Commit 3a10d5b
feat(rules): add 5 Nigerian fintech & betting hardcoded secret detectors
New high-impact rules detecting hardcoded credentials from major Nigerian payment and betting platforms:

• Paystack (live/test keys)
• Flutterwave/Rave
• Remita merchant + hash
• Interswitch MAC keys
• SportyBet/BetKing JWT tokens

Same patterns already shipped in:

- Nuclei: projectdiscovery/nuclei-templates#14253
- TruffleHog: trufflesecurity/trufflehog#4588

Author: @LloydCoder (Tinlance) 🇳🇬
1 parent 1b69c3f commit 3a10d5b

File tree

1 file changed

+75
-0
lines changed

Lines changed: 75 additions & 0 deletions
@@ -0,0 +1,75 @@
1+
rules:
2+
- id: hardcoded-paystack-secret-key
3+
patterns:
4+
- pattern-either:
5+
- pattern: sk_live_...
6+
- pattern: sk_test_...
7+
- pattern-not: sk_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8+
- pattern-not: sk_test_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9+
message: >-
10+
Hardcoded Paystack secret key detected (live or test). Never commit real keys!
11+
Use environment variables instead (e.g., os.getenv("PAYSTACK_SECRET_KEY")).
12+
languages: [python, javascript, typescript, java, go, ruby, php]
13+
severity: ERROR
14+
metadata:
15+
category: security
16+
subcategory: secret-management
17+
cwe: "CWE-798: Use of Hard-coded Credentials"
18+
owasp: "A07:2021 – Identification and Authentication Failures"
19+
confidence: HIGH
20+
license: Commons Clause License
21+
author: Lloydcoder
22+
source: https://github.com/Lloydcoder
23+
tags: nigeria,paystack,fintech,secrets
24+
25+
- id: hardcoded-flutterwave-secret-key
26+
patterns:
27+
- pattern-either:
28+
- pattern: FLWSECK-...
29+
- pattern: FLWSECK_TEST-...
30+
- pattern: FLWSECK_...
31+
- pattern-not: FLWSECK-xxxxxxxxxxxxxxxxxxxx
32+
message: >-
33+
Hardcoded Flutterwave (Rave) secret key detected. Use env vars instead!
34+
languages: [python, javascript, typescript, java, go]
35+
severity: ERROR
36+
metadata:
37+
category: security
38+
subcategory: secret-management
39+
author: Lloydcoder
40+
tags: nigeria,flutterwave,rave,fintech,secrets
41+
42+
- id: hardcoded-remita-credentials
43+
patterns:
44+
- pattern-regex: \b\d{10,15}\|[a-zA-Z0-9]{40,}\b
45+
- pattern-regex: merchantId\s*[:=]\s*["']?\d{10,}["']?
46+
message: >-
47+
Possible Remita merchant ID + API hash or key exposed in code.
48+
languages: [python, javascript, typescript]
49+
severity: ERROR
50+
metadata:
51+
author: Lloydcoder
52+
tags: nigeria,remita,fintech,secrets
53+
54+
- id: hardcoded-interswitch-mackey
55+
patterns:
56+
- pattern-regex: macKey["']?\s*[:=]\s*["']?[0-9A-Fa-f]{64}["']?
57+
message: >-
58+
Interswitch Webpay MAC key hardcoded. This is extremely sensitive!
59+
languages: [python, javascript, typescript, php]
60+
severity: ERROR
61+
metadata:
62+
author: Lloydcoder
63+
tags: nigeria,interswitch,webpay,fintech,secrets
64+
65+
- id: hardcoded-sportybet-betking-token
66+
patterns:
67+
- pattern-regex: eyJ[A-Za-z0-9-_]{100,}
68+
- pattern-regex: Bearer [A-Za-z0-9-_]{50,}\.[A-Za-z0-9-_]{50,}\.[A-Za-z0-9-_]{50,}
69+
message: >-
70+
Possible SportyBet/BetKing JWT or admin token hardcoded. High risk!
71+
languages: [python, javascript, typescript, go]
72+
severity: ERROR
73+
metadata:
74+
author: Lloydcoder
75+
tags: nigeria,betting,sportybet,betking,secrets,jwt
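Review bot: the two `pattern-regex` entries under `patterns:` in `hardcoded-remita-credentials` and `hardcoded-sportybet-betking-token` are ANDed, not ORed. Semgrep's `patterns` key is a logical AND, so a finding requires both regexes to hold at the same location: for Remita that means a `merchantId` assignment that is simultaneously a `digits|hash` pair, and for the betting rule a bare `eyJ...` blob that is simultaneously a `Bearer ` three-part token, so in practice these two rules will rarely or never fire. Wrap the alternatives in `pattern-either:` the way the Paystack and Flutterwave rules already do. Three further points: (1) `[A-Za-z0-9-_]` in both JWT regexes is a character-class bug, because `9-_` is a range from `9` to `_` and silently admits `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]` and `^`; write `[A-Za-z0-9_-]` with the hyphen last. The `eyJ[...]{100,}` regex also matches a JWT from any issuer, so the `SportyBet/BetKing` id and message overstate what is detected and every JWT in test fixtures will be reported at `ERROR`; a vendor-neutral id with a lower `confidence` would be more honest. (2) `- pattern: sk_live_...`, `- pattern: FLWSECK-...` and their sibling `pattern:` lines are parsed as source code in each listed language rather than as text, so a key embedded in a string literal such as `"sk_live_..."` is not matched and `FLWSECK-...` reads as a subtraction expression; use `pattern-regex` with the key's known character set and length, as the Remita and Interswitch rules do, which also makes the `pattern-not` placeholder lines unnecessary. (3) `cwe`, `owasp`, `confidence` and `license` are set only on the Paystack rule while the other four carry just `author` and `tags`; the metadata should be copied across, and since a `merchantId` on its own is an identifier rather than a credential, the second Remita alternative at `ERROR` severity will be a steady source of false positives.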
