HIGH: Badsecrets Report

DESCRIPTION LAST UPDATED: 2025-09-08

DEFAULT SEVERITY LEVEL: HIGH

This report identifies the use of known or very weak cryptographic secrets across a variety of web frameworks/platforms. These are often the result of software developers copy-pasting or forking code published on the Internet that includes a copied cryptographic secret, for example from a project on GitHub, official documentation of a project, or even a book, etc.

To identify these “bad” secrets, we use the badsecrets library from Black Lantern Security.

Please review https://github.com/blacklanternsecurity/badsecrets?tab=readme-ov-file#current-modules for a list of currently supported checks.

The “bad” secrets found will have a badsecrets_type field set to SecretFound.

For the purpose of identifying these bad secrets, we do not conduct any new scans, but apply the checks to already collected scan data.

Please note: we are checking publicly exposed cryptographic products for known secrets, for example at the viewstate level – we are not exploiting any vulnerabilities or accessing protected assets in any way.

For better understanding of the issues being reported, please read Black Lantern’s blog post introducing their badsecrets library.

These known “bad” secrets should not be in use. If you receive an alert from us, make sure to replace these known “secrets” with secure values in your applications, but also investigate the platform for evidence of potential earlier misuse/compromise. You can replicate the results by using the Badsecrets tooling yourself.

You can track the results of our Badsecrets scans on our public Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 versions.

Filename(s): scan_badsecrets, scan6_badsecrets

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the HTTP response came on (always TCP)
  • port
    Port that the HTTP response came from
  • hostname
    Reverse DNS name of the device in question
  • tag
    http/ssl/badsecret
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • http
    Hypertext Transfer Protocol Version
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • server
    HTTP Server type
  • request_path
    HTTP Request path
  • cert_serial_number
    Certificate serial number
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name of the entity that signed the SSL certificate
  • subject_organization_name
    The subject organization name (ON) of the certificate
  • issuer_organization_name
    Issuing organization name
  • sha1_fingerprint
    SHA1 fingerprint of certificate
  • sha256_fingerprint
    SHA256 fingerprint of certificate
  • badsecret_location
    Section the secret was found e.g., "header", "body"
  • badsecret_module
    Detection module e.g., "ASP.NET Viewstate"
  • badsecret_type
    Set to SecretFound. This is really a result more than a type, however we adhere to the naming convention from the badsecrets framework.
  • badsecret_product
    The product of the cryptography operation
  • badsecret_secret
    Secret found

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","badsecret_location","badsecret_module","badsecret_type","badsecret_product","http","http_code","server","request_path","cert_serial_number","subject_common_name","issuer_common_name","subject_organization_name","issuer_organization_name","sha1_fingerprint","sha256_fingerprint","badsecret_secret"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,80,node01.example.com,badsecret;http,64512,ZZ,Region,City,0,ptr,,body,"ASP.NET Viewstate",SecretFound,"Viewstate: PNSf/QVj4YLcQ3vKwYnYhrVZkfmgBPZmO0wX4g3+rBiqGWAPII9mm9Fr5fEDEuYKzSbInVP+DiM3ON5xNZqhaEP1QI9NUorLBmVGLJfSctKhQd+F/nSEhRs5oVLXncyCuFJduR55UB+oDgbyJFx2srAbPMXfovnI+XrTcjdPFGyWWo3WdYb1USBA+U2y4FjRlY2eFYmGUTDhGv22GqXNNjQ8RW/aQFUF6qli8OwC4POJyhXAcyui1mDA4UtGKz/Yg3tBaZbIgFR5Spy7Bp4stVdzM64IEoqZBZrnuSsBca4mb0wZSl52flOfq9UWRNXfPTx30CKqE9pdNzHZRyGOU6aY0CjUvwluLdd+e0u5eVIoKXANOwiAfpWEsAycH6f3fQRW3pJAbpusR4C27vO3kEPxj6OPEc30oclYtmZ4MvFBRoqs+3jt4lcJjxJ2AVT4bkyAgS2m19UIp/9MTpvsS8+v4Dps0FtXaP5xKVWoGpX0j3sl96IlGk9EMyad5Mz2FkRuZI4vwGuQQc/Cb42mdGpm4A2zSopqRY0N+caE1XmT8flE5Ke3OQBi1Zvwe6VaadrChlw2iQqdN6cYM9bJL6hIDNQBW4rcvXCJ62/kuPDEbemOB0cbsbzA4fxDF8MHzQjnusmlUCAXZdun8bBs6u2B58VeSfIWZEVQ/gUECVekEQpCQ4wbeiMlxpuAszOb1/HPusneeXSiJ/7shOU4WQUhhFBOpAolWq7f+UFdr+JIdO6JiWvkHkSPXaZQROEiANftCc+sMXmyK/fJF8iOnm6uDx4/MV9fe4cabxKg6aEFbJ3gbU11zjdDz0ro71PTnNTLda21+BnsJkSDGBrNGGxFa0McaYFHm3VuThwteMJeCJiKXuaEFP1lswX56Jdds92tWFoWKdyel6bS5hfzCXAEVTlMGl8sBync/bTOmZGk90Eehsn+0bm5P2MNxcu/gzkXfJHF0PaKCQU22zktROHTqOP2qOdSr1GovqpREnH8j2YfYMIheCxdwjkRiQq020UN16s9jrEdnsqtr/wCClyoU8LmSJ0QR5xQ0OAzBFjwMvifaApHhdFmP5d001VmIcWXwsRJTsKaIgx1sKVe3sSqpJxiVHS2RD5lgr5OkjmRbRN0X00AjlyOCd77hnObsPsJfCCXlxUp+pcP1g5Y0o97yg8= Generator: C2EE9ABB",HTTP/1.1,200,Microsoft-IIS/10.0,/,B3F13DFBDBA2D8B2,example.com,example.com,,,03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,"ASP.NET MachineKey"
"2010-02-10 00:00:01",high,192.168.0.2,tcp,80,node02.example.com,badsecret;http,64512,ZZ,Region,City,0,ptr,,body,"ASP.NET Viewstate",SecretFound,"Viewstate: /wEPDwUKMTg2NTEyODQ4MGRkfWZJdohNIZbFfHZ2JlQ5eWmcUv8= Generator: CFCE67DB",HTTP/1.1,200,Microsoft-IIS/10.0,/,B3F13DFBDBA2D8B2,example.com,example.com,,,03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,"ASP.NET MachineKey"
"2010-02-10 00:00:02",high,192.168.0.3,tcp,80,node03.example.com,badsecret;http,64512,ZZ,Region,City,0,ptr,,body,"ASP.NET Viewstate",SecretFound,"Viewstate: zNCSN8Hpaqe6Zqvp56Ovth9VaB8vM50rqAaN47DZciSpUwgSwNAOgUylmJ1VmRAfPKeeq3TAh3rTPfQdB2lLyTmmF+8= Generator: C2EE9ABB",HTTP/1.1,200,Microsoft-IIS/10.0,/,B3F13DFBDBA2D8B2,example.com,example.com,,,03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,"ASP.NET MachineKey"

Our 139 Report Types

« Back to Network Reporting