Jira Secrets Hunter - Helps you find credentials and sensitive contents in Jira tickets. A handy tool for red-team activities, internal assessments and bug-bounties. It performs search based on the keyword-list provided and does regular expression matching for secretz analysis. The search will go deep enough to cover both description and comments section of Jira tickets.

Requires: Python3

sudo pip3 install -r requirements.txt

You can configure Jira auth token in the file config.json.

For jira self-hosted software, the auth token is usually Basic base64_encode([email protected]:password)

(Note: The username could be with or without email domain in it, depending on how your company uses it)

Yes, you will have to perform Basic authentication, since Jira doesn't provide a feature to generate REST API tokens for self-hosted Jira servers as of writing this. The feature request JRASERVER-67869 is still open.

python3 jecretz.py --url "https://jira.domain.tld/" --threads 50 --out output.txt

If your Jira is behind Okta or any other SSO, make sure to establish SSO session before you run this tool.

usage: jecretz.py [-h] -u URL [-t threads] [-o file]

Jecretz, Jira Secrets Hunter

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     jira instance url, eg: https://jira.domain.tld/
  -t threads, --threads threads
                        default: 10
  -o file, --out file   file to save output to, eg: -o output.txt

I won't be responsible for any action you may perform with this tool. Be careful with them threads.

Twitter: @sahad_nk