
Mind your Logs: How a build log from a Jenkins leaked everything - LuD1161
https://medium.com/@aseem.shrey/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything-603cf07fa85
======
Stratoscope
> _As I was reading the article, I found the author mentioned some of the
> dorks for Jenkins and Sonarqube._

I wonder if anyone could explain what "dork" means in this context? My
searches are only finding the common derogatory meaning, e.g. "a socially
inept person."

~~~
qiqitori
Did some Googling myself and found some related links:

[https://www.wsj.com/articles/a-hacker-and-the-perils-of-dork...](https://www.wsj.com/articles/a-hacker-and-the-perils-of-dorking-1459536135)

[https://pentestmag.com/zeus-scanner-advanced-dork-searching/](https://pentestmag.com/zeus-scanner-advanced-dork-searching/)

[https://github.com/E4rr0r4/XGDork](https://github.com/E4rr0r4/XGDork)

[https://github.com/GuestGuri/dork-scanner](https://github.com/GuestGuri/dork-scanner)

[https://www.darknet.org.uk/2017/10/sqliv-sql-injection-dork-...](https://www.darknet.org.uk/2017/10/sqliv-sql-injection-dork-scanning-tool/)

~~~
jcims
Also [https://www.exploit-db.com/google-hacking-database](https://www.exploit-db.com/google-hacking-database)

------
malux85
Why are these Jenkins servers exposed to the public internet?

Serves them right for such sloppy ops

~~~
duncanawoods
Are there any good guides for setting up private networks? Google results are
overwhelmed by setting up VPNs for private browsing.

~~~
Avamander
Set up a network, don't make it public. Block everything incoming except your
VPN tunnel should you need remote access. That's how a private network works.

~~~
jsty
> Block everything incoming except your VPN tunnel should you need remote
> access

With the slight caveat that you should have at least a second out-of-band
access method for when you bork your VPN config :)

~~~
Avamander
True, but you know you have done your private network correctly if borking
your VPN config means no access.

------
lol768
I feel like the poking around on Slack crossed the line a bit. Should've been
disclosed responsibly before it got to that point.

~~~
kfichter
+1, significantly over the line IMO. Seems (maybe?) OK to check token
permissions if only to avoid the hassle of reporting a dead token.

------
o-__-o
The only thing that keeps popping into my mind as I read this: is it illegal
to hack foreign computer systems?

What are the varying levels of legality? (e.g. hacking a French company would
see you extradited, hacking Iran/North Korea could bring Federal charges, but
Russia.. China..?)

~~~
kube-system
There are enough laws in most places thoroughly covering these kinds of
activities that you can safely assume it’s breaking at least some law in some
jurisdiction.

And even if you wouldn’t be in the jurisdiction that prohibits it and/or
wouldn’t be extradited for it, that doesn’t technically make it legal.

