Leaky Bucket: Full Attack Chain Against Public S3-Compatible Buckets in Yandex Cloud

🛑 Disclosure: A lightweight proof-of-concept (PoC) tool was developed by hackteam.red for internal red teaming and authorized penetration testing. The PoC will not be released publicly, but it is actively used to assess Yandex Cloud Object Storage configurations for clients who explicitly permit such testing.

🔍 Overview

Yandex Cloud provides an S3-compatible Object Storage service that allows customers to host static websites via public endpoints like: http://.website.yandexcloud.net

While this is a convenient feature for developers and enterprises, misconfigurations or oversight can lead to unintended public exposure of sensitive technical documentation, internal architecture details, or — in worst cases — source code and configuration files. ...

January 21, 2026

Hunting API Keys in the Wild: How I Built FleaMarket to Find (and Help Fix) Real Leaks on GitHub

TL;DR: I built an ethical, open-source scanner called FleaMarket that finds exposed API keys in fresh GitHub repos. In a recent scan, it discovered live Google/Gemini keys in public .env files — and I helped owners secure them before any abuse occurred.

🕵️‍♂️ Why Hunt for Secrets?

API keys in public code are like leaving your house keys under the doormat. Even if you think no one will look — bots do. Thousands of keys are scraped every hour, leading to: ...

January 21, 2026