Stripping PII & Secrets

[douglasg14b]

I kind of want to implement my own API for accepting dumps (Not really for replaying), and writing them as WRR files.

Various reasons, but playing around is one. Another would be stream processing the data to redact PII, tokens, passwords, and sensitive information in an attempt to see how close to safe I can make dumps from authenticated, logged in, browser sessions.

I'm not a python dev, far from it. Is there a spec that defines the I/O format for the data dumping endpoint so I can implement my own?

[oxij]

Dumping endpoints simply take raw `WRR` dumps as request bodies. See `submitHTTPOne` function in `extension/background/core.js`.

Another would be stream processing the data to redact PII, tokens, passwords, and sensitive information in an attempt to see how close to safe I can make dumps from authenticated, logged in, browser sessions.

Hmm, that's a good idea. `hoardy-web serve` could be made to strip <head>/<meta> tokens, hidden form fields, and simply ignore anything with `/login/` in the URL. Or, maybe, a better way would be to put such `WRR`s into a separate directory and add `hoardy-web strip` command that would censor `WRR` -> `WRR` in various ways.

[douglasg14b]

Stripping PII & Secrets

Reliably stripping out sensitive data is a rather difficult proposition, there are two major areas of sensitive data:

1. Secrets/Credentials
2. PII

Tools, libraries, and models tend to focus on one of these and not necessarily both. Meaning that most detection will, at best, be a two-step process. One for PII and another for secrets.

Each of these tend to have their own solutions, all of which tend to be heuristics based (At least the most effective ones). Employing combinations of:

1. Direct Field/value identification
   • Most consistent for known data, extremely inflexible & unreliable for unknown data
   • Perf: Fastest
2. Regex
   • Same as above, just with greater flexibility
   • Perf: Fast
3. Contextual Data
   • More heuristic, not necessarily guaranteed, good for unknown data)
   • Perf: Slower
4. ML Model Named Entity Recognition (NER) & NLP
   • Peak heuristics, most flexible for unknown data, inconsistent
   • Perf: Very Slow
5. Fuzzy Matchers for known formats & data
   • Relatively flexible for unknown data, limited to the scope of what is already known
   • Perf: Fast Enough

A combination of all 5 of these things tend to yield, at best, passable detection of PII & secrets. Which is where things get difficult, if this much works yields something that's barely passable, how do you get something that's robust? Well, with a lot of work, and/or combination of existing tools.

Known Tools/Libs

Just dumping research here

1. Microsoft Presidio
   • 🔎 Focus: PII
   • 🧩 Strategy: Mutifaceted
   • 🤯 Complexity: High
   • 👌 Plug & Play: ✅
2. piiscan
   • 🔎 Focus: PII
   • 🧩 Strategy: NLP
   • 🤯 Complexity: Mid
   • 👌 Plug & Play: ✅
3. secretlint

• 🔎 Focus: Secrets
• 🧩 Strategy: Pattern Matching
• 🤯 Complexity: Mid
• 👌 Plug & Play: ✅
• Note: Meant for linting, but can probably be used to analyze arbitrary text

4. Yelp detect-secrets
   • 🔎 Focus: Secrets
   • 🧩 Strategy: Mutifaceted
   • 🤯 Complexity: High
   • 👌 Plug & Play: ❌
   • Note: Appears to be the most reliable option for secret detection
5. redact-pii
   • 🔎 Focus: Secrets
   • 🧩 Strategy: Pattern Matching
   • 🤯 Complexity: Low
   • 👌 Plug & Play: ✅
6. Scrubadub
   • 🔎 Focus: PII
   • 🧩 Strategy: Pattern Matching Optionally NLP
   • 🤯 Complexity: Low
   • 👌 Plug & Play: ✅
7. Octopii
   • 🔎 Focus: PII (Images?)
   • 🧩 Strategy: NLP
   • 🤯 Complexity: Mid
   • 👌 Plug & Play: ✅
8. Capital One DataProfiler
   • 🔎 Focus: PII
   • 🧩 Strategy: NLP & ML
   • 🤯 Complexity: Very High
   • 👌 Plug & Play: ✅
9. ValX
   • 🔎 Focus: PII
   • 🧩 Strategy: NLP
   • 🤯 Complexity: Mid
   • 👌 Plug & Play: ✅
10. SAP Credential Digger

• 🔎 Focus: Secrets (Committed)
• 🧩 Strategy: NLP
• 🤯 Complexity: Very High
• 👌 Plug & Play: ❌

11. Trufflehog

• 🔎 Focus: Secrets
• 🧩 Strategy: NLP Pattern matching
• 🤯 Complexity: Very High
• 👌 Plug & Play: ❌