While reviewing the company's public Git repository, a penetration tester notices that a debug log has been committed. The log contains session-token strings and internal hostnames such as db01.internal.example.local. Before escalating the finding, the tester wants to verify whether the information in the log actually exposes usable secrets without performing intrusive actions. Which reconnaissance task would BEST help the tester confirm the sensitivity of what was leaked?
Grep the entire repository history and its public forks for the leaked hostnames or token patterns
Attempt to resolve the leaked hostnames using public DNS tools from an external network
Query public certificate-transparency logs for certificates that include the leaked hostnames
Submit the leaked session tokens to the organization's SSO endpoint to test their validity
Recursively searching the repository- including its commit history, branches and any public forks- for the same hostnames, tokens or related credentials is the most direct, non-intrusive way to confirm whether the debug log discloses additional sensitive details or reusable secrets. Certificate-transparency or DNS lookups may reveal whether the hostnames appear elsewhere on the internet, but they do not validate token exposure. Submitting the tokens to an SSO endpoint is an active exploitation attempt that goes beyond information gathering and could violate legal scope.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are debug logs and why can they be risky?
Open an interactive chat with Bash
What steps can be taken to secure public code repositories?
Open an interactive chat with Bash
What is the purpose of searching for additional internal references in a repository?