Secret name:
PostgreSQL Connection URI (postgresql://username:password@host:5432/database)
Popularity of secret/service:
PostgreSQL is one of the most widely used open-source relational databases globally. It consistently ranks among the top databases in industry adoption and is heavily used in SaaS platforms, fintech systems, startups, and enterprise environments. It is also the default database for many cloud platforms and modern backend frameworks.
Risk in exposing the secret:
Exposing a PostgreSQL connection URI containing credentials can allow attackers to:
- Gain full read/write access to application databases
- Dump sensitive user data (PII, credentials, tokens)
- Modify or delete production records
- Escalate privileges if superuser or elevated roles are exposed
- Execute database functions or stored procedures
- Pivot into internal infrastructure if the database is not publicly exposed

Production PostgreSQL databases frequently store authentication data and core business logic records, making exposure high severity.
Validation method, if any:
- Attempt TCP connection to the PostgreSQL server (default port 5432)
- Perform PostgreSQL protocol handshake
- Attempt authentication using provided credentials
- If login succeeds and a session is established, the secret is valid
Connection URI Formats:
- Standard URI Format
  - Format: `postgresql://<username>:<password>@<host>:5432/<database>`
  - Example: `postgresql://appuser:password@db.example.com:5432/appdb`
- Alternative Short Form
  - Format: `postgres://<username>:<password>@<host>:5432/<database>`
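As an added example (not part of this issue or the project's own detector code), a small Python scanner that finds both URI spellings, parses them with libpq's default-port rule, skips credential-less URIs, and redacts the password so a finding can be reported without re-leaking it; the sample text and hostnames are constructed. It does not perform the live connection check described under the validation method.

```python
import re
from urllib.parse import urlsplit, unquote

# Matches both scheme spellings; stops at whitespace and common quote/delimiter characters.
PG_URI_RE = re.compile(r"\bpostgres(?:ql)?://[^\s'\"<>`]+", re.IGNORECASE)


def parse_pg_uri(uri: str):
    """Return the components of a PostgreSQL connection URI, or None if it carries no password."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("postgres", "postgresql"):
        return None
    if parts.password is None:
        return None  # a credential-less URI is not a leaked secret
    try:
        port = parts.port or 5432  # libpq default when the port is omitted
    except ValueError:  # non-numeric port: not a usable URI
        return None
    return {
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password),  # undo percent-encoding, e.g. %40 -> @
        "host": parts.hostname or "",
        "port": port,
        "database": parts.path.lstrip("/"),
    }


def redact(uri: str) -> str:
    """Mask the password so the finding can be logged safely."""
    return re.sub(r"://([^:/@]+):[^@]*@", r"://\1:***@", uri)


def find_pg_uris(text: str):
    """Scan free text (config files, logs, source) for PostgreSQL URIs that embed a password."""
    findings = []
    for m in PG_URI_RE.finditer(text):
        raw = m.group(0).rstrip(".,;)")  # trailing punctuation is not part of the URI
        info = parse_pg_uri(raw)
        if info:
            findings.append({**info, "redacted": redact(raw)})
    return findings


# Constructed sample input: a config file with one standard URI, one short-form URI, one without credentials.
SAMPLE = """\
DATABASE_URL=postgresql://appuser:p%40ssw0rd@db.example.com:5432/appdb
fallback = "postgres://reporting:r3port@db-replica.internal/analytics"
readonly = postgresql://db.example.com/appdb
"""

if __name__ == "__main__":
    for f in find_pg_uris(SAMPLE):
        print(f["redacted"], "->", f["host"], f["port"], f["database"])
```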
Resources:
Reviving the topic under a new issue because #992 is closed and unclaimed.