Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Blind SSRF in secret scanners: what identity teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Researchers reported blind SSRF variants in credential verification flows, including detector paths that could be influenced by scanned content and redirect-following behavior that might target internal hosts, according to TruffleHog. The issue is less about response theft than about unnecessary outbound trust inside secret-scanning workflows.

NHIMG editorial — based on content published by TruffleHog: Contributor Spotlight on strengthening SSRF protections in credential verification

Questions worth separating out

Q: How should security teams restrict secret scanners that verify live credentials?

A: Security teams should separate verification traffic from general application traffic, use strict egress allowlists, and block access to localhost and internal metadata endpoints.

Q: Why do live secret verification flows create blind SSRF risk?

A: Because the scanner accepts untrusted input and turns it into outbound requests.

Q: What do security teams get wrong about secret scanner safety?

A: Teams often assume that a security tool is automatically low risk.

Practitioner guidance

  • Constrain verification egress to known destinations Use network allowlists for live credential checks and block access to localhost, metadata services, and other internal targets from scanning workers.
  • Disable unsafe redirect behaviour in scanner transports Audit HTTP client settings for redirect following and enforce destination revalidation after any redirect hop.
  • Treat scanner runtime permissions as part of NHI governance Map secret scanners and their verification workers into the same governance review as tokens, service accounts, and automation roles.

What's in the full article

TruffleHog's full post covers the implementation detail this analysis intentionally leaves at a higher level:

  • Code-level examples of the detector changes made to reduce blind SSRF exposure in verification paths.
  • The specific GCP and JWT detector behaviors that created the request-routing issue.
  • The security researcher disclosure context and why the findings were handled as hardening rather than CVEs.
  • The source article's own commentary on why reducing unnecessary outbound requests matters in scanner design.

👉 Read TruffleHog's analysis of blind SSRF in credential verification →

Blind SSRF in secret scanners: what identity teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Unnecessary outbound request surface is a governance problem, not just a code hardening issue. Secret-scanning tools are often treated as harmless utilities, but once they verify credentials by calling external endpoints they become network-capable actors with their own trust boundary. That boundary is easy to forget in CI/CD and developer workflows. Practitioners should treat every live verification path as part of the NHI control plane, not as a passive detector.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a scanning workflow can reach internal systems?

A: Accountability sits with the teams that own the scanning workflow, the runtime network policy, and the identity or platform controls around the worker. If a verifier can reach internal systems, that reach must be governed as an access decision, not as a convenience feature.

👉 Read our full editorial: Blind SSRF in secret scanning changes NHI verification risk



   
ReplyQuote
Share: