Feature Request: New detector for ArcGIS proxy configs #3808

Open
M-Davies opened this issue Dec 20, 2024 · 0 comments
Description

Old ArcGIS installs (and directory archives containing files related to them) sometimes contain proxy.config files. These are configuration files that are used by ArcGIS to (funnily enough) configure proxies for backend comms. This method of setting proxies is now deprecated by ArcGIS as it now has its own native settings (see this repo for more details).

However, these proxy files sometimes contain credentials for either local users, domain users or both. A recent pentest I was on against a client running trufflehog against their external infrastructure failed to pick up a proxy.config file similar to the following:

<?xml version="1.0" encoding="utf-8" ?>
<ProxyConfig allowedReferers="*"
             mustMatch="true">
    <serverUrls>
        <serverUrl url="https://maps.XXXXXXXXXXXXX/arcgisserver/rest/services"
                   username="vp.viewer.test" password="XXXXXXXXXXXXX" tokenServiceUri="https://maps.XXXXXXXXXXXXX/viewpoint/sharing/generateToken" matchAll="true" />
        <serverUrl url="https://maps.XXXXXXXXXXXXX/arcgisXXXXXXXXXXXXX/rest/services"
                   username="XXXXXXXXXXXXX" password="XXXXXXXXXXXXX" matchAll="true" />
        <serverUrl url="https://gis-services.XXXXXXXXXXXXX/arcgis/rest/services"
                   username="XXXXXXXXXXXXX" password="XXXXXXXXXXXXX" matchAll="true" />
    </serverUrls>
</ProxyConfig>

<!-- See https://github.com/Esri/resource-proxy for more information -->

URLs, usernames and passwords censored for privacy

Preferred Solution

Support for a new detector that picks up credentials in the <serverUrl> object of the above XML doc.

Additional Context

<serverUrl> does not always contain credentials; it can be just a URL.

I would try and do this myself but Go really isn't my language and I haven't the time in the foreseeable future to learn it sadly :(

References

More details can be provided on request
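
The extraction step requested above, as an added example: this is not TruffleHog code and not code from the issue author. `FindProxyCredentials`, the type names and the sample config are assumptions made for illustration; the function parses the XML and reports only `<serverUrl>` entries that carry both a username and a password, so URL-only entries and unrelated XML files produce no findings.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed sample input: placeholder hosts and secrets, not values from the issue.
const sampleConfig = `<?xml version="1.0" encoding="utf-8" ?>
<ProxyConfig allowedReferers="*" mustMatch="true">
  <serverUrls>
    <serverUrl url="https://maps.example.invalid/arcgis/rest/services"
      username="svc.viewer" password="PLACEHOLDER-1" tokenServiceUri="https://maps.example.invalid/sharing/generateToken" matchAll="true" />
    <serverUrl url="https://tiles.example.invalid/arcgis/rest/services" matchAll="true" />
    <serverUrl url="https://gis.example.invalid/arcgis/rest/services"
      username="svc.editor" password="PLACEHOLDER-2" matchAll="true" />
  </serverUrls>
</ProxyConfig>`

// ServerURL holds the attributes of one <serverUrl> element that matter here.
type ServerURL struct {
	URL             string `xml:"url,attr"`
	Username        string `xml:"username,attr"`
	Password        string `xml:"password,attr"`
	TokenServiceURI string `xml:"tokenServiceUri,attr"`
}

type proxyConfig struct {
	XMLName    xml.Name    `xml:"ProxyConfig"` // decoding fails for any other root element
	ServerURLs []ServerURL `xml:"serverUrls>serverUrl"`
}

// FindProxyCredentials (hypothetical helper) returns entries with both username and password.
func FindProxyCredentials(data []byte) ([]ServerURL, error) {
	var cfg proxyConfig
	if err := xml.Unmarshal(data, &cfg); err != nil {
		return nil, err // not XML, or not a proxy.config document
	}
	var hits []ServerURL
	for _, s := range cfg.ServerURLs {
		if s.Username != "" && s.Password != "" { // URL-only entries are not findings
			hits = append(hits, s)
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(FindProxyCredentials([]byte(sampleConfig)))
}
```

Each hit keeps the `url` and, where present, the `tokenServiceUri` alongside the credential pair, which is the context a reviewer needs to decide which account to rotate.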
