Merge pull request #255 from blacklanternsecurity/dev

liquidsec · web-flow · commit 0f210771c913 · 2025-08-15T10:35:30.000-04:00
Dev-&gt;Main
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ Inspired by [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r), with a de
 | Express_SignedCookies_ES | Checks express.js express-session middleware for signed cookies and session cookies for known 'session secret' |
 | Express_SignedCookies_CS | Checks express.js cookie-session middleware for signed cookies and session cookies for known secret |
 | Laravel_SignedCookies | Checks 'laravel_session' cookies for known laravel 'APP_KEY' |
-| ASPNET_Vstate      | Checks for a once popular custom compressed Viewstate [code snippet](https://blog.sorcery.ie/posts/higherlogic_rce/) vulnerable to RCE|
+| ASPNET_Compressedviewstate      | Checks for a once popular custom compressed Viewstate [code snippet](https://blog.sorcery.ie/posts/higherlogic_rce/) vulnerable to RCE|
 | Rack2_SignedCookies | Checks Rack 2.x signed cookies for known secret keys |
 | Yii2_SignedCookies | Checks Yii2 framework signed cookies for known cookie validation keys |
 
@@ -305,7 +305,7 @@ Symfony_SignedURL = modules_loaded["symfony_signedurl"]
 Express_SignedCookies_ES = modules_loaded["express_signedcookies_es"]
 Express_SignedCookies_CS = modules_loaded["express_signedcookies_cs"]
 Laravel_SignedCookies = modules_loaded["laravel_signedcookies"]
-ASPNET_Vstate = modules_loaded["aspnet_vstate"]
+ASPNET_Compressed_Viewstate = modules_loaded["aspnet_compressedvstate"]
 Rack2_SignedCookies = modules_loaded["rack2_signedcookies"]
 Yii2_SignedCookies = modules_loaded["yii2_signedcookies"]
 
@@ -419,7 +419,7 @@ else:
     print("KEY NOT FOUND :(")
 
 
-x = ASPNET_Vstate()
+x = ASPNET_Compressed_Viewstate()
 print(f"###{str(x.__class__.__name__)}###")
 r = x.check_secret("H4sIAAAAAAAEAPvPyJ/Cz8ppZGpgaWpgZmmYAgAAmCJNEQAAAA==")
 if r:
diff --git a/badsecrets/base.py b/badsecrets/base.py
@@ -29,6 +29,7 @@ class BadsecretsBase:
     }
 
     check_secret_args = 1
+    validate_carve = True
 
     def __init__(self, custom_resource=None, **kwargs):
         self.custom_resource = custom_resource
@@ -129,37 +130,39 @@ def carve(self, body=None, cookies=None, headers=None, requests_response=None, *
                 elif self.carve_regex():
                     s = re.search(self.carve_regex(), header_value)
                     if s:
-                        r = self.carve_to_check_secret(s)
+                        if not self.validate_carve or self.identify(s.groups()[0]):
+                            r = self.carve_to_check_secret(s)
+                            if r:
+                                r["type"] = "SecretFound"
+                            # the carve regex hit but no secret was found
+                            else:
+                                r = {"type": "IdentifyOnly"}
+                                r["hashcat"] = self.get_hashcat_commands(s.groups()[0])
+                            if "product" not in r.keys():
+                                r["product"] = self.get_product_from_carve(s)
+                            r["location"] = "headers"
+                            results.append(r)
+
+        if body:
+            if type(body) != str:
+                raise badsecrets.errors.CarveException("Body argument must be type str")
+            if self.carve_regex():
+                s = re.search(self.carve_regex(), body)
+                if s:
+                    if not self.validate_carve or self.identify(s.groups()[0]):
+                        r = self.carve_to_check_secret(
+                            s, url=kwargs.get("url", None), body=body, cookies=cookies, headers=headers
+                        )
                         if r:
                             r["type"] = "SecretFound"
-                        # the carve regex hit but no secret was found
                         else:
                             r = {"type": "IdentifyOnly"}
                             r["hashcat"] = self.get_hashcat_commands(s.groups()[0])
                         if "product" not in r.keys():
                             r["product"] = self.get_product_from_carve(s)
-                        r["location"] = "headers"
+                        r["location"] = "body"
                         results.append(r)
 
-        if body:
-            if type(body) != str:
-                raise badsecrets.errors.CarveException("Body argument must be type str")
-            if self.carve_regex():
-                s = re.search(self.carve_regex(), body)
-                if s:
-                    r = self.carve_to_check_secret(
-                        s, url=kwargs.get("url", None), body=body, cookies=cookies, headers=headers
-                    )
-                    if r:
-                        r["type"] = "SecretFound"
-                    else:
-                        r = {"type": "IdentifyOnly"}
-                        r["hashcat"] = self.get_hashcat_commands(s.groups()[0])
-                    if "product" not in r.keys():
-                        r["product"] = self.get_product_from_carve(s)
-                    r["location"] = "body"
-                    results.append(r)
-
         for r in results:
             r["description"] = self.get_description()
 
diff --git a/badsecrets/modules/aspnet_compressedviewstate.py b/badsecrets/modules/aspnet_compressedviewstate.py
@@ -0,0 +1,23 @@
+import re
+
+from badsecrets.base import BadsecretsBase
+from badsecrets.modules.aspnet_viewstate import ASPNET_Viewstate
+
+# Reference: https://blog.sorcery.ie/posts/higherlogic_rce/
+
+
+class ASPNET_compressedviewstate(BadsecretsBase):
+    identify_regex = re.compile(r"^H4sI.+$")
+    description = {"product": "ASP.NET Compressed Viewstate", "secret": "unprotected", "severity": "CRITICAL"}
+
+    def carve_regex(self):
+        return re.compile(r"<input[^>]+__(?:VIEWSTATE|VSTATE|COMPRESSEDVIEWSTATE)\"\s*value=\"(.*?)\"")
+
+    def check_secret(self, compressed_viewstate):
+        if not self.identify(compressed_viewstate):
+            return None
+
+        uncompressed = self.attempt_decompress(compressed_viewstate)
+        if uncompressed and ASPNET_Viewstate.valid_preamble(uncompressed):
+            r = {"source": compressed_viewstate, "info": "Custom ASP.NET Viewstate (Unprotected, Compressed)"}
+            return {"secret": "UNPROTECTED (compressed)", "details": r}
diff --git a/badsecrets/modules/aspnet_viewstate.py b/badsecrets/modules/aspnet_viewstate.py
@@ -22,7 +22,7 @@ class ASPNET_Viewstate(BadsecretsBase):
 
     def carve_regex(self):
         return re.compile(
-            r"<input.+__VIEWSTATE\"\svalue=\"(.+)\"[\S\s]+<input.+__VIEWSTATEGENERATOR\"\svalue=\"(\w+)\""
+            r"<input.+__VIEWSTATE\"\svalue=\"(.+?)\"[\S\s]+<input.+?__VIEWSTATEGENERATOR\"\svalue=\"(\w+)\""
         )
 
     def carve_to_check_secret(self, s, url=None, **kwargs):
diff --git a/badsecrets/modules/aspnet_vstate.py b/badsecrets/modules/aspnet_vstate.py
diff --git a/badsecrets/modules/express_signedcookies_cs.py b/badsecrets/modules/express_signedcookies_cs.py
@@ -23,6 +23,7 @@ class ExpressSignedCookies_CS(BadsecretsBase):
         "secret": "Express.js Secret (cookie-session)",
         "severity": "HIGH",
     }
+    validate_carve = False
 
     def carve_regex(self):
         return re.compile(r"(\w{1,64})=([^;]{4,512});.{0,100}?\1\.sig=([^;]{27,86})")
diff --git a/badsecrets/modules/jsf_viewstate.py b/badsecrets/modules/jsf_viewstate.py
@@ -176,10 +176,7 @@ def myfaces_decrypt(self, ct_bytes, password_bytes, dec_algos, hash_sizes):
 
     def get_hashcat_commands(self, jsf_viewstate_value, *args):
         commands = []
-        try:
-            decoded_viewstate = base64.b64decode(urllib.parse.unquote(jsf_viewstate_value))
-        except binascii.Error:
-            return []
+        decoded_viewstate = base64.b64decode(urllib.parse.unquote(jsf_viewstate_value))
         sig = decoded_viewstate[:32]
         data = decoded_viewstate[32:]
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "badsecrets"
-version = "0.11.0"
+version = "0.12.0"
 description = "About"
 authors = ["A library for detecting known or weak secrets on across many platforms"]
 license = "GPL-3.0"
@@ -39,4 +39,4 @@ build-backend = "poetry_dynamic_versioning.backend"
 [tool.poetry-dynamic-versioning]
 enable = true
 metadata = true
-format = 'v0.11.{distance}'
+format = 'v0.12.{distance}'
diff --git a/requirements.txt b/requirements.txt
@@ -2,7 +2,7 @@ asgiref==3.9.1 ; python_version >= "3.9" and python_version < "4.0"
 blinker==1.9.0 ; python_version >= "3.9" and python_version < "4.0"
 certifi==2025.8.3 ; python_version >= "3.9" and python_version < "4.0"
 cffi==1.17.1 ; python_version >= "3.9" and python_version < "4.0" and platform_python_implementation != "PyPy"
-charset-normalizer==3.4.2 ; python_version >= "3.9" and python_version < "4.0"
+charset-normalizer==3.4.3 ; python_version >= "3.9" and python_version < "4.0"
 click==8.1.8 ; python_version >= "3.9" and python_version < "4.0"
 colorama==0.4.6 ; python_version >= "3.9" and python_version < "4.0"
 cryptography==45.0.6 ; python_version >= "3.9" and python_version < "4.0"
diff --git a/tests/all_modules_test.py b/tests/all_modules_test.py
@@ -147,21 +147,28 @@ def test_carve_multiple_vulns():
         assert len(r_list) == 2
 
 
-def test_carve_empty_vstate():
-    empty_vstate_html = """
-    <div class="aspNetHidden">
-<input type="hidden" name="__VSTATE" id="__VSTATE" value="" />
-
+def test_multiple_identify_only():
+    multiple_identify_only_html = """
+<html>
+Sys.Application.add_init(function() {
+    $create(Telerik.Web.UI.RadDialogOpener, {"_dialogDefinitions":{"ImageManager":{"SerializedParameters":"gu/9FdlxGQtp3wJ4VYsztVIo4pJdVfx+avM0aIZW/uTgJSZ5/AAxbU4GGUKRs215dF8p6TtngJtECy3LRMWPIu1P5McaaErOxD+by6a2Yb30WAAojJl+m1UupXkL/v3YdemtyxS9wYF9KVyhfx5Yzm4OehnRXfFu1HfRURde3TOn6HfVn4JxtEj7q8vmuXl/CKcLNU2BLl3F4XWD4GygzP0qE84ROqRukQXvlU7YKKjfk3ENvIgCroXLfCnSKMsSHxp/5J/EKvrdPXImEoMYj8LAZkrFpj0KLBjRf35EWb2dH83iwp0r5Yo5RdBMIf+M0UNzDY98MF5Z3C2QCR963AcrgmK+K5K3yxacuypTwu8lGDjge6tSl8z9O1jQZn69morT9TJHiu7W0G/eomSBYklRTJ57qoNUGMImWZVjQeVghi0+WoySW2//h4eFtF3WUc9CoohDWqOaFfAxbvy7qWp7jvW1GA+AOQ6TwmegXZpjJDzEyLQChme23yGqVVavA/BxCalWk/Q3pxTLnKpeD4fRlewRxolepMAXcx1wRhMPDklR0c2BYHtR0nDBg6/xAXbJB/Hf601XbVsv9mDk33FqQIrI0ygY6mMY1xdm+l7qYxpIP/ZYCRiHjCaGGuEHxUYwQSQmuFKbz3ywZWZnFFhT3eBxmJ1hfDtsSeNmKgVdvWTYRsHzmD4KBGCgAdIfRthQReAPAsJ0O7MUKaRtf7N2JmS7C/n1yKQ0xGo6VP1L8/CMobrSY345IPtRa0oygaes1Pi3aPtzbXBG7sZQSoTlF51vsIEUmLbtdRNCDZwqem1zH7UOEXLGMrIGR+C01xJ5Ya/dP6UCgCFa0hbP6COusmg7n4v2ZIHZl/9mQ2AA31/nJEc8KxOb4AWADaMCBqLJaNhPSK9SrZf37Y1xilHPZVIR8/HffLAKhloObICba7p4Nl8fMbKoFQ0b9sruVRHnV7AOlrqNh4h23p6FUmqn+RmyOYSm+IzUvRwWoehL4QMV5JK4C5D9V4FRigUK8fShc+RI4p7kVt6KWdemvn9SmZ9iTce++1X8NALh+xF8zJHgkpU77NGB8zxG6b2vPorZVLQCt29OQr1wlHXkHH8FSz80Q7U3McxJvVn5vGWLu5UlDBtGLcYIKCVWtes52In+tk/V4EdGCt9aVq6pZOVRSPjDJV+PLYp/Oqq4x2VlEHwV5eY/nMwFRLvzWucgtsfcHdg4gnaBDc609jF6rFvPZ2iSc1wzREXn6GDTsQQbJqcmY1hIdKd+lvZ3vfAY9EjxBY9JcWEcdqBV6MKxYpxHCWWqykavrE0CgReDLB1BrfWKMYB2bnWRuan74iWGmMMcMYgwR9qG4aorJlhcYJVjCf3vJywTRNUtlzt+rwjcMaNRu9ISXn5HdFIN68zMAYIUZOx2lxNreS39ETDhIlS2OJ6oQFyWZtn76I3Qrpn1QJJ2dr0u9uEkQRQuxtUTaRPKh493o/LgY3IR/FCCZYIPvYuSOnS0/QpD3bzyIUc5lKGZlBy3abTOJ7qfMMmULPVa4b8Ga17dgl9/l1KQS8c7tavz5pujcTf/J/KgLcvIRmoVX299LJSllTpy0X5mjI9HrsmrXC+PgJRMNHH+a9nr9X88IH+lBX5KX5iZR0rDANVFVNUdSq7/L54ghp4YNiQc/W0xtfIa9sFZE/p0gJLpMbecz34B7DKYLNmvae7kfynKInUiHYbf70htV3Q53d+baee33mGBb50CYbAtggugadKGuzAll3kTBr0J/Pa1uF9EuqpBVuKwJXPWQr8GgEvZg7nHKlsKeypn7ZPk9Pp30d77qvlb1xL65cHLeaNo4Kl1TRLNQLIrPB7HUiO8BDXbwCxTX8n6UlJ++93L8G6HaXEerRpjKiIBHBjPhDvEznOsBvr9nHcdteSou4Np7Ppno+S1Y6xuftPC6BUYk7vTDcsd26+AfeYzVTtIBAjqwLI+W+vxjEMmG4Eja0b9dpWAKrKjBv5irX239fXtrtZCGSaAvAvr25TmSL5FTJ1VDld76X5UON92i0r0tUncnBLmyUVqJRxTqhowlxKGBYeuVuLRST4pEjciSF/VU0OpTH21aA6n5duIpT4NsacsNBpmq8Un7DcZJWf1RE0p4ZngzcejpbvtdM9s7ENXQZ5B/fcv2kcB+OU8E/CBM/8dL98GTpCLk325I08rzcy3D71U2lqJawzFUSpiz2oOHFrXuB4XGqoyV0QdJ6pl3udBI2rrtZEdf/bRkQtBRMkpuqE4tBE2chQC5U3mbCgJnRVxGYvAa09Z6sSuN2f7SK1MjOiRSqY4D5HLsVbOVhnjHmaEtqg30HL/1626DDYoGfNk0to8dt22YoPfXPYM0HcWZGe1Xn8tVLhIHdZ7O0nL13jteiIy/ocXWltx3RbUPRSFyNYCihiviKfs1JFRM2ZrgObufcCUYamsKaFUxY9vn33d0GTEIpTS5yA/fUOHg0fgPzpuXAeYURLfWmjDly6lwIARg8n7q8wciG6vGVUttTyEOmQFsLcgUqnq1okMtprnPeL5ApPVYDKW1YGBcRWVr0OE9vBDwu4F8Jm8ImzTNKKlOyjCaFIY+2kVfX9FQIjuhozMt4nEjQKFoYpqR95ioVwQokpSHRsUf7y+giLKcNassC5ckKMus8QzODPGiV+l3JoesawGgMqFuRW/PVu2rrkxftDxxuOiMc9CuRi5gD3TzH1T5jkxdNYFnUVYetmC0A57c21ZoBlZEhdBYKr3x2L5S9hTJ+x45D/Vp/xt1r8sOYW5Nld8o3B64ZpwGbkcXO6C3XdlwRBOMSaPfou+QMn62ZZFcEww3S7S9IEXXxKkx4DnCMrt3Db0NKljgFLTxFrn6U+6y5hPImlcNxYn+fiSbSVjO6r4PexpS1dIVE4+dl6+mCP8C+w3GqNlAmfIBaBu0BwPWZwjkQNismNNWtX4ZpP6943FCdrKs/JrD/YIiQdw95m3f6bzaS/nxFHqhHncZFfSNiw529rS4oe8HbY3E5nu3ebFh23UvdyfkQUgRbiQ8nJeGCqLIni3up1MSJH+MlrtBMQ/nsvJY1gDaAyV/xZRX50RHh1dLcCkjE+V1HmANSb4mKADTap/V+4edbevJmLAuCATsW605K6lpQmkjLm5924IjHosz6bFKg==8zQWzBzk62Vm/XeBmdqRMhYIThXkyJTVloacbW0axEs=","Width":"770px","Height":"588px","Title":"Image Manager"}
+});
+</script>
+</form>
+</body>
+</html>
 """
-
     with requests_mock.Mocker() as m:
         m.get(
-            f"http://emptyvstate.carve-all.badsecrets.com/",
+            f"http://multipleidentifyonly.carve-all.badsecrets.com/",
             status_code=200,
-            text=empty_vstate_html,
+            text=multiple_identify_only_html,
         )
 
-        res = requests.get(f"http://emptyvstate.carve-all.badsecrets.com/")
+        res = requests.get(f"http://multipleidentifyonly.carve-all.badsecrets.com/")
         r_list = carve_all_modules(requests_response=res)
-        assert r_list
-        assert r_list[0]["product"] == "EMPTY '__VSTATE' FORM FIELD"
+        assert len(r_list) == 2
+        assert r_list[0]["type"] == "IdentifyOnly"
+        assert r_list[1]["type"] == "IdentifyOnly"
+        assert r_list[0]["description"]["product"] in ["Telerik DialogParameters", "Telerik Hash Key Signature"]
+        assert r_list[1]["description"]["product"] in ["Telerik DialogParameters", "Telerik Hash Key Signature"]
diff --git a/tests/aspnet_compressedviewstate_test.py b/tests/aspnet_compressedviewstate_test.py
@@ -1,10 +1,10 @@
 from badsecrets import modules_loaded
 
-ASPNETVstate = modules_loaded["aspnet_vstate"]
+ASPNETcompressedviewstate = modules_loaded["aspnet_compressedviewstate"]
 
 
-def test_aspnet_vstate():
-    x = ASPNETVstate()
+def test_aspnet_compressedviewstate():
+    x = ASPNETcompressedviewstate()
     found_key = x.check_secret("H4sIAAAAAAAEAPvPyJ/Cz8ppZGpgaWpgZmmYAgAAmCJNEQAAAA==")
     assert found_key
     assert found_key["secret"] == "UNPROTECTED (compressed)"
diff --git a/tests/examples_cli_test.py b/tests/examples_cli_test.py
@@ -708,8 +708,8 @@ def test_example_cli_dotnet45_url(monkeypatch, capsys):
         assert ("Details: Mode [DOTNET45]") in captured.out
 
 
-def test_example_cli_aspnetvstate_url(monkeypatch, capsys):
-    base_vulnerable_page_aspnet_vstate = """
+def test_example_cli_aspnetcompressedviewstate_url(monkeypatch, capsys):
+    base_vulnerable_page_aspnet_compressedviewstate = """
          <!doctype html>
 
 <!--[if IE 9]> <html class="no-js lt-ie10" lang="en" xmlns:fb="http://ogp.me/ns/fb#"> <![endif]-->
@@ -738,7 +738,7 @@ def test_example_cli_aspnetvstate_url(monkeypatch, capsys):
         m.get(
             f"http://172.16.25.128/form.aspx",
             status_code=200,
-            text=base_vulnerable_page_aspnet_vstate,
+            text=base_vulnerable_page_aspnet_compressedviewstate,
         )
 
         monkeypatch.setattr(
@@ -753,7 +753,52 @@ def test_example_cli_aspnetvstate_url(monkeypatch, capsys):
         captured = capsys.readouterr()
         assert ("Known Secret Found!") in captured.out
         assert ("Product: H4sIAAAAAAAEAPvPyJ/Cz8ppZGpgaWpgZmmYAgAAmCJNEQAAAA==") in captured.out
-        assert ("ASP.NET Compressed Vstate") in captured.out
+        assert ("ASP.NET Compressed Viewstate") in captured.out
+
+
+def test_example_cli_aspnetcompressedviewstate_url_alternateparamname(monkeypatch, capsys):
+    base_vulnerable_page_aspnet_compressedviewstate = """
+         <!doctype html>
+
+<!--[if IE 9]> <html class="no-js lt-ie10" lang="en" xmlns:fb="http://ogp.me/ns/fb#"> <![endif]-->
+<!--[if gt IE 9]><!--> <html class="no-js" lang="en" xmlns:fb="http://ogp.me/ns/fb#"> <!--<![endif]-->
+<head> 
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ 
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" /> 
+
+</head>
+<body id="_body">
+  <a id="page_top" name="page_top"></a>
+    <form method="post" action="./default.aspx" id="form1">
+<div class="aspNetHidden">
+<input type="hidden" name="__COMPRESSEDVIEWSTATE" id="__COMPRESSEDVIEWSTATE" value="H4sIAAAAAAAEAPvPyJ/Cz8ppZGpgaWpgZmmYAgAAmCJNEQAAAA==" />
+<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="" />
+</div>   
+<p>content</p>
+</html>
+    """
+    with requests_mock.Mocker() as m:
+        m.get(
+            f"http://172.16.25.128/form.aspx",
+            status_code=200,
+            text=base_vulnerable_page_aspnet_compressedviewstate,
+        )
+
+        monkeypatch.setattr(
+            "sys.argv",
+            [
+                "python",
+                "--url",
+                "http://172.16.25.128/form.aspx",
+            ],
+        )
+        cli.main()
+        captured = capsys.readouterr()
+        assert ("Known Secret Found!") in captured.out
+        assert ("Product: H4sIAAAAAAAEAPvPyJ/Cz8ppZGpgaWpgZmmYAgAAmCJNEQAAAA==") in captured.out
+        assert ("ASP.NET Compressed Viewstate") in captured.out
 
 
 def test_example_cli_dotnet45_manual(monkeypatch, capsys):
@@ -879,6 +924,7 @@ def test_example_cli_redirects_default(monkeypatch, capsys):
 serverside_jsfviewstate_html = '<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="-7521159484971427124:9144573339387850859" autocomplete="off" /></form>'
 
 
+# We don't actually care at all about this if it has the server-side viewstate - its completely useless
 def test_example_cli_jsfviewstate_serverside(monkeypatch, capsys):
     with requests_mock.Mocker() as m:
 
@@ -891,7 +937,9 @@ def test_example_cli_jsfviewstate_serverside(monkeypatch, capsys):
         monkeypatch.setattr("sys.argv", ["python", "--url", "http://example.com/serverside_jsfviewstate.html"])
         cli.main()
         captured = capsys.readouterr()
-        assert "Cryptographic Product Identified (no vulnerability)" in captured.out
+        assert (
+            not "Cryptographic Product Identified (no vulnerability)" in captured.out
+        )  # make sure we didn't report it at all
         assert not "Potential matching hashcat commands:" in captured.out
 
 

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class ASPNET_Viewstate(BadsecretsBase):`
`22`	`22`
`23`	`23`	`def carve_regex(self):`
`24`	`24`	`return re.compile(`
`25`		`- r"<input.+__VIEWSTATE\"\svalue=\"(.+)\"[\S\s]+<input.+__VIEWSTATEGENERATOR\"\svalue=\"(\w+)\""`
	`25`	`+ r"<input.+__VIEWSTATE\"\svalue=\"(.+?)\"[\S\s]+<input.+?__VIEWSTATEGENERATOR\"\svalue=\"(\w+)\""`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`def carve_to_check_secret(self, s, url=None, **kwargs):`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ class ExpressSignedCookies_CS(BadsecretsBase):`
`23`	`23`	`"secret": "Express.js Secret (cookie-session)",`
`24`	`24`	`"severity": "HIGH",`
`25`	`25`	`}`
	`26`	`+ validate_carve = False`
`26`	`27`
`27`	`28`	`def carve_regex(self):`
`28`	`29`	`return re.compile(r"(\w{1,64})=([^;]{4,512});.{0,100}?\1\.sig=([^;]{27,86})")`