From 69d9ad929158a757b54a9359710851883e2b6d0e Mon Sep 17 00:00:00 2001 From: patrick-projectdiscovery Date: Sat, 13 Dec 2025 14:00:08 -0500 Subject: [PATCH 1/4] Update credential-monitoring.mdx docs: add HTML meta tag + upload TXT file verification methods for credential monitoring --- cloud/credential-monitoring.mdx | 124 +++++++++++++++++++++++--------- 1 file changed, 92 insertions(+), 32 deletions(-) diff --git a/cloud/credential-monitoring.mdx b/cloud/credential-monitoring.mdx index 28a0b86..4b70bbf 100644 --- a/cloud/credential-monitoring.mdx +++ b/cloud/credential-monitoring.mdx @@ -47,53 +47,113 @@ title="Try Credential Monitoring Now" **Access Control**: Viewing employee passwords is only accessible to users with **Owner** or **Admin** account types within your organization. -## Domain Verification (Required for Organization-Wide Leaks) +# Domain verification — Credential Monitoring -To access **Employee Leaks** and **Customer/User Leaks** for your organization, you must first verify ownership of your domain using a DNS TXT record. +You can verify domain ownership in Credential Monitoring using three methods: +1. DNS TXT record +2. HTML meta tag +3. Upload TXT file -### How to Verify Your Domain +The verification modal in the app provides copy/download helpers for each method. -1. In **ProjectDiscovery Cloud**, open **Credential Monitoring → Domains**. -2. Click **Add Domain**, enter your business domain (for example: example.com), and click **Verify Now**. -3. A **DNS TXT record** will appear — copy this value. -4. Add the TXT record to your DNS configuration through your provider (e.g., Cloudflare, GoDaddy, Route53). -5. Wait a few minutes for DNS propagation. -6. Return to the dashboard and click **Verify** to complete the process. +--- -When verification succeeds, your domain will show a ✅ Verified status in the list. +## 1) DNS TXT record -#### Example DNS TXT Record +**When to use:** Standard method when you can edit DNS records for the domain. - Type: TXT - Host: _pd-verification.example.com - Value: pd-verification=2a9f34b8e6b74912adbe4f +**What to add** +Create a TXT record on the root of your domain. The verification value will look like: -### Verifying Multiple Domains + projectdiscovery-verification= -You can verify multiple domains from the same account. (Note: This feature requires an Enterprise subscription) -Each domain requires its own TXT record and verification step. +**Where to add** +- Host / Name: `@` (or “root” depending on your DNS UI) +- Type: `TXT` +- Value: `projectdiscovery-verification=` -Example: -- example.com -- example.org -- brand-example.io +**Notes & troubleshooting** +- DNS propagation can take time. The app may show that DNS changes can take up to 48 hours in some cases, though many verifications succeed in minutes. +- Check from a terminal: -### Troubleshooting + dig TXT yourdomain.com -**No TXT record appears after clicking “Verify Now.”** -→ Your account email is not a business domain. Log in with your work email (for example: name@company.com). + or, if given a specific record name: -**I logged in with GitHub and can’t verify.** -→ Log out and sign in using your company email directly. + dig TXT _pd-verification.yourdomain.com -**Verification fails after adding the TXT record.** -→ Wait 5–10 minutes for DNS propagation, then retry. -→ You can check manually with: +- Once verification succeeds, the domain will show **Verified** in the Domains list. - dig TXT yourdomain.com +--- + +## 2) HTML meta tag + +**When to use:** When you can edit and deploy your site’s HTML but cannot change DNS. + +**What to add** +Place this meta tag inside the root HTML `` of your site (the page served at `https://yourdomain/`): + + + +**Steps** +1. Add the meta tag to the root document’s ``. +2. Deploy the change to the live site. +3. Click **Verify** in Credential Monitoring. + +**Troubleshooting** +- Confirm the tag is present in the deployed page: + + curl -s https://yourdomain | grep projectdiscovery-verification + + You should see the meta tag with the verification string. +- If Verify fails, confirm the change is on the live site (not staging) and that any CDN/cache is serving the updated page. + +--- + +## 3) Upload TXT file + +**When to use:** When you can upload static files to the site root but don’t want to change DNS or HTML. + +**What to add** +Create a file named `pd-verification.txt` at your site’s document root (for example `https://yourdomain/pd-verification.txt`) whose entire contents are exactly the verification string provided by the UI: + + + +**Steps** +1. Create `pd-verification.txt` containing only the verification string. +2. Upload it to `https://yourdomain/pd-verification.txt`. +3. Click **Verify** in Credential Monitoring. + +**Troubleshooting** +- Confirm the file is reachable and contains the expected string: + + curl -s https://yourdomain/pd-verification.txt + + The output should exactly match the verification string. +- Ensure the file is served over HTTPS if your site uses TLS, and that it is accessible at the root path. + +--- + +## How to verify in the app + +1. Go to **Credential Monitoring → Domains → Add Domain**. +2. Enter your domain and click **Continue**. +3. In the verification modal pick the method tab (DNS record / HTML meta tag / Upload TXT file) and follow the instructions. The modal offers copy and download helpers. +4. After you add the record, meta tag, or file, click **Verify**. A successful verification marks the domain as **Verified**. + +--- + +## Quick troubleshooting checklist + +- **DNS:** `dig TXT yourdomain.com` — confirm `projectdiscovery-verification=` is present. +- **HTML meta tag:** `curl -s https://yourdomain | grep projectdiscovery-verification` — confirm the meta tag is in the ``. +- **TXT file:** `curl -s https://yourdomain/pd-verification.txt` — confirm the file contains the verification string. + +--- + +## Notes -**Government (.gov), education (.edu), or regulated domains** -→ TXT verification works the same way. Use an official organization email to access full breach details. +- The UI now supports DNS TXT, HTML meta tag, and Upload TXT file verification methods. ### FAQs About Verification From ba575a653cbb082bece61d28bd63a8078ccfb6d4 Mon Sep 17 00:00:00 2001 From: patrick-projectdiscovery Date: Sat, 13 Dec 2025 14:05:13 -0500 Subject: [PATCH 2/4] Update credential-monitoring.mdx --- cloud/credential-monitoring.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud/credential-monitoring.mdx b/cloud/credential-monitoring.mdx index 4b70bbf..7766730 100644 --- a/cloud/credential-monitoring.mdx +++ b/cloud/credential-monitoring.mdx @@ -47,9 +47,9 @@ title="Try Credential Monitoring Now" **Access Control**: Viewing employee passwords is only accessible to users with **Owner** or **Admin** account types within your organization. -# Domain verification — Credential Monitoring +## Domain Verification (Required for Organization-Wide Leaks) -You can verify domain ownership in Credential Monitoring using three methods: +To access **Employee Leaks** and **Customer/User Leaks** for your organization, you must first verify ownership of your domain. You can verify domain ownership in Credential Monitoring using three methods: 1. DNS TXT record 2. HTML meta tag 3. Upload TXT file From 8ccdb6940d9a214751a994dad8c9e5642bb2ce38 Mon Sep 17 00:00:00 2001 From: PDTeamX <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 15 Jan 2026 03:00:17 +0530 Subject: [PATCH 3/4] leaks docs update --- .../leaks/get-domain-customer-leaks.mdx | 5 +- api-reference/leaks/get-leak-info.mdx | 5 +- cloud/credential-monitoring.mdx | 257 +++++++++++------- tools/alterx/install.mdx | 23 +- tools/alterx/overview.mdx | 23 +- tools/alterx/running.mdx | 23 +- tools/alterx/usage.mdx | 23 +- tools/chaos/install.mdx | 23 +- tools/chaos/overview.mdx | 23 +- tools/chaos/running.mdx | 23 +- tools/chaos/usage.mdx | 23 +- tools/cloudlist/install.mdx | 23 +- tools/cloudlist/overview.mdx | 23 +- tools/cloudlist/providers.mdx | 23 +- tools/cloudlist/running.mdx | 23 +- tools/cloudlist/usage.mdx | 23 +- tools/cvemap/install.mdx | 23 +- tools/cvemap/overview.mdx | 23 +- tools/cvemap/running.mdx | 23 +- tools/cvemap/usage.mdx | 23 +- tools/dnsx/install.mdx | 23 +- tools/dnsx/overview.mdx | 23 +- tools/dnsx/running.mdx | 23 +- tools/dnsx/usage.mdx | 23 +- tools/httpx/install.mdx | 23 +- tools/httpx/overview.mdx | 23 +- tools/httpx/running.mdx | 23 +- tools/httpx/usage.mdx | 23 +- tools/index.mdx | 23 +- tools/interactsh/install.mdx | 23 +- tools/interactsh/integrations.mdx | 23 +- tools/interactsh/overview.mdx | 23 +- tools/interactsh/running.mdx | 23 +- tools/interactsh/server.mdx | 23 +- tools/interactsh/usage.mdx | 23 +- tools/katana/install.mdx | 23 +- tools/katana/overview.mdx | 23 +- tools/katana/running.mdx | 23 +- tools/katana/usage.mdx | 23 +- tools/naabu/install.mdx | 23 +- tools/naabu/overview.mdx | 23 +- tools/naabu/running.mdx | 23 +- tools/naabu/usage.mdx | 23 +- tools/notify/install.mdx | 23 +- tools/notify/overview.mdx | 23 +- tools/notify/provider-config.mdx | 23 +- tools/notify/running.mdx | 23 +- tools/notify/usage.mdx | 23 +- tools/nuclei/authenticated-scans.mdx | 23 +- tools/nuclei/faq.mdx | 23 +- tools/nuclei/input-formats.mdx | 23 +- tools/nuclei/install.mdx | 23 +- tools/nuclei/mass-scanning-cli.mdx | 23 +- tools/nuclei/nuclei-sdk.mdx | 23 +- tools/nuclei/overview.mdx | 23 +- tools/nuclei/running.mdx | 23 +- tools/nuclei/usage.mdx | 23 +- tools/pdtm/install.mdx | 23 +- tools/pdtm/overview.mdx | 23 +- tools/pdtm/running.mdx | 23 +- tools/pdtm/usage.mdx | 23 +- tools/subfinder/install.mdx | 23 +- tools/subfinder/overview.mdx | 23 +- tools/subfinder/running.mdx | 23 +- tools/subfinder/usage.mdx | 23 +- tools/uncover/install.mdx | 23 +- tools/uncover/overview.mdx | 23 +- tools/uncover/running.mdx | 25 +- tools/uncover/usage.mdx | 25 +- 69 files changed, 228 insertions(+), 1561 deletions(-) diff --git a/api-reference/leaks/get-domain-customer-leaks.mdx b/api-reference/leaks/get-domain-customer-leaks.mdx index f818a33..f1c1ea3 100644 --- a/api-reference/leaks/get-domain-customer-leaks.mdx +++ b/api-reference/leaks/get-domain-customer-leaks.mdx @@ -33,11 +33,10 @@ The new consolidated endpoint offers several advantages: - **Future-Proof**: All new features will be added to the consolidated endpoint - **Better Analytics**: Enhanced grouping and summary capabilities -## Privacy Enhancements +## Security Enhancements -The new consolidated endpoint includes enhanced privacy protections for customer leaks: +The new consolidated endpoint includes enhanced security controls for customer leaks: -- **Password Masking**: Customer leak passwords are never unmasked (privacy protection) - **Access Control**: Stricter validation of domain ownership - **Audit Logging**: Better tracking of access to customer data diff --git a/api-reference/leaks/get-leak-info.mdx b/api-reference/leaks/get-leak-info.mdx index 5a00661..a87f422 100644 --- a/api-reference/leaks/get-leak-info.mdx +++ b/api-reference/leaks/get-leak-info.mdx @@ -12,7 +12,6 @@ Retrieve detailed information for a specific leak by its ID. This endpoint provi - **Personal leaks**: Always accessible if the leak belongs to your email - **Employee/Customer leaks**: Requires domain verification for the associated domain - **Password unmasking**: Requires domain verification -- **Customer leak privacy**: Passwords are never unmasked for customer leaks (privacy protection) ### Leak ID Format The leak ID must be a 32-character MD5 hash (e.g., `b3652f2555841f7652badd9804859f4e`). @@ -101,11 +100,10 @@ The leak ID must be a 32-character MD5 hash (e.g., `b3652f2555841f7652badd980485 ### When Passwords Are Unmasked - Personal leaks: Always unmasked for the account owner - Employee leaks: Unmasked with domain verification -- Customer leaks: **Never unmasked** (privacy protection) +- Customer leaks: Unmasked with domain verification ### When Passwords Are Masked - Shows as `***MASKED***` when access is not authorized -- Customer leak passwords are always masked for privacy protection ## Usage Examples @@ -122,7 +120,6 @@ curl -X POST "https://api.projectdiscovery.io/v1/leaks/info" \ ## Security Considerations ### Privacy Protection -- Customer leak passwords are never exposed to maintain customer privacy - Access is strictly controlled based on domain verification - All access attempts are logged for security auditing diff --git a/cloud/credential-monitoring.mdx b/cloud/credential-monitoring.mdx index 7766730..0189f33 100644 --- a/cloud/credential-monitoring.mdx +++ b/cloud/credential-monitoring.mdx @@ -36,138 +36,200 @@ title="Try Credential Monitoring Now" | Feature | Free Users | Free Business Domain Users | Enterprise Users | | :------ | ---------- | -------------------------- | ---------------- | | Personal email exposures | ✓ | ✓ | ✓ | -| Organization-wide credential exposures | - | ✓ (Requires DNS verification) | ✓ | -| View employee passwords | - | ✓ (Requires DNS verification) | ✓ | +| Organization-wide credential exposures | ✗ | ✓ (Requires DNS verification) | ✓ | | Export data (JSON/CSV) | ✓ | ✓ | ✓ | | API access | ✓ | ✓ | ✓ | -| Multi-domain monitoring | - | - | ✓ | -| Priority support | - | - | ✓ | +| Multi-domain monitoring | ✗ | ✗ | ✓ | +| Priority support | ✗ | ✗ | ✓ | - -**Access Control**: Viewing employee passwords is only accessible to users with **Owner** or **Admin** account types within your organization. - - -## Domain Verification (Required for Organization-Wide Leaks) +## Domain Verification -To access **Employee Leaks** and **Customer/User Leaks** for your organization, you must first verify ownership of your domain. You can verify domain ownership in Credential Monitoring using three methods: -1. DNS TXT record -2. HTML meta tag -3. Upload TXT file + +**Required for Organization-Wide Leaks**: To access **Employee Leaks** and **Customer/User Leaks** for your organization, you must first verify ownership of your domain. + -The verification modal in the app provides copy/download helpers for each method. +### How to Verify in the App + + + + Go to **Credential Monitoring → Domains → Add Domain** + + + Type your domain name and click **Continue** + + + Select your preferred method tab (DNS record / HTML meta tag / Upload TXT file) and follow the instructions. Use the built-in copy and download helpers. + + + After adding the record, meta tag, or file, click **Verify**. A successful verification marks the domain as **Verified** ✓ + + --- -## 1) DNS TXT record - -**When to use:** Standard method when you can edit DNS records for the domain. - -**What to add** -Create a TXT record on the root of your domain. The verification value will look like: - - projectdiscovery-verification= - -**Where to add** -- Host / Name: `@` (or “root” depending on your DNS UI) -- Type: `TXT` -- Value: `projectdiscovery-verification=` - -**Notes & troubleshooting** -- DNS propagation can take time. The app may show that DNS changes can take up to 48 hours in some cases, though many verifications succeed in minutes. -- Check from a terminal: +### Verification Methods - dig TXT yourdomain.com +Choose from three verification methods based on your access level: - or, if given a specific record name: + + + Best when you have DNS access + + + Best when you can edit your website + + + Best when you can upload files to your site + + - dig TXT _pd-verification.yourdomain.com - -- Once verification succeeds, the domain will show **Verified** in the Domains list. + +The verification modal in the app provides **copy/download helpers** for each method to make setup quick and easy. + --- -## 2) HTML meta tag - -**When to use:** When you can edit and deploy your site’s HTML but cannot change DNS. - -**What to add** -Place this meta tag inside the root HTML `` of your site (the page served at `https://yourdomain/`): +#### Method 1: DNS TXT Record - - -**Steps** -1. Add the meta tag to the root document’s ``. -2. Deploy the change to the live site. -3. Click **Verify** in Credential Monitoring. + +**Recommended** — Standard method when you have access to edit DNS records for the domain. + -**Troubleshooting** -- Confirm the tag is present in the deployed page: + + + Add a TXT record on the root of your domain with the following value: + + ``` + projectdiscovery-verification=YOUR_VERIFICATION_STRING + ``` + + + | Setting | Value | + |---------|-------| + | Host / Name | `@` (or "root" depending on your DNS provider) | + | Type | `TXT` | + | Value | `projectdiscovery-verification=YOUR_VERIFICATION_STRING` | + + + Click **Verify** in Credential Monitoring. Once successful, your domain will show as **Verified**. + + + + +- **DNS propagation** can take up to 48 hours, though most verifications succeed within minutes +- Verify your record is live using terminal: + +```bash +dig TXT yourdomain.com +``` - curl -s https://yourdomain | grep projectdiscovery-verification +Or for specific record names: - You should see the meta tag with the verification string. -- If Verify fails, confirm the change is on the live site (not staging) and that any CDN/cache is serving the updated page. +```bash +dig TXT _pd-verification.yourdomain.com +``` + --- -## 3) Upload TXT file - -**When to use:** When you can upload static files to the site root but don’t want to change DNS or HTML. - -**What to add** -Create a file named `pd-verification.txt` at your site’s document root (for example `https://yourdomain/pd-verification.txt`) whose entire contents are exactly the verification string provided by the UI: +#### Method 2: HTML Meta Tag - + +Best when you can edit and deploy your site's HTML but cannot change DNS settings. + -**Steps** -1. Create `pd-verification.txt` containing only the verification string. -2. Upload it to `https://yourdomain/pd-verification.txt`. -3. Click **Verify** in Credential Monitoring. + + + Place this meta tag inside the `` section of your root HTML page (`https://yourdomain/`): + + ```html + + ``` + + + Push the updated HTML to your live site. + + + Click **Verify** in Credential Monitoring. + + + + +Confirm the tag is present in the deployed page: + +```bash +curl -s https://yourdomain | grep projectdiscovery-verification +``` -**Troubleshooting** -- Confirm the file is reachable and contains the expected string: +If verification fails: +- Ensure the change is on the **live site** (not staging) +- Clear any CDN/cache that might be serving an old version + - curl -s https://yourdomain/pd-verification.txt +--- - The output should exactly match the verification string. -- Ensure the file is served over HTTPS if your site uses TLS, and that it is accessible at the root path. +#### Method 3: Upload TXT File ---- + +Best when you can upload static files to your site root but don't want to modify DNS or HTML. + -## How to verify in the app + + + Create a file named `pd-verification.txt` containing only your verification string: + + ``` + YOUR_VERIFICATION_STRING + ``` + + + Upload the file so it's accessible at `https://yourdomain/pd-verification.txt` + + + Click **Verify** in Credential Monitoring. + + + + +Confirm the file is reachable and contains the expected string: + +```bash +curl -s https://yourdomain/pd-verification.txt +``` -1. Go to **Credential Monitoring → Domains → Add Domain**. -2. Enter your domain and click **Continue**. -3. In the verification modal pick the method tab (DNS record / HTML meta tag / Upload TXT file) and follow the instructions. The modal offers copy and download helpers. -4. After you add the record, meta tag, or file, click **Verify**. A successful verification marks the domain as **Verified**. +If verification fails: +- Ensure the file is served over **HTTPS** +- Verify it's accessible at the exact root path + --- -## Quick troubleshooting checklist +### Quick Troubleshooting Reference -- **DNS:** `dig TXT yourdomain.com` — confirm `projectdiscovery-verification=` is present. -- **HTML meta tag:** `curl -s https://yourdomain | grep projectdiscovery-verification` — confirm the meta tag is in the ``. -- **TXT file:** `curl -s https://yourdomain/pd-verification.txt` — confirm the file contains the verification string. +| Method | Command | Expected Result | +|--------|---------|-----------------| +| **DNS** | `dig TXT yourdomain.com` | Shows `projectdiscovery-verification=...` | +| **HTML** | `curl -s https://yourdomain \| grep projectdiscovery-verification` | Shows the meta tag in `` | +| **File** | `curl -s https://yourdomain/pd-verification.txt` | Shows the verification string | --- -## Notes - -- The UI now supports DNS TXT, HTML meta tag, and Upload TXT file verification methods. - ### FAQs About Verification -**Do I need to verify to see personal leaks?** -No — personal leaks are automatically visible for the email you used to sign up. Verification is only required for organization-wide views. - -**Can I verify multiple domains?** -Yes, each domain requires its own TXT record. - -**How long does verification take?** -Usually 5–10 minutes, depending on DNS propagation time. - -**Do I need to reverify later?** -No, once a domain is verified it remains linked unless the TXT record is removed. + + + No — personal leaks are automatically visible for the email you used to sign up. Verification is only required for organization-wide views. + + + Only **Enterprise customers** can have multiple domains verified. You can self-verify each domain individually or reach out to support for bulk verification. + + + Usually 5–10 minutes, depending on DNS propagation time. + + + No, once a domain is verified it remains linked unless the verification record is removed. + + ## How It Works @@ -281,7 +343,6 @@ flowchart TD - `buyer@outlook.com` with stored passwords for `shop.hooli.com` - **Exclusions**: Does not include employee emails (those are classified as Employee Leaks) - **Access**: Available to verified Business Domain Users and Enterprise customers -- **Privacy**: Email addresses shown, but passwords are never displayed to protect customer privacy ### Key Classification Distinction @@ -319,10 +380,6 @@ Our classification system uses advanced pattern matching and domain analysis to - **Duplicate Prevention**: Cross-category filtering ensures employee emails don't appear in customer leak categories - **False Positive Reduction**: Multiple validation layers minimize misclassification - -**Important**: Customer leak data shows email addresses for identification purposes but never displays actual passwords to maintain customer privacy and comply with data protection standards. - - ## Understanding Malware-Based Credential Theft ### How Malware Steals Credentials @@ -410,7 +467,7 @@ Integrate these API endpoints with your security tools to automatically trigger A: No, credential visibility is restricted to Owner and Admin accounts only. This ensures sensitive breach data is only accessible to authorized personnel responsible for security. **Q: Why can't I see employee passwords?** -A: Business Domain Users can view employee passwords data after DNS verification. Only Enterprise customers can monitor multiple domains. Customer passwords are never displayed to any user tier to protect customer privacy. +A: Business Domain Users can view employee passwords data after DNS verification. Only Enterprise customers can monitor multiple domains. **Q: How do I view my personal leaked credentials?** A: You can automatically view all leaked credentials associated with the email address you used to sign up. Simply navigate to "My Leaks" to see any exposures linked to your personal email account - no additional verification required. diff --git a/tools/alterx/install.mdx b/tools/alterx/install.mdx index bdc8cc1..3767f16 100644 --- a/tools/alterx/install.mdx +++ b/tools/alterx/install.mdx @@ -1,32 +1,11 @@ --- title: 'Redirecting...' description: 'This page has moved to /opensource/alterx/install' +redirect: /opensource/alterx/install --- -import { useEffect } from 'react'; - -export const RedirectComponent = () => { - useEffect(() => { - window.location.replace('/opensource/alterx/install'); - }, []); - - return null; -}; - - - # 🔄 Redirecting... You are being redirected to [/opensource/alterx/install](/opensource/alterx/install). If you are not automatically redirected, [click here](/opensource/alterx/install). - -