FTP Server and Client Credential Files
Detects passwords stored in FTP server and client configuration files, including FileZilla server/client recentservers.xml base64-encoded passwords, proftpd-style shadow passwd lines with hashed credentials, and sftp-config.json plaintext password fields. Mirrors Snaffler rules KeepFtpServerConfigByName and KeepFtpClientConfigConfigByName.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: the FileZilla base64 Pass element and proftpd passwd line format are highly specific to FTP credential files. The JSON password field form is less specific and is gated with strong contextual evidence at 75+.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS
- Data categories: credentials, security, network
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
<Pass\s+encoding="base64">[A-Za-z0-9+/=]{8,}</Pass>
Corroborative evidence keywords
FileZilla, proftpd, recentservers, sftp-config, FtpUser, Host, FTP, SFTP
Proximity: 300 characters
Should match
- <Pass encoding="base64">UGFzc3dvcmQxMjM=</Pass> — FileZilla recentservers.xml base64-encoded password element
- ftpuser:$6$saltsalt$hashedpassword1234567890abcdef:1001:1001::/home/ftpuser:/sbin/nologin — proftpd shadow passwd line with SHA-512 ($6$) hash
- adminuser:$apr1$xyz12345$abcdefghij0123456789ab:0:0::/root:/bin/bash — proftpd passwd line with APR-MD5 ($apr1$) hash
- "password": "S3cr3tFTPp@ss" — JSON password field in sftp-config.json plaintext password
Should not match
- <Pass encoding="base64">abc</Pass> — Base64 value too short (fewer than 8 chars)
- root:x:0:0:root:/root:/bin/bash — Standard /etc/passwd shadow placeholder (x), no hash algorithm marker
- "password": "" — Empty JSON password field
Known false positives
- Other XML formats that happen to use a Pass element with base64 encoding for non-credential data such as certificates or binary blobs. Mitigation: Require proximity to FileZilla-specific elements (Host, Port, Protocol, User) or FTP/SFTP keyword context.
- Any JSON configuration file containing a "password" key, such as database configs, API configs, or test fixtures. Mitigation: Gate the JSON password form strictly at 75+ with SFTP/FTP-specific evidence (sftp-config, FtpUser, Host, FileZilla, proftpd).
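The FileZilla pattern combined with the keyword proximity mitigation described above, as an added example that is not part of the original rule definition. It uses Python's re module rather than boost_regex and covers only the pattern shown on this page; case-insensitive keyword matching, the scan() helper and the sample documents are assumptions constructed for illustration.

```python
import re

# Pattern exactly as given on the page (FileZilla base64 <Pass> element).
PASS_RE = re.compile(r'<Pass\s+encoding="base64">[A-Za-z0-9+/=]{8,}</Pass>')

# Corroborative keywords and proximity window from the page.
KEYWORDS = ("FileZilla", "proftpd", "recentservers", "sftp-config",
            "FtpUser", "Host", "FTP", "SFTP")
PROXIMITY = 300


def scan(text):
    """Return one finding per pattern match, with the keywords seen nearby."""
    findings = []
    for m in PASS_RE.finditer(text):
        lo = max(0, m.start() - PROXIMITY)
        hi = min(len(text), m.end() + PROXIMITY)
        # Look around the match, not inside it: base64 text is not evidence.
        # Assumption: keywords are compared case-insensitively.
        window = (text[lo:m.start()] + "\n" + text[m.end():hi]).lower()
        evidence = [k for k in KEYWORDS if k.lower() in window]
        findings.append({
            "offset": m.start(),
            "evidence": evidence,
            "corroborated": bool(evidence),
            # Report the match length only, never the secret itself.
            "match_length": m.end() - m.start(),
        })
    return findings


# Constructed sample: FileZilla-style server entry (value from "Should match").
FILEZILLA_SAMPLE = """<Server>
  <Host>ftp.example.com</Host>
  <Port>21</Port>
  <User>deploy</User>
  <Pass encoding="base64">UGFzc3dvcmQxMjM=</Pass>
</Server>"""

# Constructed sample: unrelated XML reusing a base64 Pass element for a blob.
UNRELATED_SAMPLE = """<Blob>
  <Name>thumbnail</Name>
  <Pass encoding="base64">iVBORw0KGgoAAAANSUhEUg==</Pass>
</Blob>"""

# Constructed sample: value from "Should not match" (fewer than 8 characters).
SHORT_SAMPLE = '<Host>ftp.example.com</Host><Pass encoding="base64">abc</Pass>'
```

The unrelated sample still matches the regex but comes back with `corroborated` set to False, which is the false-positive case the first mitigation targets.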