
Saturday September 12, 2026 10:30am - 11:30am CDT
A bug bounty researcher found Azure credentials in a JavaScript file and 
marked the report informational. The credentials were live production values: 
four Azure AD fields sitting in a public JS bundle, enough to authenticate as 
the application itself. The frontend had documented its own backend. The 
result was full account takeover: the application's token had been granted the 
ability to perform user-level operations, so every account in the system was 
reachable. The organization had GitLeaks in CI/CD and static secret scanning 
on pull requests. The credentials were still live.


That was one chain. A second application used CryptoJS to encrypt its 
configuration, a common pattern in SPAs where developers believe encrypting 
the config protects it. The decryption key was hardcoded in the same 
JavaScript file, three lines away from the encrypted blob. The secret to 
unlock everything was sitting next to the lock. A browser that has to decrypt 
the config has to be given the key, so client-side encryption adds a step for 
the attacker, not a barrier. Same credential pattern at the end. Same result.


Shift-left tools scan what you commit. They do not scan what you serve. 
Build-time environment injection bakes live keys into webpack bundles that 
never touch the repository. CI/CD pipeline variable substitution materializes 
secrets only in the build artifact, after every scanner has run. SSR state 
blobs injected by Next.js and Nuxt carry credentials into HTML that no 
pre-deployment scanner ever sees. Once a secret reaches production, it 
disappears from every scanner's view. Sometimes that disappearance is 
engineered: developers suppress scanner alerts on credentials the application 
genuinely requires, trading automated monitoring for a green pipeline. The 
only things finding runtime secrets are manual penetration testers, bug bounty 
researchers, and attackers. Two of those three report what they find.


This talk walks through both exploitation chains in detail, maps the full 
shift-right gap in the security tooling landscape, and closes with a live 
demo on a purpose-built, intentionally vulnerable healthcare portal: a 
HIPAA-branded application that exposes Twilio, SendGrid, Stripe, and Firebase 
credentials in its public JavaScript files and leaks internal service keys in 
response headers on every request.


The demo uses SecretSifter, a free Burp extension, browser tool, and desktop 
app built for the runtime layer to find every secret passively, without 
configuration, as traffic flows.


Security teams leave with a clear picture of where their shift-left controls 
stop, a taxonomy of the six exposure mechanisms that bypass them, and a free 
tool they can deploy against their own applications the same day.


Speakers
Hemanth Gorijala

Global Penetration Testing Lead
Hemanth Gorijala is an application security professional and penetration tester with 13 years of experience. He conducts web application security assessments and reviews vulnerability reports in enterprise bug bounty programs. The exploitation chains in this talk are drawn from his...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA