lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Microsoft SharePoint

Microsoftsaas4 credentials

Credentials4 documented
01

SharePoint Add-in / Azure AD App Client Secret

sharepoint / add-in-client-secret

SharePoint add-ins and Microsoft Entra ID applications use client IDs with client secrets or certificates for app-only access to SharePoint resources.

generated on installuser definedsecretsecret value

Location

http header
Authorization

Bearer access token minted for SharePoint app-only/API calls

config file

web.config, appsettings.json, Azure Functions settings, PowerShell scripts, and deployment manifests

environment
CLIENT_SECRET, SHAREPOINT_CLIENT_SECRET, AZURE_CLIENT_SECRET
secret store

Azure Key Vault, app service settings, CI/CD variables, and password managers

source code

SharePoint add-ins, migration scripts, and integration repos

logs

OAuth debug logs and HTTP traces

02

App-only Certificate Private Key

sharepoint / certificate-private-key

Certificate-based SharePoint app-only authentication uses private keys associated with registered apps or add-ins.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

private key used by SharePoint/Azure AD app-only certificate auth

-----BEGIN (RSA |PRIVATE |ENCRYPTED )?PRIVATE KEY-----

Location

config file

PFX/PEM files, appsettings, PowerShell certificate paths, and deployment packages

secret store

Azure Key Vault certificates, local certificate stores, and CI secret files

artifact

build artifacts, migration bundles, and backups

04

Webhook Client State Secret

sharepoint / webhook-client-state

SharePoint webhook subscriptions can include a clientState value used by receivers to validate notifications.

user definedgenerated on installsecretsecret value

Location

http response

webhook subscription metadata containing clientState

config file

webhook receiver configuration and deployment manifests

secret store

Azure Key Vault and app settings

source code

webhook receiver source and tests

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.