Modern web applications rely on shift-left security controls — static secret scanning, SAST — to prevent credentials from reaching production. These controls are mature, widely deployed, and effective at what they scan: source code and repository content. They do not scan what the application serves. This paper documents two real exploitation chains in which Azure Active Directory client credentials, API gateway subscription keys, and encrypted configuration objects were found in the client-side JavaScript, runtime-fetched configuration, and API responses of production applications that had passed every pre-deployment security control in place. In both cases, the exposed credentials were combined with over-permissive service principal scopes to achieve full account takeover or mass user data exposure. The paper maps the structural gap between shift-left tooling and the runtime attack surface, identifies three structural deployment paths and one behavioral path by which secrets reach production without automated detection, and explains why both shift-left and shift-right tooling categories miss this class of vulnerability. A detection methodology for the runtime layer is presented, followed by a prioritized remediation framework covering immediate credential rotation, architectural remediation via the Backend for Frontend pattern, and ongoing monitoring controls. All findings were identified during authorized security assessments, reported to the affected organizations, remediated, and verified before this publication.
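As an added illustration of the runtime-layer detection the abstract calls for (example code written for this page, not the paper's methodology or the author's tooling), the script below scans the three artifact classes named above, a client-side JS bundle, a runtime-fetched configuration object and an API response, for credential-bearing key names and for high-entropy string values. The key-name list, the entropy threshold and every sample artifact are constructed assumptions; the secret-looking values are placeholders, not real credentials.

```python
"""Runtime-layer secret scan over what the application serves.

Added example: key-name list, entropy threshold and all sample artifacts
are assumptions constructed for illustration, not data from the paper.
"""
import json
import math
import re
from dataclasses import dataclass
from typing import Any, Optional

# Key names that usually carry a credential when they appear in served content
# (assumed list for this example; extend it for your own estate).
SENSITIVE_KEY_RE = re.compile(
    r"(client[_-]?secret|subscription[_-]?key|ocp-apim-subscription-key|"
    r"api[_-]?key|connection[_-]?string|shared[_-]?access[_-]?key)",
    re.IGNORECASE,
)
# key:"value", "key": "value", key = 'value' as seen in minified JS and JSON text.
ASSIGNMENT_RE = re.compile(
    r"""["']?(?P<key>[A-Za-z0-9_.\-]+)["']?\s*[:=]\s*["'](?P<value>[^"']{8,})["']"""
)
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff for token-like strings
MIN_TOKEN_LEN = 24


@dataclass(frozen=True)
class Finding:
    artifact: str
    key: str
    preview: str  # redacted on purpose: a scanner must never log the full credential
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(key: str, value: str) -> Optional[str]:
    """Return why a key/value pair is a finding, or None if it is not."""
    if SENSITIVE_KEY_RE.search(key):
        return "credential-bearing key name"
    if (len(value) >= MIN_TOKEN_LEN and " " not in value
            and not URL_RE.match(value)  # URLs are the classic entropy false positive
            and shannon_entropy(value) >= ENTROPY_THRESHOLD):
        return "high-entropy value"
    return None


def _finding(artifact: str, key: str, value: str, reason: str) -> Finding:
    return Finding(artifact, key, value[:4] + "...", reason)


def scan_text(artifact: str, text: str) -> list:
    """Regex pass for JS bundles and other unstructured served text."""
    out = []
    for m in ASSIGNMENT_RE.finditer(text):
        reason = classify(m["key"], m["value"])
        if reason:
            out.append(_finding(artifact, m["key"], m["value"], reason))
    return out


def scan_json(artifact: str, node: Any, path: str = "") -> list:
    """Structural walk for runtime config and API responses; reports dotted paths."""
    out = []
    if isinstance(node, dict):
        for k, v in node.items():
            out += scan_json(artifact, v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            out += scan_json(artifact, v, f"{path}[{i}]")
    elif isinstance(node, str):
        reason = classify(path.rsplit(".", 1)[-1], node)
        if reason:
            out.append(_finding(artifact, path, node, reason))
    return out


# Constructed sample artifacts; the secret-looking values are placeholders.
JS_BUNDLE = (
    'const msalConfig={auth:{clientId:"00000000-0000-0000-0000-000000000000",'
    'authority:"https://login.microsoftonline.com/common",'
    'clientSecret:"PLACEHOLDER~not-a-real-secret-value"}};'
    'const theme={mode:"dark-default"};'
)
RUNTIME_CONFIG = json.loads(
    '{"apiBaseUrl":"https://api.example.test/v1",'
    '"features":{"beta":"enabled-for-all-users"},'
    '"gateway":{"Ocp-Apim-Subscription-Key":"PLACEHOLDER0123456789abcdef012345"}}'
)
API_RESPONSE = json.loads(
    '{"user":{"id":42,"displayName":"Example User"},'
    '"integration":{"token":"q7Rk2pLm9ZvX4wHs8TbN1cYd6FgJ3eU0"}}'
)


def run_all() -> list:
    """Scan all three artifact classes and return the findings in order."""
    return (scan_text("app.bundle.js", JS_BUNDLE)
            + scan_json("config.json", RUNTIME_CONFIG)
            + scan_json("GET /api/profile", API_RESPONSE))


if __name__ == "__main__":
    for f in run_all():
        print(f"{f.artifact}: {f.key} ({f.reason}) -> {f.preview}")
```

The two passes are deliberately different: the regex pass catches assignments inside minified bundles where no parser is available, while the structural walk over parsed JSON reports the exact dotted path so the finding can be handed straight to the owning team. The URL exclusion matters in practice, since a plain base URL already scores above a 3.5-bit threshold and would otherwise dominate the output with false positives.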
Hemanth Gorijala
www.synapsesocial.com/papers/69d8967d6c1944d70ce07fd9 — DOI: https://doi.org/10.5281/zenodo.19464445