Github security bug bounty hunting

Github Security
n|u - The Open security community
Chennai Meet
Presenter : Vinothkumar
Date : 27/04/2019

About Me
Application security engineer @ Freshworks, Inc.
Blogger @ https://tutorgeeks.blogspot.com
Tweet @vinothpkumar
Github @ https://github.com/tutorgeeks

Agenda for the session
1. What is Github
2. Using Github / Github Gist search for bug bounty hunting
3. Securing Wiki
4. Securing Forked repos
5. Security Audit log
6. Post commit security check using Gitrob
7. Pre commit security check using Git Secrets
8. Github security best practises

1.What is Github
● GitHub is a code hosting platform for collaboration and version control.
● GitHub lets you (and others) work together on projects.
● 28 million users and 57 million repositories making it the largest host of source code
in the world.
● Parent company : Microsoft (2018–present)
● Written in Ruby

2.Using Github search for bug bounty hunting
Github is a great place to look for credentials and private API keys. Here’s a list of a few
items that you could use to find information about your target.
● “example.com” API_key
● “example.com” secret_key
● “example.com” aws_key
● “example.com” Password
● “example.com” FTP
● “example.com” login
● “example.com” github_token

PayTM
“paytm.com “ “password”
Bounty awarded : Rs.21200
Status : Fixed
https://twitter.com/s4thi5h_infosec/status/1067004873663639552

Snapchat
Bounty hunter Th3G3nt3lman was awarded $15,000 after discovering and reporting a
sensitive auth token that was accidentally posted by a Snapchat software engineer.
https://medium.com/@cosmobugbounty/bounty-of-the-week-15-000-snapchat-leak-af38f882d3ac

Github security bug bounty hunting

Search Github Gist [ Mostly Ignored ]
GitHub Gist is used instantly share code, notes, and snippets.
● Helps to create public and secret gist.
● Secret gist is only protected by a token. Use with caution while creating secret gist
since developer could paste the secret gist public along with the token.
site:gist.github.com “companyname”

Zomato - Mandate 2FA
● Zomato’s Github org was compromised using the leaked password of 000webhost.
● Attacker used the credential to login into Zomato Github org account [ 2FA is not
implemented at the time of the hack]
● Attacker looked at the code base and found a RCE vulnerability and exploited it.
● Zomato acknowledged the fact that they could’ve easily avoided this issue if they had
implemented 2FA.
● Avoid using the same credential in all websites.
https://www.zomato.com/blog/security-update-what-really-happened-and-what

3.Securing Wiki
GitHub Org accounts may contain world-editable wiki pages :
https://www.smeegesec.com/2019/03/auditing-github-repo-wikis-for-fun-and.html
Python script to check GitHub accounts for world-editable wiki pages : https://github.com/SmeegeSec/GitHub-Wiki-Auditor

4.Securing Forked repos
A fork is a copy of a repository. Forking a repository allows you to freely experiment with
changes without affecting the original project.
● Forked repositories are public by default.
● Watch out for sensitive PII in forked repo in commits / Pull request.
Instead of forking the repo, create a private repo with the forked repo contents.

5.Security Audit log
● The audit log allows organization admins to quickly review the actions performed by
members of your organization. It includes details such as who performed the action,
what the action was, and when it was performed.
● Logs are useful for debugging and internal and external compliance.
https://help.github.com/en/articles/reviewing-the-audit-log-for-your-organization

6.Gitrob [ post commit checks ]
● Reconnaissance tool for GitHub organizations
● It helps to find potentially sensitive files pushed to public repositories on Github.
● Gitrob will clone repositories belonging to a user or organization down to a
configurable depth and iterate through the commit history and flag files that match
signatures for potentially sensitive files.
● The findings will be presented through a web interface for easy browsing and
analysis.
https://github.com/michenriksen/gitrob
Demo:

7.Git Secrets [ pre commit checks ]
Prevents you from committing secrets and credentials into git repositories
● git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...]
● git secrets --scan-history
● git secrets --install [-f|--force] [<target-directory>]
● git secrets --list [--global]
● git secrets --add [-a|--allowed] [-l|--literal] [--global] <pattern>
● git secrets --add-provider [--global] <command> [arguments...]
● git secrets --register-aws [--global]
● git secrets --aws-provider [<credentials-file>]
https://github.com/awslabs/git-secrets
Demo:

8.Github security best practises
1. Never store credentials as code/config in GitHub.
2. Remove Sensitive data in your files and GitHub history
3. Tightly Control Access
4. Add a SECURITY.md file
5. Validate your GitHub Applications Carefully
6. Add Security Testing to PRs
7. Use the Right GitHub Offering for your Security Needs
8. Rotate SSH keys and Personal Access Tokens
9. Create New Projects with Security in Mind
10. Audit the Code/apps you use into GitHub
Reference: https://snyk.io/blog/ten-git-hub-security-best-practices/

Github security bug bounty hunting

More Related Content

What's hot (20)

Similar to Github security bug bounty hunting (20)

Recently uploaded (20)

Github security bug bounty hunting

Editor's Notes