Yo Github, could you find something for me?

Sami drif
Aug 29, 2017 · 7 min read

Hello everyone, this is my first post and I'm so happy about it :), and I think it is time to give back to the community something I learned from it. Let me introduce myself first: I'm Sami Drif, another guy who loves computer technology and became a bug hunter last year. I'm most active on HackerOne. Yeah, I know, I talked a lot about myself.

In this write-up I will talk about something that is not new, but which we still report to companies every day: sensitive information exposed in public GitHub repositories and left there.

1. How does it happen?

Leaking credentials means exposing secrets and confidential data that grant access to accounts, to third-party services, or even to internal services of the company concerned.
The most common types of leaked credentials are passwords, API keys and SSH private keys, among other things. Such a key may be sufficient for an automated tool, whether your own or an attacker's, to perform an action, for instance publish a new version of a package or delete code. The actual range of actions each key allows varies by key and by system. The leaked information may belong to the company itself or to its employees. In this write-up I will give several examples of vulnerabilities I reported in the past, but I can't say which companies they concern since most of the programs are private.

I started digging into this kind of attack after reading Chalker's post, which I found amazing. In that write-up he shares his research on leaked credentials in npm packages and describes many places to look, as well as other interesting details. To make it easier for you, there are two ways of looking for secrets, and I will cover both.

2. How to find them?

Automatic search:

This can be done with the help of tools and scripts. I think you already know Gitrob, and you can learn how it works from this blog post; I encourage you to try it. It is an awesome tool that automates the work so you don't need to do it by hand: just enter the name of the company you want to hunt and it will look for leaked secret data. Below is a screenshot showing the results after searching for exposed files in Zomato as an example.

Don't forget to check the results before submitting, or you will file false-positive reports and get N/A for them. Anyway, I will not talk too much about Gitrob since it is an automatic tool :). Instead I will explain the methodology of manual search, since it is more effective than the automatic one.

Manual search:

I want to say that I wrote this write-up especially for this section, and you will see why.

To be clear, all of my findings came from this method. I love searching for things myself, and you can call it simple dorks: as you know, if you want to search for a word on GitHub within a specific organization or user, you use:

org:testorg foobar

user:testuser foobar

It is simple, but when you replace foobar with other words it gives you what you are looking for in that organization or user. I use a lot of words that could give me what I want; below is a list of the keywords I use most:

api, token, username, password, secret, dev, prod, jenkins, config, ssh, ftp, MYSQL_PASSWORD, admin, AWS, ... (you can be more creative than me)
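The same keyword list is just as useful offline, against a repository you have already cloned or an archive a developer pasted somewhere. Here is an added example, my own code rather than the author's or any tool's, in Python. It uses the post's keywords as a low-confidence ranking signal, adds a handful of high-confidence patterns that match the shape of a credential (an AWS access key ID, an `Authorization: Basic|Bearer` header, a private-key header, and `PASSWORD=` / `SECRET=` style assignments), and drops values that are obviously placeholders, which is exactly the check the Gitrob paragraph asks for before you submit. The sample files it scans are constructed for this example: the Basic value is base64 of `user:s3cret-pass` and the AWS key is the example key from the AWS documentation, not a real credential.

```python
#!/usr/bin/env python3
"""Triage a local checkout for leaked credentials (added example, not the post's code)."""
import os
import re
import tempfile

# The post's keyword list: a low-confidence "look here" signal used to rank files.
KEYWORDS = ["api", "token", "username", "password", "secret", "dev", "prod",
            "jenkins", "config", "ssh", "ftp", "mysql_password", "admin", "aws"]

# High-confidence patterns: each matches the *shape* of a credential, not just a word.
# The named group "value" is what gets checked against PLACEHOLDER below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "authorization_header": re.compile(
        r"""["']?Authorization["']?[\]\s]*[:=]\s*["']?(?P<value>(?:Basic|Bearer)\s+[A-Za-z0-9+/=._-]{16,})"""),
    "private_key": re.compile(r"(?P<value>-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"),
    "secret_assignment": re.compile(
        r"""(?i)\b[A-Z_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z_]*\s*[:=]\s*["']?(?P<value>[^\s"']{8,})"""),
}

# Values that are obviously dummies; reporting these is how you collect N/A closures.
PLACEHOLDER = re.compile(r"(?i)x+|\*+|changeme|password|example|redacted|<[^>]+>|\$\{[^}]+\}|your[_-]?\w+")

# Constructed sample checkout: one real-looking hit per pattern plus a dummy-only config.
SAMPLE_FILES = {
    ".env": "DB_HOST=prod-db-01.internal\nMYSQL_PASSWORD=Tr0ub4dor&3x\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "config.example.yml": "password: changeme\ntoken: ${API_TOKEN}\n",
    "Client.cs": 'headers["Authorization"] = "Basic dXNlcjpzM2NyZXQtcGFzcw==";\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n",
}


def scan_text(text, path="<text>"):
    """Return (path, line_no, kind, excerpt) for every line that looks like a real credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            # For "Basic <token>" only the token part is compared with the placeholder list.
            if m and not PLACEHOLDER.fullmatch(m.group("value").split()[-1]):
                findings.append((path, line_no, kind, line.strip()[:80]))
    return findings


def matched_keywords(text):
    """Which of the post's search words occur as whole tokens (also inside snake_case names)."""
    tokens = set(re.split(r"[^a-z0-9_]+", text.lower()))
    tokens |= {part for tok in tokens for part in tok.split("_")}
    return sorted(k for k in KEYWORDS if k in tokens)


def scan_tree(root):
    """Walk a checkout, dotfiles included, and return all findings sorted by path and line."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # history needs `git log -p`, not a text walk
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(text, os.path.relpath(path, root)))
    return sorted(findings)


def run_demo():
    """Write the constructed sample files to a temp dir, scan them, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, line_no, kind, excerpt in run_demo():
        print(f"{path}:{line_no}: {kind}: {excerpt}")
    print("keywords in .env:", matched_keywords(SAMPLE_FILES[".env"]))
```

Run it against a real clone by calling scan_tree on the checkout directory. The two layers matter: matched_keywords tells you which files to open first, scan_text tells you what is worth a report, and the placeholder filter is what keeps config.example.yml out of the findings even though it says "password:".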

  • The story of `Authorization` and $1500:

This is a report I sent to a private program; it was triaged, resolved and rewarded within 2 hours (I know, it is a fast team). Two months ago I decided to find something on GitHub to report to this company. While I was poking around an employee's GitHub profile I tried a lot of words and failed, but then I thought: why not look for Authorization, maybe I could find something useful? And guess what:

// fragment as found in the employee's public repository (names redacted by the author)
Dictionary<string, string> headers = new Dictionary<string, string>
{
    ["Authorization"] = "Basic 168b37ee1ce0085a2eee88fa8f5d78a7",
    ["Content-Type"] = "application/json"
};
headers["clean"] = (REDACTED);
if (branch == branch.v01 && xxxx == xxxxxxxx)
    url = "https://build-api.cloud.xxxxx.com/api/v1/orgs/xxxxxx/projects/se-demo/xxxx/mac-os-v0-1_branch_5-5/builds";

I was like, really? I was able to use this header to perform HTTP requests and retrieve some internal projects, and what made things easier was that their API documentation was available. After more digging I got an AWS bucket with the Access Key ID and Secret Access Key leaked. Bingo. Remember that a Basic Authorization value is a username and password (base64-encoded) carried in every request, so a leaked one is as sensitive as the password itself. It all happened because of the word Authorization, so add that word to your list; maybe you will find it useful one day.

  • SQL injection on a prod host:

GitHub, thank you again for such information. Did you know that you can sometimes use GitHub as a recon tool? Yes: you can search for internal domains on GitHub. Let's take privatecompany.com as an example. Suppose that after recon you find the subdomain dev.privatecompany.com, but it is useless since it returns a 401 and requires a username and password. Why not search for it on GitHub? Maybe some developer pasted an entire stack log into a repository and forgot about it. Always look for those internal subdomains; you will be impressed by the results. That is what happened to me: I found another subdomain, prodxxx-01.dev.privatecompany.com, which worked like a charm. It was PHP code and contained endpoints, one of them being:
prodxxx-01.dev.privatecompany.com/api/get_chart.php?product_id=
The endpoint felt like: "Yo, I'm vulnerable to SQL injection, please exploit me :D". No firewall, no protection, and big thanks to sqlmap. I reported this vulnerability and was rewarded.
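The recon step above, pulling internal hostnames and parameterised endpoints out of a leaked log, is easy to script. The following is an added example (my code, not the author's) that works on a constructed stack trace reusing the post's placeholder names privatecompany.com and prodxxx-01.dev.privatecompany.com; none of the hosts, paths or values are real. It lists every host under the target domain (including ones only reachable internally, such as a database host), extracts each URL that carries a query string, flags numeric or `*id` parameters as the first things to test, and builds the quote / AND 1=1 / AND 1=2 probe URLs you would try by hand before pointing sqlmap at the endpoint. It only builds the URLs; nothing is sent.

```python
#!/usr/bin/env python3
"""Recon from leaked text: hosts, endpoints, SQLi probe URLs (added example, not the post's code)."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

TARGET = "privatecompany.com"  # the post's placeholder target domain

# Constructed sample: the kind of stack trace a developer pastes into a repo and forgets.
# Hostnames reuse the post's placeholders; nothing here is a real system.
LEAKED = """\
[2017-06-02 10:14:33] production.ERROR: PDOException: SQLSTATE[42000]: Syntax error
  at /var/www/html/api/get_chart.php:41
  request: GET http://prodxxx-01.dev.privatecompany.com/api/get_chart.php?product_id=12
  referer: https://dev.privatecompany.com/dashboard?user=42&view=charts
  db: mysql://app@db-master.privatecompany.com:3306/reports
  asset: https://cdn.privatecompany.com/static/app.js
"""

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+" + re.escape(TARGET) + r")\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)


def extract_hosts(text, domain=TARGET):
    """Every hostname under `domain` mentioned anywhere in the text, sorted and de-duplicated."""
    del domain  # HOST_RE is built from TARGET; kept as a parameter for readability of calls
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(text)})


def extract_endpoints(text, domain=TARGET):
    """(base_url, {param: value}) for every URL under `domain` that has a query string."""
    endpoints = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if not parts.hostname or not parts.hostname.endswith("." + domain):
            continue
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        params = dict(parse_qsl(parts.query, keep_blank_values=True))  # keeps "product_id=" too
        if params:
            endpoints.append((base, params))
    return endpoints


def injection_candidates(endpoints):
    """Parameters worth testing first: numeric or empty values, or names ending in 'id'."""
    cands = []
    for base, params in endpoints:
        for name, value in params.items():
            if value.isdigit() or value == "" or name.lower().endswith("id"):
                cands.append((base, name))
    return cands


def probe_urls(base, params, name):
    """Quote probe plus the boolean-based pair for one parameter; the manual check before sqlmap."""
    original = params[name] or "1"
    probes = {"quote": original + "'", "true": original + " AND 1=1", "false": original + " AND 1=2"}
    urls = {}
    for label, injected in probes.items():
        urls[label] = base + "?" + urlencode(dict(params, **{name: injected}))
    return urls


if __name__ == "__main__":
    print("hosts:", extract_hosts(LEAKED))
    eps = extract_endpoints(LEAKED)
    for base, name in injection_candidates(eps):
        params = next(p for b, p in eps if b == base)
        for label, url in probe_urls(base, params, name).items():
            print(f"{name} [{label}] {url}")
```

A 'true' and 'false' response that differ from each other (and 'quote' that errors) is the signal to move on to sqlmap; identical responses mean the parameter is probably not reaching a query. The database host that falls out of extract_hosts is the kind of name you would never find from DNS.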

As you can see, a simple search led to SQL injection. There are more similar cases I reported; I remember finding third-party API keys leaked a lot, so focus on them.

Another thing I ask you to look for: dotfiles. Never miss these files; they can be very useful. That's why I prefer to search manually: you have no limits, you can search for anything you want, and as always, be creative; sometimes creativity lies in simple things. I know it can take a long time, but maybe your time is worth money.

3. What you must not report?

It is true that this kind of attack can have an unwanted impact on companies, but sometimes they have already revoked those tokens and API keys, or even passwords, before anyone exploited them, even though they are still public. In that case, why report it to the company? Yes, you are right, they are keys, but they are invalid, so it is no big deal. Likewise, if you find an internal host with a username and password but the site is down, I'm sure your report will be closed as Informative or even N/A. Also check the results from automatic tools, because they give too many false positives. So please, before you submit a report, provide a proof of concept.

4. How to protect yourself?

  • Avoid git add * commands: wildcards can easily capture local files that were never meant to be shared. Instead of wildcards, name each file you commit, or use git add -p to review each change you add.
  • Name sensitive files in .gitignore and .npmignore: git and npm support a local file listing exclusions from commits and packaging, which you can use as a safety measure against accidentally including sensitive files. GitHub's sample .gitignore files are a good source of inspiration.
  • git-secrets, a git hook that prevents committing credentials: the tool hooks git commit and aborts the commit if it includes patterns that look like credentials. This is a good content-focused safety net, complementing the filename-based protection above.
  • Encrypt secrets, or use environment variables, when publishing from CI.
  • Invalidate leaked credentials: once a secret has been public, rotate it rather than only deleting the commit, since anyone may already have cloned it.
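The git-secrets idea in one file: an added example of a pre-commit hook written in Python (my code, not git-secrets itself and not the author's) that reads the staged diff, looks only at the added lines, and refuses the commit if an AWS access key ID, a private-key header, or a hard-coded password/secret/token assignment shows up, while letting `os.environ[...]` and `${VAR}` references through, which is the CI advice above in practice. The diff it is tested on is constructed for the example.

```python
#!/usr/bin/env python3
"""Pre-commit hook: block staged credentials (added example, not git-secrets and not the post's code)."""
import re
import subprocess
import sys

# Each entry is (reason, pattern) checked against every added line of the staged diff.
BLOCKLIST = [
    ("AWS access key id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hard-coded secret", re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']?[^\s"']{8,}""")),
]
# Lines that only *reference* a secret (env var, template placeholder, dummy) are allowed.
ALLOW = re.compile(r"(?i)changeme|<[^>]+>|\$\{|os\.environ|getenv")

# Constructed staged diff: one real password, one env-var reference, one new key file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,3 @@ DEBUG = False
 DB_HOST = "db.internal"
-DB_PASSWORD = "changeme"
+DB_PASSWORD = "Tr0ub4dor&3x"
+AWS_SECRET = os.environ["AWS_SECRET"]
diff --git a/deploy/key.pem b/deploy/key.pem
new file mode 100644
--- /dev/null
+++ b/deploy/key.pem
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA
"""


def added_lines(diff_text):
    """Yield (path, new_line_no, text) for every '+' line of a unified diff."""
    path, new_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            new_no = int(re.search(r"\+(\d+)", raw).group(1))  # start line on the new side
        elif raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith(("-", "\\")):
            continue  # removed lines and "\ No newline" markers do not advance the new-file counter
        else:
            new_no += 1  # context line


def check_diff(diff_text):
    """Return (path, line_no, reason, text) for every added line that should block the commit."""
    hits = []
    for path, line_no, text in added_lines(diff_text):
        if ALLOW.search(text):
            continue
        for reason, pattern in BLOCKLIST:
            if pattern.search(text):
                hits.append((path, line_no, reason, text.strip()))
                break
    return hits


def main():
    """Read the staged diff from git and exit non-zero if anything is blocked."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    hits = check_diff(diff)
    for path, line_no, reason, text in hits:
        print(f"{path}:{line_no}: {reason}: {text}", file=sys.stderr)
    if hits:
        print("commit blocked: move the value to an environment variable or add the file to .gitignore",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit and make it executable; because it reads `git diff --cached`, only staged content is inspected, and unstaging the file clears the block. Like git-secrets, it is a net rather than a guarantee: anything that matches no pattern still goes through, which is why the closing advice below still applies.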

But I always give companies this advice:

Neither tool knows your application as well as you do, so it is best to edit these files yourself, and always keep looking for sensitive tokens or API keys.

And here we come to the end. It is my first write-up, so excuse any errors, as I'm not a native English speaker :D. If you have any suggestions, please DM me on Twitter.


Written by

Sami drif

Just another lost guy :)
