
Github security bug bounty hunting


How to secure your organization's GitHub account.
n|u - The Open security community
Chennai Meet
Presenter : Vinothkumar
Date : 27/04/2019



  1. Github Security (title slide)
  2. About Me
     ● Application security engineer @ Freshworks, Inc.
     ● Blogger @ https://tutorgeeks.blogspot.com
     ● Tweet @vinothpkumar
     ● Github @ https://github.com/tutorgeeks
  3. Agenda for the session
     1. What is Github
     2. Using Github / Github Gist search for bug bounty hunting
     3. Securing Wiki
     4. Securing Forked repos
     5. Security Audit log
     6. Post commit security check using Gitrob
     7. Pre commit security check using Git Secrets
     8. Github security best practices
  4. 1. What is Github
     ● GitHub is a code hosting platform for collaboration and version control.
     ● GitHub lets you (and others) work together on projects.
     ● 28 million users and 57 million repositories, making it the largest host of source code in the world.
     ● Parent company: Microsoft (2018–present)
     ● Written in Ruby
  5. Git Cheat Sheet [image slide]
  6. 2. Using Github search for bug bounty hunting
     GitHub code search is a great place to look for leaked credentials and private API keys. Here are a few queries you can use to find information about your target (replace example.com with the target's domain):
     ● “example.com” API_key
     ● “example.com” secret_key
     ● “example.com” aws_key
     ● “example.com” Password
     ● “example.com” FTP
     ● “example.com” login
     ● “example.com” github_token
  7. PayTM
     Query: “paytm.com” “password”
     Bounty awarded: Rs.21200
     Status: Fixed
     https://twitter.com/s4thi5h_infosec/status/1067004873663639552
  8. Snapchat
     Bounty hunter Th3G3nt3lman was awarded $15,000 after discovering and reporting a sensitive auth token that was accidentally posted by a Snapchat software engineer.
     https://medium.com/@cosmobugbounty/bounty-of-the-week-15-000-snapchat-leak-af38f882d3ac
  9. Search Github Gist [mostly ignored]
     GitHub Gist is used to instantly share code, notes, and snippets.
     ● Gists can be public or secret.
     ● A secret gist is not private: it is only hidden from search and listings, and is protected solely by the unguessable token in its URL. Anyone who has the URL can read it.
     ● Use secret gists with caution: a developer can paste the secret gist's URL (token included) somewhere public.
     Search query: site:gist.github.com “companyname”
  10. Zomato - Mandate 2FA
     ● Zomato's GitHub org was compromised using a password leaked in the 000webhost breach.
     ● The attacker used the reused credential to log in to a Zomato GitHub org account [2FA was not enforced at the time of the hack].
     ● The attacker reviewed the code base, found an RCE vulnerability and exploited it.
     ● Zomato acknowledged that the issue could easily have been avoided had they enforced 2FA.
     ● Never reuse the same credential across websites.
     https://www.zomato.com/blog/security-update-what-really-happened-and-what
  11. 3. Securing Wiki
     Repositories in a GitHub org may have world-editable wiki pages: when a public repository's wiki does not have "Restrict editing to collaborators only" enabled, any GitHub user can edit it.
     Write-up: https://www.smeegesec.com/2019/03/auditing-github-repo-wikis-for-fun-and.html
     Python script to check GitHub accounts for world-editable wiki pages: https://github.com/SmeegeSec/GitHub-Wiki-Auditor
  12. 4. Securing Forked repos
     A fork is a copy of a repository. Forking a repository allows you to freely experiment with changes without affecting the original project.
     ● A fork of a public repository is itself public, and its visibility cannot be changed afterwards.
     ● Watch out for sensitive data or PII pushed to a fork in commits or pull requests: it is visible to everyone.
     ● If you need a private working copy, do not fork. Create a private repository and push the upstream repository's contents into it.
  13. 5. Security Audit log
     ● The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.
     ● Logs are useful for debugging and for internal and external compliance.
     https://help.github.com/en/articles/reviewing-the-audit-log-for-your-organization
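Reading the audit log by hand in the web UI does not scale; the practical pattern is to export it and flag the few actions that matter. The following is an added example, not code from the slides or from GitHub: it parses a JSON or JSON-lines audit-log export, flags high-impact actions (disabling the org's 2FA requirement, making a repository public, removing branch protection, creating a webhook, adding a member, deleting a repository) and counts actions per actor. The action names are real GitHub audit-log event names, but which ones count as high-risk is a policy assumption, and the sample events are constructed for the example.

```python
"""Triage a GitHub organization audit-log export (added example, not from the slides).

Each export entry carries at least "action", "actor" and an "@timestamp" in
milliseconds. The SAMPLE_EXPORT below is constructed, not real data, and
HIGH_RISK_ACTIONS is a policy choice assumed for this example.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Audit-log actions that deserve a human look, mapped to a short reason.
HIGH_RISK_ACTIONS = {
    "org.disable_two_factor_requirement": "2FA requirement disabled for the org",
    "protected_branch.destroy": "branch protection removed",
    "hook.create": "new webhook: pushes now leave the org",
    "org.add_member": "new organization member",
    "repo.destroy": "repository deleted",
}

# Constructed sample export, one JSON event per line (JSON-lines format).
SAMPLE_EXPORT = """\
{"@timestamp": 1555750800000, "action": "repo.create", "actor": "alice", "repo": "acme/billing"}
{"@timestamp": 1555751400000, "action": "repo.access", "actor": "alice", "repo": "acme/billing", "visibility": "public"}
{"@timestamp": 1555752000000, "action": "hook.create", "actor": "bob", "repo": "acme/www"}
{"@timestamp": 1555752600000, "action": "org.disable_two_factor_requirement", "actor": "mallory", "org": "acme"}
{"@timestamp": 1555753200000, "action": "protected_branch.destroy", "actor": "carol", "repo": "acme/www"}
{"@timestamp": 1555753800000, "action": "repo.access", "actor": "alice", "repo": "acme/billing", "visibility": "private"}
{"@timestamp": 1555754400000, "action": "org.add_member", "actor": "bob", "org": "acme", "user": "dave"}
"""


def parse_audit_log(text):
    """Accept either a JSON array or a JSON-lines export and return a list of events."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(event):
    """ISO-8601 UTC time of the event; the export stores epoch milliseconds."""
    ms = event.get("@timestamp")
    if ms is None:
        return event.get("created_at", "")
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def _target(event):
    return event.get("repo") or event.get("user") or event.get("org") or ""


def flag_high_risk(events):
    """Return the events worth a human look, oldest first."""
    flagged = []
    for ev in events:
        action = ev.get("action", "")
        reason = HIGH_RISK_ACTIONS.get(action)
        # repo.access is logged for any visibility change; only the move to
        # public is the dangerous direction, so private->public is flagged and
        # public->private is not.
        if action == "repo.access" and ev.get("visibility") == "public":
            reason = "repository made public"
        if reason:
            flagged.append({"time": _when(ev), "actor": ev.get("actor", "?"),
                            "action": action, "target": _target(ev), "reason": reason})
    return sorted(flagged, key=lambda f: f["time"])


def actor_summary(events):
    """Count actions per actor; a sudden spike from one account is worth a look."""
    return Counter(ev.get("actor", "?") for ev in events)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_EXPORT)
    for f in flag_high_risk(events):
        print(f"{f['time']}  {f['actor']:<8} {f['action']:<36} {f['target']:<14} {f['reason']}")
    print(actor_summary(events).most_common())
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the per-actor counter is the cheap baseline for spotting a compromised account (as in the Zomato case above) that suddenly touches many repositories.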
  14. 6. Gitrob [post commit checks]
     ● Reconnaissance tool for GitHub organizations.
     ● It helps to find potentially sensitive files pushed to public repositories on GitHub.
     ● Gitrob will clone repositories belonging to a user or organization down to a configurable depth, iterate through the commit history and flag files that match signatures for potentially sensitive files.
     ● The findings are presented through a web interface for easy browsing and analysis.
     https://github.com/michenriksen/gitrob
     Demo:
  15. 7. Git Secrets [pre commit checks]
     Prevents you from committing secrets and credentials into git repositories.
     ● git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...]
     ● git secrets --scan-history
     ● git secrets --install [-f|--force] [<target-directory>]
     ● git secrets --list [--global]
     ● git secrets --add [-a|--allowed] [-l|--literal] [--global] <pattern>
     ● git secrets --add-provider [--global] <command> [arguments...]
     ● git secrets --register-aws [--global]
     ● git secrets --aws-provider [<credentials-file>]
     https://github.com/awslabs/git-secrets
     Demo:
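The git-secrets commands above install a hook that rejects a commit whose staged content matches a registered pattern, and the search terms from the bug-bounty slide (API_key, secret_key, password, github_token) are exactly the strings such a hook should catch before they reach a public repository. To make the pre-commit idea concrete, here is an added example, not code from the slides, from git-secrets or from Gitrob: a minimal scanner in Python that reads the staged diff, checks only the added lines against a handful of secret patterns (AWS access key IDs and secret keys, GitHub tokens, private key headers, and password/API-key assignments), honours an allow-list for documentation placeholders, and exits non-zero if anything matches. The patterns, the allow-list entries and the sample diff are assumptions made for this example.

```python
"""Minimal pre-commit secret scanner (added example; not git-secrets or Gitrob).

Run with no arguments inside a repository to scan the staged diff, or with "-"
to read a diff from stdin. The patterns, the allow-list and SAMPLE_DIFF are
assumptions made for this example, not part of the original slides.
"""
import re
import subprocess
import sys

# (name, regex). The AWS key-ID and GitHub token shapes are well-known formats;
# the assignment rules are heuristics and will produce some false positives.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(r"(?i)aws.{0,30}['\"][0-9A-Za-z/+]{40}['\"]")),
    ("github_token", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("credential_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret_key|api_key)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Known-safe literals (documentation placeholders, test fixtures). These two are
# the example credentials used throughout AWS documentation.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def scan_diff(diff_text):
    """Return (diff_line_number, pattern_name, matched_text) for each hit on an added line."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        # Only lines being added matter; "+++ b/file" is a diff header, not content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for name, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(added):
                matched = match.group(0)
                if any(safe in matched for safe in ALLOWED):
                    continue
                findings.append((line_no, name, matched))
    return findings


def staged_diff():
    """Diff of what `git commit` is about to record, with no context lines."""
    result = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample diff used to exercise the scanner; every "secret" in it is fake.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "hunter2hunter2"
-DB_PASSWORD = ""
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
 debug = True
"""


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else staged_diff()
    hits = scan_diff(text)
    for line_no, name, matched in hits:
        print(f"blocked: diff line {line_no}: {name}: {matched}")
    # A non-zero exit from .git/hooks/pre-commit aborts the commit.
    sys.exit(1 if hits else 0)
```

Installed as an executable .git/hooks/pre-commit, the hook blocks the commit and prints the offending diff lines; on the sample diff it reports the DB password assignment and the GitHub token, while the two AWS documentation placeholders pass because they are allow-listed. Like git-secrets, this only helps from the moment it is installed; anything already in history still needs a history scan (Gitrob or git secrets --scan-history) and, if found, rotation of the credential, since deleting the file does not remove it from the commit history.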
  16. 8. Github security best practices
     1. Never store credentials as code/config in GitHub.
     2. Remove sensitive data from your files and from GitHub history.
     3. Tightly control access.
     4. Add a SECURITY.md file.
     5. Validate your GitHub Applications carefully.
     6. Add security testing to PRs.
     7. Use the right GitHub offering for your security needs.
     8. Rotate SSH keys and Personal Access Tokens.
     9. Create new projects with security in mind.
     10. Audit the code/apps you use in GitHub.
     Reference: https://snyk.io/blog/ten-git-hub-security-best-practices/