Github Security
n|u - The Open security community
Chennai Meet
Presenter : Vinothkumar
Date : 27/04/2019
About Me
Application security engineer @ Freshworks, Inc.
Blogger @ https://tutorgeeks.blogspot.com
Tweet @vinothpkumar
Github @ https://github.com/tutorgeeks
Agenda for the session
1. What is Github
2. Using Github / Github Gist search for bug bounty hunting
3. Securing Wiki
4. Securing Forked repos
5. Security Audit log
6. Post commit security check using Gitrob
7. Pre commit security check using Git Secrets
8. Github security best practices
1. What is Github
● GitHub is a code hosting platform for collaboration and version control.
● GitHub lets you (and others) work together on projects.
● 28 million users and 57 million repositories making it the largest host of source code
in the world.
● Parent company : Microsoft (2018–present)
● Written in Ruby
Git Cheat Sheet
2.Using Github search for bug bounty hunting
Github is a great place to look for credentials and private API keys. Here’s a list of a few
items that you could use to find information about your target.
● “example.com” API_key
● “example.com” secret_key
● “example.com” aws_key
● “example.com” Password
● “example.com” FTP
● “example.com” login
● “example.com” github_token
PayTM
“paytm.com” “password”
Bounty awarded : Rs.21200
Status : Fixed
https://twitter.com/s4thi5h_infosec/status/1067004873663639552
Snapchat
Bounty hunter Th3G3nt3lman was awarded $15,000 after discovering and reporting a
sensitive auth token that was accidentally posted by a Snapchat software engineer.
https://medium.com/@cosmobugbounty/bounty-of-the-week-15-000-snapchat-leak-af38f882d3ac
Search Github Gist [ Mostly Ignored ]
GitHub Gist is used to instantly share code, notes, and snippets.
● Lets you create public and secret gists.
● A secret gist is only protected by the token in its URL. Use with caution when creating a
secret gist, since a developer could paste the gist URL, token included, somewhere public.
site:gist.github.com “companyname”
Zomato - Mandate 2FA
● Zomato’s Github org was compromised using a password leaked from 000webhost.
● The attacker used the credential to log in to Zomato's Github org account [2FA was not
implemented at the time of the hack].
● The attacker looked through the code base, found an RCE vulnerability and exploited it.
● Zomato acknowledged that they could easily have avoided this issue if they had
implemented 2FA.
● Avoid reusing the same credential across websites.
https://www.zomato.com/blog/security-update-what-really-happened-and-what
3.Securing Wiki
GitHub Org accounts may contain world-editable wiki pages :
https://www.smeegesec.com/2019/03/auditing-github-repo-wikis-for-fun-and.html
Python script to check GitHub accounts for world-editable wiki pages : https://github.com/SmeegeSec/GitHub-Wiki-Auditor
4.Securing Forked repos
A fork is a copy of a repository. Forking a repository allows you to freely experiment with
changes without affecting the original project.
● Forked repositories are public by default.
● Watch out for sensitive PII in a forked repo's commits / pull requests.
Instead of forking the repo, create a private repo with the forked repo's contents.
5.Security Audit log
● The audit log allows organization admins to quickly review the actions performed by
members of your organization. It includes details such as who performed the action,
what the action was, and when it was performed.
● Logs are useful for debugging and internal and external compliance.
https://help.github.com/en/articles/reviewing-the-audit-log-for-your-organization
6.Gitrob [ post commit checks ]
● Reconnaissance tool for GitHub organizations
● It helps to find potentially sensitive files pushed to public repositories on Github.
● Gitrob will clone repositories belonging to a user or organization down to a
configurable depth and iterate through the commit history and flag files that match
signatures for potentially sensitive files.
● The findings will be presented through a web interface for easy browsing and
analysis.
https://github.com/michenriksen/gitrob
Demo:
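The post-commit check described above, as an added example that is not Gitrob's own code: it walks a commit history newest-first down to a configurable depth and flags files whose extension, filename or path matches a signature. The history and the signature list are constructed for the example (the signatures are modelled on the extension/filename/path rule kinds Gitrob uses, not its full set).

```python
"""Gitrob-style post-commit scan: flag potentially sensitive files anywhere
in a repository's history by file signature (extension, filename or path).

Added example, not Gitrob's own code. The history below is constructed in
memory (what `git log --name-only` would list per commit) so it runs
offline; the signatures are an illustrative subset modelled on Gitrob's
rule kinds.
"""
import re
from dataclasses import dataclass
from posixpath import basename, splitext


@dataclass(frozen=True)
class Signature:
    part: str         # which piece of the path to test: "extension", "filename" or "path"
    pattern: str      # exact string for kind == "match", regex for kind == "regex"
    kind: str         # "match" or "regex"
    description: str  # what a hit means for the reviewer


SIGNATURES = [
    Signature("extension", "pem", "match", "Potential private key (PEM)"),
    Signature("extension", "pkcs12", "match", "PKCS#12 keystore"),
    Signature("filename", r"^id_(rsa|dsa|ecdsa|ed25519)$", "regex", "SSH private key"),
    Signature("filename", ".env", "match", "Environment file, often holds secrets"),
    Signature("filename", ".npmrc", "match", "npm config, may hold an auth token"),
    Signature("filename", r"^\.?(bash|zsh)_history$", "regex", "Shell history"),
    Signature("path", r"(^|/)\.aws/credentials$", "regex", "AWS CLI credentials file"),
]

# Constructed history, newest commit first, like `git log`. The deploy/.env
# removed in c0ffee3 is still readable from c0ffee2, which is exactly why a
# post-commit tool must walk history and not just the current tree.
HISTORY = [
    {"id": "c0ffee4", "message": "oops", "files": [".aws/credentials", "notes/.bash_history"]},
    {"id": "c0ffee3", "message": "remove deploy secrets", "files": ["deploy/.env.example"]},
    {"id": "c0ffee2", "message": "add deploy config", "files": ["deploy/.env", "deploy/server.pem"]},
    {"id": "c0ffee1", "message": "initial import", "files": ["README.md", "src/app.py"]},
]


def matches(sig, path):
    """Test one signature against one repository path."""
    if sig.part == "extension":
        value = splitext(path)[1].lstrip(".")   # ".env" has no extension, "x.pem" -> "pem"
    elif sig.part == "filename":
        value = basename(path)
    else:
        value = path
    if sig.kind == "match":
        return value == sig.pattern
    return re.search(sig.pattern, value) is not None


def scan_history(history, signatures=SIGNATURES, depth=None):
    """Walk at most `depth` commits (all when None) and return one finding per
    (commit, file, signature) hit, so a reviewer sees which commit introduced it."""
    commits = history if depth is None else history[:depth]
    findings = []
    for commit in commits:
        for path in commit["files"]:
            for sig in signatures:
                if matches(sig, path):
                    findings.append({"commit": commit["id"], "path": path,
                                     "description": sig.description})
    return findings


if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print(f"{f['commit']}  {f['path']:<24} {f['description']}")
```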
7.Git Secrets [ pre commit checks ]
Prevents you from committing secrets and credentials into git repositories
● git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...]
● git secrets --scan-history
● git secrets --install [-f|--force] [<target-directory>]
● git secrets --list [--global]
● git secrets --add [-a|--allowed] [-l|--literal] [--global] <pattern>
● git secrets --add-provider [--global] <command> [arguments...]
● git secrets --register-aws [--global]
● git secrets --aws-provider [<credentials-file>]
https://github.com/awslabs/git-secrets
Demo:
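The pre-commit check described above, as an added example that is not git-secrets' own code: it scans only the added lines of a staged diff against prohibited patterns and skips lines that also match an allowed pattern, returning the exit status a hook would use to block the commit. The patterns approximate what `git secrets --register-aws` installs, and the staged diff is constructed inline (with AWS's documented example credentials as the allow-listed values).

```python
"""git-secrets-style pre-commit check: block a commit whose added lines match
a prohibited pattern unless the line also matches an allowed pattern.

Added example, not git-secrets' own code. PROHIBITED/ALLOWED approximate the
AWS patterns `git secrets --register-aws` installs; STAGED_DIFF is constructed
so the check runs offline (a real hook would feed it `git diff --cached`).
"""
import re
import sys

PROHIBITED = [
    # AWS access key ID: known 4-char prefix followed by 16 upper-case alphanumerics.
    re.compile(r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    # AWS secret access key assigned in code/config: 40 base64-ish characters.
    re.compile(r"(?i)aws_?secret_?access_?key\s*[:=]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    # AWS account ID assigned in code/config.
    re.compile(r"(?i)aws_?account_?id\s*[:=]\s*[\"']?[0-9]{4}-?[0-9]{4}-?[0-9]{4}"),
]
# Allowed patterns suppress a hit; these are AWS's documented example credentials.
ALLOWED = [
    re.compile(r"AKIAIOSFODNN7EXAMPLE"),
    re.compile(r"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed staged diff. Line 2 is the allow-listed AWS doc example; lines 3
# and 4 look like real credentials (made up here) and must be rejected. The
# removed OLD_KEY line is not scanned: deleting a key from a file does not
# remove it from history, which is what `git secrets --scan-history` is for.
STAGED_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+aws_secret_access_key = "0123456789abcdefghijABCDEFGHIJ0123456789"
 DEBUG = False
-OLD_KEY = "AKIAZZZZZZZZZZZZZZZZ"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Service
+Credentials come from the environment, never from this repo.
"""


def is_prohibited(line, prohibited=PROHIBITED, allowed=ALLOWED):
    """A line is flagged when a prohibited pattern hits and no allowed pattern does."""
    if not any(p.search(line) for p in prohibited):
        return False
    return not any(a.search(line) for a in allowed)


def scan_diff(diff_text, prohibited=PROHIBITED, allowed=ALLOWED):
    """Return (path, new-file line number, text) for every flagged added line.
    Only '+' lines are checked, so the hook judges what the commit introduces."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):               # new-side file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):               # old-side file header
            continue
        m = HUNK_RE.match(raw)
        if m:                                    # hunk header gives the new-file start line
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            text = raw[1:]
            if is_prohibited(text, prohibited, allowed):
                findings.append((path, new_line, text.strip()))
            new_line += 1
        elif raw.startswith(" ") or raw == "":   # unchanged context line
            new_line += 1
        # '-' lines belong to the old version and are not part of the commit
    return findings


def pre_commit_hook(diff_text):
    """Exit status for the hook: 0 lets the commit through, 1 blocks it."""
    findings = scan_diff(diff_text)
    for path, line, text in findings:
        print(f"{path}:{line}: {text}")
    if findings:
        print("[ERROR] Matched one or more prohibited patterns; commit rejected.")
        print("Allow-list only known-safe values (git secrets --add --allowed <pattern>).")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(pre_commit_hook(STAGED_DIFF))
```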
8. Github security best practices
1. Never store credentials as code/config in GitHub.
2. Remove Sensitive data in your files and GitHub history
3. Tightly Control Access
4. Add a SECURITY.md file
5. Validate your GitHub Applications Carefully
6. Add Security Testing to PRs
7. Use the Right GitHub Offering for your Security Needs
8. Rotate SSH keys and Personal Access Tokens
9. Create New Projects with Security in Mind
10. Audit the code/apps you import into GitHub
Reference: https://snyk.io/blog/ten-git-hub-security-best-practices/

Editor's notes

  1. Zomato