72 lines
3.6 KiB
Markdown
72 lines
3.6 KiB
Markdown
# Github Security
|
|
|
|
## What is Github
|
|
|
|
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
|
|
|
|
### Basic Information
|
|
|
|
{% content-ref url="basic-github-information.md" %}
|
|
[basic-github-information.md](basic-github-information.md)
|
|
{% endcontent-ref %}
|
|
|
|
## External Recon
|
|
|
|
Github repositories can be configured as public, private and internal. 
|
|
|
|
* **Private** means that **only** people of the **organisation** will be able to access them
|
|
* **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it
|
|
* **Public** means that **all internet** is going to be able to access it.
|
|
|
|
In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
|
|
|
|
### Github Dorks
|
|
|
|
Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
|
|
|
|
Tools (each tool contains its list of dorks):
|
|
|
|
* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks))
|
|
* [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
|
|
* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
|
|
|
|
### Github Leaks
|
|
|
|
Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
|
|
|
|
Tools (each tool contains its list of regexes):
|
|
|
|
* [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
|
|
* [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog)
|
|
* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
|
|
* [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob)
|
|
* [https://github.com/anshumanbh/git-all-secrets](https://github.com/anshumanbh/git-all-secrets)
|
|
* [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks)
|
|
* [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
|
|
|
|
## Internal Recon
|
|
|
|
### With User Credentials
|
|
|
|
If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
|
|
|
|
Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
|
|
|
|
{% hint style="info" %}
|
|
Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
|
|
{% endhint %}
|
|
|
|
### With User SSH Key
|
|
|
|
#### GPG Keys
|
|
|
|
### With User Token
|
|
|
|
### With Oauth Application
|
|
|
|
### With Github Application
|
|
|
|
### With Malicious Github Action
|
|
|
|
### Bypassing Branch Protection
|