On-platform GitHub Reconnaissance

Aug 31, 2017

Note: Please keep in mind that none of this works unless you are signed in to GitHub.

When searching for issues related to a target, I often like to quickly look up their GitHub organization on Google.

So let’s say Gratipay says nothing about being open source. A quick Google “Gratipay GitHub” should return Gratipay’s org page on GitHub.

Then from there I am going to check which repos actually belong to the org and which are forked. You can do this by selecting the Type: dropdown on the right-hand side of the page.


Set it to Sources.

Otherwise just add the &type=source param. (https://github.com/gratipay?utf8=%E2%9C%93&q=&type=source)

Now, I am going to take a look at the different languages the projects are written in. My favourite language is Python, so I might start by focusing on Python projects, but for recon I will mostly just keep note of the different languages.

On Gratipay most projects are written in Python.


After that I will start using the GitHub search bar to look for specific keywords.

org:gratipay hmac


There are 4 main things to look out for here.

Companies share so much information about their infrastructure in issue discussions and debates. Look for domains and subdomains in those tickets.

Chris: “Oh, hey John. We forgot to add this certificate to this domain: vuln.example.com.”


Classic Chris.

Sometimes I even find team members referencing theoretical security issues that they themselves were unable to exploit. Try exploiting them, or make a note of them, as the same issue might affect another endpoint.

Also, trust me when I say I have seen people talking about actual vulns in GitHub issues and then forgetting about them.


Submit domains as your search query. Issues will sometimes discuss technical stuff related to that domain.

“Oh, that thing is running NodeJS. Yeah, it’s old and broken.”


Next, look at org members' projects. They might reveal more info too. I know that if you check Gratipay, you will see we all work on different projects and come from different backgrounds. This can help when figuring out who plays what role in a discussion on GitHub issues.

Finally, this is a fun one, and I keep finding issues like this. Check the blame and history of a file. You will see how the code developed and what the developers were thinking as they went along.
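The same searches work in reverse: an org can scan its own issue comments for the hostnames and the "we never fixed that" remarks described above before anyone else finds them. The following is an added example, not code from the original post or from Gratipay; the issue comments are constructed samples modelled on the quotes above, and example.com is assumed to be the org's own domain.

```python
import re

# Constructed sample issue comments (not real Gratipay tickets), modelled on the
# kinds of remarks the post quotes: a leaked internal hostname, a "known broken"
# component, a security concern that was parked, and harmless noise.
SAMPLE_COMMENTS = [
    "Chris: Oh, hey John. We forgot to add this certificate to this domain: vuln.example.com.",
    "That thing is running NodeJS. Yeah, it's old and broken.",
    "Could the HMAC check on the webhook be bypassed? I couldn't get it to work, parking it for now.",
    "Docs updated, see https://docs.python.org/3/ for details.",
]

# Anything that looks like a hostname: labels separated by dots, ending in a TLD-like label.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Phrases that tend to mark an unresolved security discussion (assumed list, extend as needed).
RISK_TERMS = ("vuln", "bypass", "old and broken", "certificate", "hmac",
              "secret", "token", "password", "exploit")


def find_hostnames(text, own_domains):
    """Return hostnames in text that fall under one of the org's own domains, sorted."""
    hosts = {m.group(0).lower() for m in HOST_RE.finditer(text)}
    return sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in own_domains))


def scan_comment(text, own_domains):
    """Flag a single comment: own hostnames it exposes and risk phrases it contains."""
    lowered = text.lower()
    return {
        "hosts": find_hostnames(text, own_domains),
        "terms": [t for t in RISK_TERMS if t in lowered],
    }


def scan_comments(comments, own_domains):
    """Return (index, findings) for every comment that exposes a hostname or a risk phrase."""
    findings = []
    for i, comment in enumerate(comments):
        result = scan_comment(comment, own_domains)
        if result["hosts"] or result["terms"]:
            findings.append((i, result))
    return findings


if __name__ == "__main__":
    for idx, found in scan_comments(SAMPLE_COMMENTS, ["example.com"]):
        print(f"comment {idx}: hosts={found['hosts']} terms={found['terms']}")
```

Feeding real issue text into `scan_comments` (for example, exported via the GitHub API) gives a review list for the triage team; the third sample shows why the parked HMAC concern would be flagged even though no hostname appears in it.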


There you go. Hopefully, this helps with your recon. 😄

Support my work! ☕

If you enjoyed this write-up and would like to support my work, I have a "Buy Me A Coffee" page. I am grateful for every contribution, however big or small. Thank you. :)
