On-platform GitHub Reconnaissance

August 31, 2017

Note: Please keep in mind that none of this works if you are not signed in to GitHub.

When searching for issues related to a target I often like to quickly look up their GitHub organization on Google.

So let’s say Gratipay says nothing about being open source. A quick Google search for “Gratipay GitHub” should return Gratipay’s org page on GitHub.

From there I am going to check which repos actually belong to the org and which are forks. You can do this by selecting the Type: dropdown on the right-hand side of the page.


Set it to Sources.

Alternatively, just add the &type=source param: https://github.com/gratipay?utf8=%E2%9C%93&q=&type=source

Now, I am going to take a look at the different languages that the projects are written in. My favourite language is Python so I might start focusing on Python projects, but for recon I will mostly just keep note of the different languages.

On Gratipay most projects are written in Python.

noted

After that I will start using the GitHub search bar to look for specific keywords.

org:gratipay hmac


There are 4 main sections to look out for here.

  • Repositories is nice for dedicated projects related to the keyword. For example, if the keyword is “password manager”, I might find they are building a password manager.

  • Code is the big one. You can search for classic lines of code that cause security vulnerabilities across the whole organization.

  • Commits is not usually my favourite area to look at manually, but if I see a low number I might have a quick look.

  • Issues is the second biggest and will help a lot with your recon. This is the gold mine.

Companies share so much information about their infrastructure in issue discussions and debates. Look for domains and subdomains in those tickets.

Chris: “Oh, hey John. We forgot to add this certificate to this domain: vuln.example.com.”

noted

Classic Chris.

Sometimes I even find team members referencing theoretical security issues that they themselves were unable to exploit. Try exploiting them or keep note, as the same issue might affect another endpoint.

Also, trust me when I say I have seen people discussing actual vulns in GitHub issues and then forgetting about them.


Submit domains as your search query. Issues will sometimes discuss technical stuff related to that domain.

“Oh, that thing is running NodeJS. Yeah, it’s old and broken.”

noted
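As an added example (not from the original post), here is the same set of checks in Python from the defender's side, for an org auditing its own public GitHub footprint: drop forks from a repo listing (the Type: Sources step), tally languages, build the org: search query, and pull hostnames out of issue text so each one can be checked against what is meant to be public. The API payload and issue comments are constructed samples, and example.com stands in for the org's own domain.

```python
import json
import re
from collections import Counter

# Constructed sample of what GET /orgs/{org}/repos returns, trimmed to the
# fields this audit needs. Names and languages are made up for the example.
SAMPLE_REPOS = json.loads("""[
  {"name": "gratipay.com", "fork": false, "language": "Python"},
  {"name": "inside.gratipay.com", "fork": false, "language": "Python"},
  {"name": "aspen", "fork": true, "language": "Python"},
  {"name": "www", "fork": false, "language": "JavaScript"}
]""")

# Constructed issue comments standing in for an org's issue tracker text.
SAMPLE_ISSUE_BODIES = [
    "Oh, hey John. We forgot to add this certificate to this domain: vuln.example.com.",
    "staging-api.example.com is running NodeJS. Yeah, it's old and broken.",
    "See https://github.com/gratipay/aspen for the upstream code.",
]

# Simple dotted-hostname matcher; good enough for issue prose, not a full RFC parser.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def source_repos(repos):
    """Keep only repos the org actually owns, i.e. drop forks (Type: Sources)."""
    return [r for r in repos if not r["fork"]]


def language_tally(repos):
    """Count primary languages, e.g. {'Python': 2, 'JavaScript': 1}."""
    return Counter(r["language"] for r in repos if r.get("language"))


def search_query(org, keyword):
    """Build the query you would type into the GitHub search bar, e.g. 'org:gratipay hmac'."""
    return f"org:{org} {keyword}"


def hostnames_in(bodies, own_suffix):
    """Hostnames under own_suffix mentioned in issue text, sorted and de-duplicated."""
    found = set()
    for body in bodies:
        for host in HOSTNAME_RE.findall(body):
            if host.lower().endswith(own_suffix):
                found.add(host.lower())
    return sorted(found)


if __name__ == "__main__":
    own = source_repos(SAMPLE_REPOS)
    print(language_tally(own), search_query("gratipay", "hmac"))
    print(hostnames_in(SAMPLE_ISSUE_BODIES, "example.com"))
```

Against the live API you would feed source_repos the JSON from /orgs/{org}/repos (paginated) and hostnames_in the bodies from the issues and issue-comments endpoints.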

Next, look at org members’ projects. They might reveal more info too. I know that if you check Gratipay, you will see we all work on different projects and come from different backgrounds. This can help when understanding who plays what role in a discussion on GitHub issues.

Finally, this is a fun one and I keep on finding issues like this. Check the blame and history of a file. You will see how the code developed and what the developers were thinking as they went along.


There you go. Hopefully, this helps with your recon. 😄