GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. In this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.
You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.
$ python githubcloner.py --org organization -o /tmp/output

Snyk Broker tool contributor agreement
This Snyk Broker tool Agreement (this "Agreement") applies to any Contribution you make to any Work.
This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.
"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk Broker tool repo in any manner for inclusion in any Work.
Details here: https://snyk.io/vuln/npm:moment:20161019
It takes just a 40-character-long string to block the event loop for about 20 seconds on a standard laptop, while each additional space character will double that time.
Example: moment-test.js
var m = require("moment");
m.locale("be"); // the "be" (Belarusian) locale data is what the advisory above refers to
m().format("D MMN MMMM");

Snyk CLI tool contributor agreement
This Snyk CLI tool Agreement (this "Agreement") applies to any Contribution you make to any Work.
This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.
"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk CLI tool repo in any manner for inclusion in any Work.
#!/usr/bin/env node
// run with: node sequencehunt_server.js
// info page: http://localhost:8080/info
// correct values: http://localhost:8080/check?val0=4&val1=12&val2=77&val3=98&val4=35
var http = require('http');
var url = require('url');
var TimingAttackProtectionSeconds = 3;

32C3 CTF 2015 : config.bin
Category: Forensics Points: 150 Solves: 27
Description: We have obtained what we believe is a configuration backup of an embedded device. However, it seems to be encrypted. Maybe you can help us with decryption?

32C3 CTF 2015 : Sequence Hunt
Category: Web Points: 200 Solves: 19
Description: May we interest you in a little programming exercise?

Snyk vulnerabilities database contributor agreement
This Snyk vulnerabilities database Agreement (this "Agreement") applies to any Contribution you make to any Work.
This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.
"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk vulnerability database in any manner for inclusion in any Work.