
Github Security

What is Github

(From here) At a high level, GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to it. To understand exactly what GitHub is, you need to know two connected principles:

  • Version control
  • Git

External Recon

Github repositories can be configured as public, private or internal.

  • Private means that only the owner, the collaborators and teams explicitly granted access, and the organisation owners can access it; being a member of the organisation is not enough on its own.
  • Internal means that every member of the enterprise (an enterprise may contain several organisations) can access it, but nobody outside the enterprise can.
  • Public means that anyone on the internet can read it.

If you know the user, repo or organisation you want to target, you can use github dorks to find sensitive information through GitHub's search, or clone each repo and scan it locally for leaked secrets.

Github Dorks

Github search lets you restrict a query to a scope: a user, a repo or an organisation. Therefore, with a list of strings that tend to appear next to sensitive information (variable names such as AWS_SECRET_ACCESS_KEY, file names such as .env or id_rsa), you can quickly search for potential leaks in your target without cloning anything.

Tools (each tool contains its list of dorks):

Github Leaks

Please note that github dorks are also meant to find leaks, but through GitHub's own search, which only indexes the current state of the default branch. This section is dedicated to tools that download each repo and search for sensitive information locally, walking the commit history to a configured depth, so a secret that was committed and later "removed" (but never rotated) is still found.

Tools (each tool contains its list of regexes):
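The two techniques above, scoped dorks and a local regex scan over commit history, are shown together in the following added example. It is not one of the tools the page refers to and not HackTricks' code: the dork list, the secret regexes, the entropy threshold and the two-commit sample history are all constructed for the example, and the search URL format is the one github.com uses for code search.

```python
"""Scoped GitHub dorks for a target, plus a local regex scan over commit history.
Added example, not a HackTricks tool; patterns and sample history are constructed."""
import math
import re
from collections import Counter
from urllib.parse import quote

# Qualifiers GitHub's code search accepts to restrict the scope of a query.
SCOPE_QUALIFIERS = {"user": "user:{}", "org": "org:{}", "repo": "repo:{}"}

# Starter list of strings that tend to sit next to secrets (constructed; real tools ship hundreds).
DORK_TERMS = ['"AWS_SECRET_ACCESS_KEY"', '"BEGIN PRIVATE KEY"', 'filename:.env',
              'filename:id_rsa', 'extension:pem', '"password"']


def build_dorks(scope_type, scope_name, terms=DORK_TERMS):
    """Prefix every term with the target scope, e.g. 'org:acme filename:.env'."""
    qualifier = SCOPE_QUALIFIERS[scope_type].format(scope_name)
    return [f"{qualifier} {term}" for term in terms]


def to_search_url(query):
    """Turn a dork into the github.com code-search URL that runs it."""
    return f"https://github.com/search?q={quote(query)}&type=code"


# Regexes for the local scan. 'generic_secret' captures the assigned value in group 1.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-]{12,})"),
}


def shannon_entropy(s):
    """Bits per character; placeholders like 'changeme' score low, real keys high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, min_entropy=3.5):
    """Return findings for one file. Generic matches are kept only if high-entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if pattern.groups else m.group(0)
                if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy value: almost certainly a placeholder
                findings.append({"line": lineno, "kind": kind,
                                 "value": value[:4] + "*" * (len(value) - 4)})
    return findings


def scan_history(commits, depth=None):
    """commits is newest-first, each {'commit': sha, 'files': {path: content}}.
    depth=1 scans only HEAD; depth=None walks every commit, which is what finds
    secrets that were committed and later 'removed' but never rotated."""
    results = []
    for commit in commits[:depth]:
        for path, content in commit["files"].items():
            for f in scan_text(content):
                results.append({"commit": commit["commit"], "path": path, **f})
    return results


# Constructed two-commit history: the AWS key was committed in c1 and scrubbed in c2.
SAMPLE_HISTORY = [
    {"commit": "c2", "files": {
        ".env": "AWS_REGION=eu-west-1\nAWS_ACCESS_KEY_ID=<redacted>\n"
                "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
        "config.py": "password = 'changemechangeme'\napi_key = 'q9Zp3kL8vN2xR7mT4wY6bH1c'\n",
    }},
    {"commit": "c1", "files": {
        ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    }},
]

if __name__ == "__main__":
    for dork in build_dorks("org", "acme"):
        print(to_search_url(dork))
    print("HEAD only:", scan_history(SAMPLE_HISTORY, depth=1))
    print("full history:", scan_history(SAMPLE_HISTORY))
```

Running it shows the point of the "Github Leaks" paragraph: scanning only HEAD reports the GitHub token and the high-entropy api_key but misses the AWS key, because commit c2 deleted it; walking the whole history recovers it from c1. The entropy filter drops the `changemechangeme` placeholder that a plain keyword regex would report. Against a real clone you would feed `git log -p` output, or each commit's tree, into `scan_history` in the same shape.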

Internal Recon

Github Authentication

Github offers different ways to authenticate to your account and perform actions on your behalf.

  • Web access: Accessing github.com you can log in using your username and password (plus 2FA, if enabled).
  • SSH Keys: You can register one or several public keys on your account; whoever holds the matching private key can then act on your behalf over git/SSH. https://github.com/settings/keys

Personal Access Tokens

You can generate a personal access token to give an application access to your account. When creating a personal access token the user needs to specify the permissions the token will have. Note that a leaked token bypasses the password and 2FA entirely for everything those permissions allow, so treat any token found during recon as a credential. https://github.com/settings/tokens

Oauth Applications

OAuth applications may ask you for permissions (scopes) to access part of your github information or to impersonate you to perform some actions. A common example of this functionality is the "Login with GitHub" button you might find on some platforms.

Some security recommendations:

  • An OAuth App should always act as the authenticated GitHub user across all of GitHub (for example, when providing user notifications) and with access only to the specified scopes.
  • An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user.
  • Don't build an OAuth App if you want your application to act on a single repository. With the repo OAuth scope, OAuth Apps can act on all of the authenticated user's repositories.
  • Don't build an OAuth App to act as an application for your team or company. OAuth Apps authenticate as a single user, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
  • More in here.

Github Applications

Github applications can ask for permissions to access your github information or impersonate you to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to.

Some security recommendations:

  • A GitHub App should take actions independent of a user (unless the app is using a user-to-server token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "Refreshing user-to-server access tokens."
  • Make sure the GitHub App integrates with specific repositories.
  • The GitHub App should connect to a personal account or an organization.
  • Don't expect the GitHub App to know and do everything a user can.
  • Don't use a GitHub App if you just need a "Login with GitHub" service. But a GitHub App can use a user identification flow to log users in and do other things.
  • Don't build a GitHub App if you only want to act as a GitHub user and do everything that user can do.
  • If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the workflow scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "Understanding scopes for OAuth apps."
  • More in here.
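The three token sections above (personal access tokens, OAuth app tokens and GitHub App user-to-server, installation and refresh tokens) all come down to one recon question: given a token, what is it and what can it do? The following added example answers that; it is not GitHub's or HackTricks' code. The token prefixes and the X-OAuth-Scopes response header are GitHub's documented behaviour; the scope hierarchy listed covers a few classic scopes only, and the "high risk" labels are this example's own judgement. Only `fetch_token_info` touches the network; the rest runs offline.

```python
"""Triage a GitHub token found during recon: what kind is it and what can it do?
Added example, not GitHub's or HackTricks' code. Prefixes and the X-OAuth-Scopes
header are GitHub's documented behaviour; the risk labels are this example's own."""
import json
import urllib.request

# Prefixes GitHub stamps on its tokens, so the kind is known before it is ever used.
TOKEN_TYPES = {
    "ghp_": "personal access token (classic)",
    "github_pat_": "fine-grained personal access token",
    "gho_": "OAuth app user access token",
    "ghu_": "GitHub App user-to-server token (the expiring variant comes with a ghr_ refresh token)",
    "ghs_": "GitHub App installation (server-to-server) token",
    "ghr_": "GitHub App refresh token (exchange it for a new ghu_ token)",
}

# Classic scopes that imply narrower ones; 'repo' alone reaches every repo the user can.
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:packages": {"read:packages"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Scopes worth shouting about in a report (this example's judgement, not GitHub's).
HIGH_RISK = {
    "repo": "read/write on every repository the user can reach, private ones included",
    "workflow": "edit GitHub Actions workflow files, i.e. run code in CI",
    "admin:org": "manage organisation members, teams and settings",
    "admin:public_key": "add SSH keys, a durable backdoor into the account",
    "delete_repo": "delete repositories",
}


def classify_token(token):
    for prefix, description in TOKEN_TYPES.items():
        if token.startswith(prefix):
            return description
    return "unknown prefix (possibly the older unprefixed 40-hex format)"


def parse_scopes(header_value):
    """X-OAuth-Scopes is comma-separated; absent/empty for fine-grained and App tokens."""
    return [s.strip() for s in (header_value or "").split(",") if s.strip()]


def effective_scopes(scopes):
    """Expand parent scopes so 'repo' is reported as also granting 'public_repo' etc."""
    out, todo = set(), list(scopes)
    while todo:
        s = todo.pop()
        if s not in out:
            out.add(s)
            todo.extend(SCOPE_IMPLIES.get(s, ()))
    return out


def assess_scopes(scopes):
    """Return (scope, reason) for every high-risk scope the token effectively holds."""
    return sorted((s, HIGH_RISK[s]) for s in effective_scopes(scopes) if s in HIGH_RISK)


def fetch_token_info(token):
    """Live check (network): who the token is and which classic scopes it carries."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "User-Agent": "token-triage-example"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["login"], resp.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    import sys
    token = sys.argv[1]
    print("type:", classify_token(token))
    login, scopes_header = fetch_token_info(token)
    scopes = parse_scopes(scopes_header)
    print("login:", login, "scopes:", scopes or "(none reported; probe per endpoint)")
    for scope, reason in assess_scopes(scopes):
        print(f"HIGH RISK {scope}: {reason}")
```

Usage: `python triage.py ghp_...`. A classic token or OAuth token reports its scopes in the X-OAuth-Scopes header, and `effective_scopes` makes the OAuth recommendation above concrete: a token holding `repo` also holds `public_repo`, `repo:status` and the rest, across every repository the user can reach. Fine-grained PATs and GitHub App tokens (`github_pat_`, `ghu_`, `ghs_`) return no scope header, so their reach has to be established by calling the endpoints you care about; a `ghr_` value is not usable against the API directly but can be exchanged for a fresh user-to-server token, which is why it deserves the same handling as the token itself.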
