
HADESS

Github in the wild

Foreword
Oftentimes sensitive secrets stored in a target's GitHub environment are overlooked and thus
not reported in tool output, due to the limitations of automated scanning (regex, entropy
searches, etc.).

This report was produced by Hadess; its data comes from various sources such as the Dark
Web, Deep Web forums, sellers and websites.


EXECUTIVE SUMMARY
According to GitGuardian's State of Secrets Sprawl on GitHub report, 85% of leaks occur in
developers' personal repositories and only the remaining 15% in repositories owned by
organizations.



Table of Contents
Github is Important
Some examples of secrets used offensively on GitHub
Methodology
Scan Your Org


Github is Important
Oftentimes sensitive secrets stored in a target's GitHub environment are overlooked and
thus not reported in tool output, due to the limitations of automated scanning (regex,
entropy searches, etc.). On the flip side, automated tools can output too much, making it
difficult to discern true secrets from a sea of false positives. Both failure modes matter:
a pattern that is too strict misses keys that were wrapped or stored in an unusual format,
while a loose pattern such as a bare 32-hex-character match fires on every commit hash.
According to GitGuardian's State of Secrets Sprawl on GitHub report, 85% of leaks occur in
developers' personal repositories and only the remaining 15% in repositories owned by
organizations.

[Chart: share of leaks by repository type, 0-100%; bars for Personal Repositories and Organization Repositories]


[Chart: Most common types of secrets exposed on GitHub, share per category, 0-30%]
Categories: Google Keys, Development Tools, Data Storage, Other, Messaging Systems, Cloud
Provider, Private Keys, Social Network, Version Control Platform, Collaboration Tools

[Chart: Most common types of files found exposed on GitHub, share per file type, 0-30%]
File types: Python, All Others, Javascript, Environment (.env), JSON, Properties, PEM, PHP, XML,
YAML, Typescript


Some examples of secrets used offensively on GitHub

Social Media
Platform/API: Twitter
Key Type: Access Token
Regex: [1-9][0-9]+-[0-9a-zA-Z]{40}

Platform/API: Facebook
Key Type: Access Token
Regex: EAACEdEose0cBA[0-9A-Za-z]+

Platform/API: Google YouTube
Key Type: API Key
Regex: AIza[0-9A-Za-z\-_]{35}

Platform/API: Google YouTube
Key Type: OAuth ID
Regex: [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com

Platform/API: Picatic
Key Type: API Key
Regex: sk_live_[0-9a-z]{32}

Note that the AIza pattern matches any Google API key, not only YouTube's, and that an OAuth
client ID is public by design: it only becomes a finding when the matching client secret sits
next to it.


Communications

Platform/API: MailChimp
Key Type: API Key
Regex: [0-9a-f]{32}-us[0-9]{1,2}

Cloud Provider

Platform/API: Amazon AWS
Key Type: Access Key ID
Regex: AKIA[0-9A-Z]{16}

The AKIA prefix covers long-lived IAM user keys; temporary STS credentials start with ASIA
instead. Either way the key ID alone is not usable: the 40-character secret access key, which
has no fixed prefix, usually sits on the next line of the same file.

Private Key

Key Type: RSA Private Key
Regex: -----BEGIN RSA PRIVATE KEY-----[\r\n]+(?:\w+:.+)*[\s]*(?:[0-9a-zA-Z+\/=]{64,76}[\r\n]+)+[0-9a-zA-Z+\/=]+[\r\n]+-----END RSA PRIVATE KEY-----

Key Type: EC Private Key
Regex: -----BEGIN EC PRIVATE KEY-----[\r\n]+(?:\w+:.+)*[\s]*(?:[0-9a-zA-Z+\/=]{64,76}[\r\n]+)+[0-9a-zA-Z+\/=]+[\r\n]+-----END EC PRIVATE KEY-----

Key Type: PGP Private Key
Regex: -----BEGIN PGP PRIVATE KEY BLOCK-----[\r\n]+(?:\w+:.+)*[\s]*(?:[0-9a-zA-Z+\/=]{64,76}[\r\n]+)+[0-9a-zA-Z+\/=]+[\r\n]+=[0-9a-zA-Z+\/=]{4}[\r\n]+-----END PGP PRIVATE KEY BLOCK-----

Key Type: General Private Key (PKCS#8)
Regex: -----BEGIN PRIVATE KEY-----[\r\n]+(?:\w+:.+)*[\s]*(?:[0-9a-zA-Z+\/=]{64,76}[\r\n]+)+[0-9a-zA-Z+\/=]+[\r\n]+-----END PRIVATE KEY-----

These four patterns require the Base64 body to be wrapped at 64 to 76 characters per line;
a key pasted as one long line, or an encrypted PEM with a Proc-Type/DEK-Info header that the
(?:\w+:.+)* group does not fully consume, is missed. Searching for the BEGIN header alone is
the more robust first pass.

Key Type: Bitcoin Private Key (WIF)
Regex:
^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$
5[HJK][1-9A-HJ-NP-Za-km-z]{49}\b
[KL][1-9A-HJ-NP-Za-km-z]{51}\b

The original table labels these "Private API Key", but the Base58 alphabet (no 0, O, I or l)
and the 5/K/L prefixes are those of a Wallet Import Format key: 51 characters starting with 5
for an uncompressed key, 52 starting with K or L for a compressed one.


Finance
Platform/API: Stripe
Key Type: Standard API Key
Regex: sk_live_[0-9a-zA-Z]{24}

Platform/API: Stripe
Key Type: Restricted API Key
Regex: rk_live_[0-9a-zA-Z]{24}

Platform/API: Square
Key Type: Access Token
Regex: sq0atp-[0-9A-Za-z\-_]{22}

Platform/API: Square
Key Type: OAuth Secret
Regex: sq0csp-[0-9A-Za-z\-_]{43}

Platform/API: PayPal Braintree
Key Type: Access Token
Regex: access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}

Platform/API: Amazon MWS


Key Type: Auth Token
Regex: amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}

Communications
Platform/API: Twilio
Key Type: API Key
Regex: SK[0-9a-fA-F]{32}

Platform/API: MailGun
Key Type: API Key
Regex: key-[0-9a-zA-Z]{32}


Methodology

Our secret collection methodology involves several phases to identify secrets with high
confidence.

Gcloud (BigQuery)
https://cloud.google.com/blog/topics/public-datasets/github-on-bigquery-analyze-all-the-open-source-code
BigQuery search query:
SELECT * FROM `bigquery-public-data.github_repos.files`
WHERE REGEXP_CONTAINS(path, r'[Regex]')
LIMIT 100

The `files` table holds only metadata (repo_name, ref, path, mode, id), so this query finds
candidate files by path, for example `\.pem$` or `(^|/)\.env$`; the file bodies live in the
`contents` table, joined on `id`, and scanning that table is billed by the terabyte. The
dataset is a snapshot of open-source-licensed repositories, not a live view of GitHub.

Github API
GitHub code search does not support regular expressions, so these targeted keyword queries
identify candidate files, which are then scanned offline with the patterns above. The
endpoint requires an authenticated token, indexes only the default branch of each
repository, and returns at most 1,000 results per query; add a qualifier such as org:[name]
or user:[name] to the q parameter to scope a search to the target.

curl --location --request GET 'https://api.github.com/search/code?q=[word]' \
  --header 'Authorization: Token [token]'


No.  Search Query
1    access_token
2    access_secret
3    api_key
4    client_secret
5    consumer_secret
6    customer_secret
7    user_secret
8    secret_key
9    -----BEGIN RSA PRIVATE KEY-----
10   -----BEGIN EC PRIVATE KEY-----
11   -----BEGIN PRIVATE KEY-----
12   -----BEGIN PGP PRIVATE KEY BLOCK-----
13   AKIA
14   EAA, EAACEd, EAACEdEose0cBA
15   AIza
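The two stages of the method, a keyword query against the code-search API followed by offline regex matching with the patterns from the earlier tables, as one worked example. This is added code, not part of the Hadess report or of any of the tools it lists; the `_bounded` guards, the 3.0-bit entropy threshold, and the sample search response and file contents are constructed here for illustration, and no request is sent to GitHub (only the URL is built).

```python
import json
import math
import re
from urllib.parse import urlencode

API = "https://api.github.com/search/code"


def build_search_url(word, scope=None):
    """Build the code-search URL for one of the report's query words.

    scope (e.g. 'org:example-org') limits the search to a target; without
    it GitHub searches all public code. The request still needs an
    Authorization: Token header, and only default branches are indexed.
    """
    q = word if scope is None else f"{word} {scope}"
    return f"{API}?{urlencode({'q': q})}"


def _bounded(core):
    # Refuse matches that sit inside a longer alphanumeric run (assumed
    # guard, added here; the report lists the bare patterns).
    return re.compile(r"(?<![A-Za-z0-9_])" + core + r"(?![A-Za-z0-9_])")


# (label, regex, apply entropy filter) -- regexes as listed in the report.
PATTERNS = [
    ("AWS Access Key ID", _bounded(r"AKIA[0-9A-Z]{16}"), True),
    ("Google API Key", _bounded(r"AIza[0-9A-Za-z\-_]{35}"), True),
    ("Facebook Access Token", _bounded(r"EAACEdEose0cBA[0-9A-Za-z]+"), True),
    ("Stripe Standard API Key", _bounded(r"sk_live_[0-9a-zA-Z]{24}"), True),
    ("Stripe Restricted API Key", _bounded(r"rk_live_[0-9a-zA-Z]{24}"), True),
    ("Square Access Token", _bounded(r"sq0atp-[0-9A-Za-z\-_]{22}"), True),
    ("Twilio API Key", _bounded(r"SK[0-9a-fA-F]{32}"), True),
    ("MailChimp API Key", _bounded(r"[0-9a-f]{32}-us[0-9]{1,2}"), True),
    ("MailGun API Key", _bounded(r"key-[0-9a-zA-Z]{32}"), True),
    # For PEM/PGP keys the header is the signal; its entropy is meaningless.
    ("Private Key",
     re.compile(r"-----BEGIN (?:RSA |EC |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
     False),
]


def shannon_entropy(s):
    """Bits per character. Random keys sit well above 3.0; placeholders
    such as AKIA followed by sixteen X's fall far below it."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.0):
    """Run every pattern over one file and drop low-entropy hits."""
    findings = []
    for label, rx, use_entropy in PATTERNS:
        for m in rx.finditer(text):
            ent = shannon_entropy(m.group(0))
            if use_entropy and ent < min_entropy:
                continue  # an example or placeholder value, not a live secret
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"type": label, "line": line,
                             "entropy": round(ent, 2), "match": m.group(0)})
    return findings


def scan_candidates(search_response_json, fetched):
    """Second stage: the API only yields candidate files by keyword, so the
    regexes run offline over their contents.
    `fetched` maps (repo_full_name, path) -> file text."""
    results = []
    for item in json.loads(search_response_json)["items"]:
        key = (item["repository"]["full_name"], item["path"])
        text = fetched.get(key)
        if text is None:
            continue
        for f in scan_text(text):
            results.append({"repo": key[0], "path": key[1], **f})
    return results


# Constructed sample data: a trimmed-down search response and the file
# bodies that would have been fetched for it. Nothing here is real.
SEARCH_RESPONSE = json.dumps({
    "total_count": 3,
    "items": [
        {"path": "config/settings.py", "repository": {"full_name": "example-org/billing"}},
        {"path": "deploy/id_rsa", "repository": {"full_name": "example-org/infra"}},
        {"path": "README.md", "repository": {"full_name": "example-org/docs"}},
    ],
})

FETCHED = {
    ("example-org/billing", "config/settings.py"):
        'DEBUG = False\nAWS_ACCESS_KEY_ID = "AKIAQ7PB2ZR9KM4WX6TD"\n'
        'STRIPE_SECRET = "sk_live_9aB3kQ7xLm2Pq8vR4tY6wZ1n"\n',
    ("example-org/infra", "deploy/id_rsa"):
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n",
    # Documentation placeholder: matches the AKIA regex but is not a key.
    ("example-org/docs", "README.md"):
        "Set AWS_ACCESS_KEY_ID=" + "AKIA" + "X" * 16 + " before running.\n",
}

if __name__ == "__main__":
    print(build_search_url("access_token", "org:example-org"))
    for r in scan_candidates(SEARCH_RESPONSE, FETCHED):
        print(f"{r['repo']}:{r['path']}:{r['line']} {r['type']} "
              f"(entropy {r['entropy']})")
```

The entropy filter is what keeps the README placeholder out of the report while the settings file and the PEM header are kept; it is not a substitute for validating a hit against the provider (for example an AWS GetCallerIdentity call), and documented example keys have enough entropy to pass it, so a denylist of known example values is still needed.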


Scan Your Org



GSIL

Monitor Github sensitive information leaks in near real time and send alert notifications.
https://github.com/FeeiCN/GSIL

Trufflehog
Find credentials all over the place
https://github.com/trufflesecurity/trufflehog

Git-Hound
Reconnaissance tool for GitHub code search. Finds exposed API keys using pattern
matching, commit history searching, and a unique result scoring system.
https://github.com/tillson/git-hound


About Hadess
Savior of your business in combating cyber threats
Hadess performs offensive cybersecurity services across infrastructure and software,
including vulnerability analysis, attack scenario planning, and implementation of custom
integrated preventive projects. We organize our activities around the prevention of corporate,
industrial, and laboratory cyber threats.

Contact Us

To request additional information about Hadess’s services, please fill out the form below. A
Hadess representative will contact you shortly.

Website:

www.hadess.io

Email:

Marketing@hadess.io

Phone No.

+989362181112

Company No.

+982128427515

hadess_security


Hadess
Products and Services
PWN Z1 | Audit Your Organization
Identifying and helping to address hidden weaknesses in your organization's security.

3Eye | Data Breach Search Engine
Full access to public/private data breaches to find your organization's leakage.

Blockchain Security | Smart Audit and Protection
Identifying and helping to address hidden weaknesses in your organization's security.

Red Teaming Operation | PROTECTION PRO
Fully assess your organization's threat detection and response capabilities with a simulated
cyber-attack.

HADESS
www.hadess.io
