A list of questions that bounty hunters frequently DM me about. 😄
I have a simple philosophy that I share with everyone:
- Learn to make it. Then break it!
- Read books. Lots of books.
GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.
You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.
$ python githubcloner.py --org organization -o /tmp/output
Note: Please keep in mind, that all of this does not work if you are not signed in to GitHub.
When searching for issues related to a target I often like to quickly look up their GitHub organization on Google.
So let's say Gratipay says nothing about being open source. A quick Google "Gratipay GitHub" should return Gratipay's org page on GitHub.
Then from there I am going to check what repos actually belong to the org and which are forked. You can do this by selecting the Type:
dropdown on the right hand side of the page.
Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. Broken Link Hijacking comes in two forms, reflected and stored. This issue has been exploited in the wild numerous times, but surprisingly few researchers actively look for broken links in bug bounty programs.
This post aims to give you a basic overview of the different issues that could possibly arise if a target links to an expired endpoint.
I hereby claim:
To claim this, I am signing this object:
/http://example.com | |
/%5cexample.com | |
/%2f%2fexample.com | |
/example.com/%2f%2e%2e | |
/http:/example.com | |
/?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com | |
/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com | |
/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com | |
/redirect?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com | |
/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com |
Verifying my Blockstack ID is secured with the address 1MYJhkhmKN6HFXUBpaeDfFja8j5bFR6VTr https://explorer.blockstack.org/address/1MYJhkhmKN6HFXUBpaeDfFja8j5bFR6VTr
<style>body{margin:0}.overlay{position:fixed;top:0;left:0;z-index:999;height:100vh;width:100vw;background:rgba(0,0,0,0.5)}.alert{width:300px;padding:0 20px 0 0px;position:absolute;top:50%;left:50%;transform:translate(-50%, -50%);background:#fff}.alert p{color:#000 !important;padding:45px;text-align:center;font-family:sans-serif}.ok{background:#eee;width:100%;height:30px;padding:10px 10px}.ok button{float:right;padding:0 25px;margin-right:5px}</style><div class="overlay"><div class="alert"><p>1</p><div class="ok"><button>OK</button></div></div></div> |