Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Github Recon and way to process

Aditya Shende
September 26, 2020

Github Recon and way to process

Slides of GitRecon for bug bounty by Aditya Shende

Aditya Shende

September 26, 2020

More Decks by Aditya Shende

Other Decks in Technology


  1. -Understanding codes and repo -Checking view and laziness -Date ,

    Person, Authentication -Luck Your target & mind workflow
  2. "site.com" password "site.com" key= "site.com" access token "site.com" secret key

    "site.com" st no "site.com" uri= --branch= --username= -Dmaven.javadoc.skip= 0GITHUB_TOKEN= --username= FIREBASE_KEY= ENV_KEY= END_USER_USERNAME= END_USER_Password= On point !!! Basic Dorks
  3. Wait !!! Need to verify it ? -What to check

    ? -Keys, Password, Data etc ? -Who posted data -Guy from org -Interns & Dev -Not every key is issue -Use curl for keys, Search API docs -Password ! Access it bro...
  4. GOOGLE Search on google for main org repo of github

    "ea" github High chance to get valid in main
  5. Happy ?? Wait wait wait !! -Got information ,Reported -Happy

    xD, Don't post tips instantly -You may disclose bug -People are here to ask -You cant ignore -Verify, Craft report, Send them, Wait for patch
  6. -Remote access -Employee information -DB access -No data related to

    customer -Intranet access -Default URL of projects Need of program ?
  7. Bounty Rules -Don't expect anything If you did it in

    passion, you'll get dollars -Constant Recon impotant -Recon guy's are hero
  8. VERIFY DATA Some data are intended, No bug here REPORTED

    > INVALID Don't get angry, You may lose good bonds with program YES THEY DO ACCEPT THIRD PARTY Your crafting and exploits are gold. Make it high as you can BE HUMBLE WITH PROGRAM Money going no where. Don't message constant to team Final tips