Slide 1

Git-Recon

Slide 2

WHO AM I?
Indian Bugcrowd Top 100 bug bounty hunter & trainer

Slide 3

Your target & mind workflow
- Understanding code and repos
- Checking view and laziness
- Date, person, authentication
- Luck

Slide 4

Basic Dorks - On point !!!
- "site.com" password
- "site.com" key=
- "site.com" access token
- "site.com" secret key
- "site.com" st no
- "site.com" uri=
- --branch=
- --username=
- -Dmaven.javadoc.skip=
- 0GITHUB_TOKEN=
- FIREBASE_KEY=
- ENV_KEY=
- END_USER_USERNAME=
- END_USER_Password=

Slide 5

Wait !!! Need to verify it?
- What to check?
- Keys, passwords, data etc.?
- Who posted the data?
- Guy from the org
- Interns & devs
- Not every key is an issue
- Use curl for keys, search the API docs
- Password! Access it bro...
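The dork list above and this slide's "not every key is an issue" triage describe, from the other side, what a team should catch before a commit ever reaches GitHub. The following is an added example, not from the deck, of a minimal pre-commit style check in Python: it flags the same credential-bearing assignments (GITHUB_TOKEN=, FIREBASE_KEY=, ENV_KEY=, END_USER_*, password/secret/token keys, uri=) and applies the triage, ignoring placeholders and env references and counting a URI only when it embeds user:pass. All regexes, the key list and the sample config are constructed assumptions.

```python
import re

# Key names from the deck's dork list plus generic credential words. These
# patterns are our own assumption for a pre-commit/CI check, not the deck's.
KEY_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>"
    r"GITHUB_TOKEN|FIREBASE_KEY|ENV_KEY|END_USER_USERNAME|END_USER_PASSWORD"
    r"|[A-Z0-9_]*(?:PASSWORD|SECRET_KEY|ACCESS_TOKEN|API_KEY)[A-Z0-9_]*"
    r"|(?:[A-Z0-9_]*_)?URI)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# Values that are templates or dummies, not leaks ("not every key is an issue").
PLACEHOLDER_RE = re.compile(
    r"^(?:<[^>]*>|\$\{?[A-Z_]+\}?|changeme|example|todo|x+|\*+|none|null)$",
    re.IGNORECASE,
)
# scheme://user:pass@host -> credentials embedded in a connection URI
URI_CREDS_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)

def classify(line):
    """Return (key, kind) for a line that really carries a credential, else None.
    kind: 'credential' (literal secret), 'username' (less severe) or 'uri-creds'."""
    m = KEY_RE.match(line)
    if not m:
        return None
    key, val = m.group("key"), m.group("val").strip().strip("\"'")
    if not val or PLACEHOLDER_RE.match(val):
        return None  # empty, templated or dummy value: noise, not a finding
    if key.upper().endswith("URI"):
        return (key, "uri-creds") if URI_CREDS_RE.match(val) else None
    if key.upper().endswith("USERNAME"):
        return (key, "username")
    return (key, "credential")

def scan(text):
    """Scan file content; returns [(line_no, key, kind)] for the real hits only."""
    return [(n, *r) for n, line in enumerate(text.splitlines(), 1) if (r := classify(line))]

# Constructed sample config content (not real credentials) to exercise the scan.
SAMPLE = """\
# app config
GITHUB_TOKEN=ghp_constructedSampleToken000000
FIREBASE_KEY=${FIREBASE_KEY}
ENV_KEY=changeme
END_USER_USERNAME=alice
END_USER_Password="Sup3r-Secret!"
DB_URI=postgres://app:hunter2@db.internal:5432/app
uri=https://api.example.com/v1
DEBUG=true
"""

if __name__ == "__main__":
    for n, key, kind in scan(SAMPLE):
        print(f"line {n}: {key} -> {kind}")
```

Wired into a pre-commit hook over the staged diff, a non-empty result from scan() is the signal to block the commit and rotate the value if it was already pushed.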

Slide 6

Example <3

Slide 7

GOOGLE
Search on Google for the main org repo on GitHub: "ea" github
High chance of getting valid findings in the main repo

Slide 8

Happy ?? Wait wait wait !!
- Got information, reported
- Happy xD, but don't post tips instantly
- You may disclose the bug
- People are here to ask
- You can't ignore them
- Verify, craft the report, send it, wait for the patch

Slide 9

Need of the program?
- Remote access
- Employee information
- DB access
- No data related to customers
- Intranet access
- Default URL of projects

Slide 10

Bounty Rules
- Don't expect anything. If you did it with passion, you'll get dollars
- Constant recon is important
- Recon guys are heroes

Slide 11

Final tips
- VERIFY DATA: Some data is intended to be public; no bug there
- REPORTED > INVALID: Don't get angry, you may lose good bonds with the program
- YES, THEY DO ACCEPT THIRD PARTY: Your crafting and exploits are gold. Make it as high as you can
- BE HUMBLE WITH THE PROGRAM: The money is going nowhere. Don't message the team constantly

Slide 12

Tools ???
- Gitrob
- GitHound
- Your mind
Note: I don't use tools, all my git recon is manual

Slide 13

Thank you
WANT TO FOLLOW ME? DORK IT BRUH...