kunatastic/cred-hijacking

Cred-Hijacking

A very noobish proof-of-concept of why you should use GitHub over SSH rather than HTTPS. For this demonstration, I have a very simple binary executable written in Go that could be used for credential hijacking.

So basically, when you use the github-cli tool and enter your credentials, it stores them as

https://<github_username>:<access_token>@github.com

in the ~/.git-credentials file, and anyone who can read that access_token can perform operations as you. Since the update in April 2021, GitHub treats the access token as the user's password in some places.

This tool is just for demonstration purposes.

Prerequisites

The only requirement for this project is Go; any version after 1.18 will get the job done.

GO

  • Linux and Mac-OS

    # Note: this download is go1.15.2, older than the 1.18 required above; pick a release that meets the requirement.
    wget -c https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
    sudo tar -C /usr/local -xvzf go1.15.2.linux-amd64.tar.gz
    export PATH=$PATH:/usr/local/go/bin
    export GOBIN="$GOPATH/bin"
  • Windows: use the installer here. Pheww

Setup

  1. Clone the repository 👀👀

    git clone https://github.com/kunatastic/cred-hijacking
    cd cred-hijacking

  2. Open 2 terminals and run the following commands
  • Start the server in the first terminal

    go run server/main.go

  • Start the application in the second terminal

    go run application/main.go

Building the package

go build -o build/application application/main.go
go build -o build/server server/main.go

Once the build is done, you can run the application and server from the terminal without needing Go installed.

Ending Note

How to avoid this? I am no expert here; I am just consolidating the points that I have learned so far.

  1. To avoid saving the access token permanently, you can use the "cache --timeout=<time in seconds>" helper, which keeps the token in a cache that is cleared after the timeout you specify. This method can be lengthy, since every time the cache expires you need to create a new token and paste it.

The default is 15 minutes, you can set a longer timeout with:

git config --global credential.helper "cache --timeout=3600"
  2. Another solution is to use GitHub with SSH. The whole workflow stays the same as with HTTPS; the difference is that, rather than the token being stored directly in ~/.git-credentials, the credential is an SSH key, which is much more secure. To set up the SSH key, refer to this documentation here.
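As an added example (not part of this repository), here is a small Go audit tool that parses entries in the ~/.git-credentials format shown above and reports any plaintext token without echoing it, so you can check whether the cache or SSH advice applies to your machine. The Finding type and the redaction format are my own choices; the sample token in the comments is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one plaintext credential found in a ~/.git-credentials entry.
type Finding struct{ Host, User, Redacted string }

// auditLine parses one ~/.git-credentials entry (scheme://user:secret@host) and
// reports whether it carries a plaintext secret. Blank lines, comments and
// entries without a password yield ok == false.
func auditLine(line string) (f Finding, ok bool) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return Finding{}, false
	}
	u, err := url.Parse(line)
	if err != nil || u.User == nil {
		return Finding{}, false
	}
	if secret, has := u.User.Password(); !has || secret == "" {
		return Finding{}, false
	}
	// Never echo the secret itself: audit output tends to end up in tickets and logs.
	f.Host, f.User = u.Host, u.User.Username()
	f.Redacted = fmt.Sprintf("%s://%s:<redacted>@%s", u.Scheme, f.User, u.Host)
	return f, true
}

func main() {
	home, _ := os.UserHomeDir()
	fh, err := os.Open(filepath.Join(home, ".git-credentials"))
	if err != nil { // a missing file means the "store" helper has saved nothing
		fmt.Println("no ~/.git-credentials store found:", err)
		return
	}
	defer fh.Close()
	for sc := bufio.NewScanner(fh); sc.Scan(); {
		if f, ok := auditLine(sc.Text()); ok {
			fmt.Printf("plaintext token for %s on %s: %s\n", f.User, f.Host, f.Redacted)
		}
	}
}
```

A non-empty report means the store helper is in use on that machine, and the cache timeout or SSH options above are the ways to get the token out of a plaintext file.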

Thank you

About

github-cli credential hijacking POC
