Hi everyone, my name is Muhanad Israiwi.
I'm a bug bounty hunter and a software engineering student at Amman Arab University.
This is not a write-up about how to do GitHub recon; it's more about what to do after you have found exposed information on GitHub.
Many bug hunters find information exposed through GitHub, but most of them lose the report because they can't prepare the report in a good way.
So this is more like advice than a write-up: I found information exposed on GitHub, what next?
[1] First, references that will help you understand how to do recon on GitHub
1-Your Full Map To GitHub Recon And Leaks Exposure, by @Orwa Atyat
2-GitHub Recon and Sensitive Data Exposure, by th3g3nt3lman, one of the legends in Bugcrowd
3-Interesting GitHub dorks that you can check
[+] When Reporting:
Before you report the exposed information that you found in a GitHub repository, please ask yourself these questions:
1-Repository owner: Is the owner an employee of this company or not? If yes, try to find their account on LinkedIn, or provide proof (in the report) that this owner works as an employee.
2-Exposed information: Is the exposed information new or old?
3-The impact (very important)
What can an attacker do using this information? Can the attacker affect other users or employees?
[+] My Report Closed As Not Applicable/Informative:
1-Start by asking yourself why your report was closed. Check the impact that you provided (is it enough to be considered a valid impact?). If your impact was not good enough, try to upgrade the impact and then contact the support team, or just send a comment and wait.
2-How was your report written: the way you described the information you found, the exploit and steps, and the impact.
[+] How Should I Write My Report? Try To:
1-Use Markdown
When you write your report, Markdown really affects it and how it can be read.
Markdown is a lightweight markup language that you can use to add formatting elements to plain text documents. (It will make your report easy to read and understand.)
If you don't know how to use Markdown, you can read Markdown-Cheatsheet.
2-Title: Your title should be simple, easy to understand and readable.
3-Include the GitHub file URL.
4-The data you found in the file.
5-Time of the file and data (is it old or new information?).
6-Exploit, information, actions you can do, impact.
Explaining the exploit with the impact and providing a PoC will improve your report.
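The report items above (file URL, data found, time of the file, owner, impact) can be assembled from a file's commit history. The following is an added example, not part of the original write-up; the function names, the sample log, the file path and the example.com domain are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: output of
#   git log --follow --format='%H|%aI|%ae' -- config/settings.py
# (newest first). Hashes, dates and addresses are made up.
SAMPLE_LOG = """\
3c9d2e1|2024-05-02T09:15:00+00:00|dev.two@example.com
a41f7b0|2023-11-20T16:40:12+03:00|dev.one@example.com
"""

def parse_log(text):
    """Return (sha, author_date, author_email) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        sha, date, email = line.split("|")
        rows.append((sha, datetime.fromisoformat(date), email.lower()))
    return sorted(rows, key=lambda r: r[1])

def build_report(file_url, finding, log_text, company_domain, now):
    """Render the report sections listed above as Markdown."""
    commits = parse_log(log_text)
    first, last = commits[0], commits[-1]
    age_days = (now - last[1]).days
    # An author e-mail on the company domain supports, but does not prove,
    # that the owner is an employee; add further proof in the report.
    on_domain = sorted({e for _, _, e in commits
                        if e.endswith("@" + company_domain)})
    return "\n".join([
        f"# Exposed {finding} in public GitHub repository",
        "## File URL",
        file_url,
        "## Data found",
        f"{finding} (value redacted)",
        "## Timeline",
        f"- First committed: {first[1].date()} ({first[0]})",
        f"- Last changed: {last[1].date()} ({last[0]}), {age_days} days ago",
        "## Repository owner",
        f"- Commit authors on {company_domain}: {', '.join(on_domain) or 'none'}",
        "## Impact",
        "TODO: what the information allows and who is affected",
    ])

if __name__ == "__main__":
    print(build_report("https://github.com/OWNER/REPO/blob/main/config/settings.py",
                       "API key", SAMPLE_LOG, "example.com",
                       datetime.now(timezone.utc)))
```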
[+] Remember
Bugcrowd, HackerOne, Intigriti… triage and support teams are working with you, so ask and talk with them in a respectful way, and make sure that you provide them with enough evidence to support what you are saying so they can give you the help you need.
Hope it was a helpful and good write-up. 😀
You can follow me on Twitter: https://twitter.com/IsrewyMohand
Thanks for reading.