GitHound v1.3 releases: pinpoints exposed API keys on GitHub
GitHound pinpoints exposed API keys on GitHub using pattern matching, commit history searching, and a unique result scoring system. It has earned me over $4000 applied to Bug Bounty research. Corporate and Bug Bounty Hunter use cases are outlined below.
- GitHub/Gist code searching. This enables GitHound to locate sensitive information exposed across all of GitHub, uploaded by any user.
- Generic API key detection using pattern matching, context, and Shannon entropy.
- Commit history digging to find improperly deleted sensitive information (for repositories with <6 stars)..
- Unique scoring system to emphasize confident results, filter out common false positives, and to optimize intensive repo digging.
- Options to build GitHound into your workflow, like custom regexes and results-only output mode.
Corporate: Searching for exposed customer API keys
Knowing the pattern for a specific service’s API keys enables you to search GitHub for these keys. You can then pipe matches for your custom key regex into your own script to test the API key against the service and to identify the at-risk account.
echo “api.halcorp.biz” | githound –dig –many-results –regex-file halcorp-api-regexes.txt –results-only | python halapitester.py
For detecting future API key leaks, GitHub offers Push Token Scanning to immediately detect API keys as they are posted.
Bug Bounty Hunters: Searching for leaked employee API tokens
My primary use for GitHound is for finding sensitive information for Bug Bounty programs. For high-profile targets, the –many-results hack and –languages flag are useful for scraping >100 pages of results.
echo “uberinternal.com” | githound –dig –many-results –languages common-languages.txt –threads 100
- 9bd525f Adding support for otp codes automatically
- 1ccfbee Create FUNDING.yml
- 6d5dfd2 Fix commit-history index of out bounds error (#25)
- 66924e3 Fixing gist URLs
- 10dec6e Merge branch ‘master’ of github.com:tillson/git-hound
- d106301 Merge pull request #22 from seanmarpo/smarpo–fix-gist-url
- 1d492bc Merge pull request #24 from seanmarpo/smarpo–add-totp-support
- fffcd36 Provide direct link to obtain TOTP seed value
- 9949e58 Update FUNDING.yml
- 1d0cfb8 Update FUNDING.yml
- e5754da Update FUNDING.yml
- b18095e Update README
- 4dd62e2 Update README.md
- 395e5f7 Update README.md
- 68bcce9 Update README.md
- 37f322e Update README.md
- 53fad71 Update README.md
- a548fbf Update README.md
- 00239b9 Update README.md
- e44944c Update README.md
- fda04b7 Update github.go
- 1763f91 Update programmingwords.go
- 16cc48d Update root.go
Copyright (c) 2019 Tillson Galloway