|
| 1 | +<!DOCTYPE html> |
| 2 | +<html class="writer-html5" lang="en" > |
| 3 | +<head> |
| 4 | + <meta charset="utf-8" /> |
| 5 | + <meta http-equiv="X-UA-Compatible" content="IE=edge" /> |
| 6 | + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="canonical" href="https://www.gitxray.com/awesome_features/" /> |
| 7 | + <link rel="shortcut icon" href="../img/favicon.ico" /> |
| 8 | + <title>Awesome Features 💫 - Gitxray</title> |
| 9 | + <link rel="stylesheet" href="../css/theme.css" /> |
| 10 | + <link rel="stylesheet" href="../css/theme_extra.css" /> |
| 11 | + <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github.min.css" /> |
| 12 | + |
| 13 | + <script> |
| 14 | + // Current page data |
| 15 | + var mkdocs_page_name = "Awesome Features \u0026#128171;"; |
| 16 | + var mkdocs_page_input_path = "awesome_features.md"; |
| 17 | + var mkdocs_page_url = "/awesome_features/"; |
| 18 | + </script> |
| 19 | + |
| 20 | + <!--[if lt IE 9]> |
| 21 | + <script src="../js/html5shiv.min.js"></script> |
| 22 | + <![endif]--> |
| 23 | + <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/highlight.min.js"></script> |
| 24 | + <script>hljs.highlightAll();</script> |
| 25 | +</head> |
| 26 | + |
| 27 | +<body class="wy-body-for-nav" role="document"> |
| 28 | + |
| 29 | + <div class="wy-grid-for-nav"> |
| 30 | + <nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav"> |
| 31 | + <div class="wy-side-scroll"> |
| 32 | + <div class="wy-side-nav-search"> |
| 33 | + <a href=".." class="icon icon-home"> Gitxray |
| 34 | + </a><div role="search"> |
| 35 | + <form id ="rtd-search-form" class="wy-form" action="../search.html" method="get"> |
| 36 | + <input type="text" name="q" placeholder="Search docs" aria-label="Search docs" title="Type search term here" /> |
| 37 | + </form> |
| 38 | +</div> |
| 39 | + </div> |
| 40 | + |
| 41 | + <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu"> |
| 42 | + <ul> |
| 43 | + <li class="toctree-l1"><a class="reference internal" href="../installing/">Installing Gitxray</a> |
| 44 | + </li> |
| 45 | + </ul> |
| 46 | + <ul class="current"> |
| 47 | + <li class="toctree-l1 current"><a class="reference internal current" href="#">Awesome Features 💫</a> |
| 48 | + <ul class="current"> |
| 49 | + <li class="toctree-l2"><a class="reference internal" href="#unintended-disclosures-in-contributor-profiles">Unintended disclosures in Contributor profiles 🤦</a> |
| 50 | + </li> |
| 51 | + <li class="toctree-l2"><a class="reference internal" href="#spotting-shared-co-owned-or-fake-contributors">Spotting shared, co-owned or fake Contributors 👻</a> |
| 52 | + <ul> |
| 53 | + <li class="toctree-l3"><a class="reference internal" href="#important">Important</a> |
| 54 | + </li> |
| 55 | + </ul> |
| 56 | + </li> |
| 57 | + <li class="toctree-l2"><a class="reference internal" href="#the-pr-rejection-awards">The PR Rejection Awards 🏆</a> |
| 58 | + </li> |
| 59 | + <li class="toctree-l2"><a class="reference internal" href="#fake-stars-private-repos-gone-public-and-more">Fake Stars, Private repos gone Public and more 🙈</a> |
| 60 | + </li> |
| 61 | + </ul> |
| 62 | + </li> |
| 63 | + </ul> |
| 64 | + <ul> |
| 65 | + <li class="toctree-l1"><a class="reference internal" href="../more_features/">More Features 🦾</a> |
| 66 | + </li> |
| 67 | + </ul> |
| 68 | + <ul> |
| 69 | + <li class="toctree-l1"><a class="reference internal" href="../pending_work/">Pending Work</a> |
| 70 | + </li> |
| 71 | + </ul> |
| 72 | + </div> |
| 73 | + </div> |
| 74 | + </nav> |
| 75 | + |
| 76 | + <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> |
| 77 | + <nav class="wy-nav-top" role="navigation" aria-label="Mobile navigation menu"> |
| 78 | + <i data-toggle="wy-nav-top" class="fa fa-bars"></i> |
| 79 | + <a href="..">Gitxray</a> |
| 80 | + |
| 81 | + </nav> |
| 82 | + <div class="wy-nav-content"> |
| 83 | + <div class="rst-content"><div role="navigation" aria-label="breadcrumbs navigation"> |
| 84 | + <ul class="wy-breadcrumbs"> |
| 85 | + <li><a href=".." class="icon icon-home" aria-label="Docs"></a></li> |
| 86 | + <li class="breadcrumb-item active">Awesome Features 💫</li> |
| 87 | + <li class="wy-breadcrumbs-aside"> |
| 88 | + <a href="https://github.com/kulkansecurity/gitxray/edit/master/docs/awesome_features.md" class="icon icon-github"> Edit on GitHub</a> |
| 89 | + </li> |
| 90 | + </ul> |
| 91 | + <hr/> |
| 92 | +</div> |
| 93 | + <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> |
| 94 | + <div class="section" itemprop="articleBody"> |
| 95 | + |
| 96 | + <h1 id="awesome-features">Awesome Features 💫<a class="headerlink" href="#awesome-features" title="Permanent link"></a></h1> |
| 97 | +<p>Because of the amount of data it analyzes, <code>gitxray</code> can be a bit overwhelming at first. Let's look at a few examples of potential awesome findings which can better explain why you're here and why <code>gitxray</code> is awesome ♥. </p> |
| 98 | +<h2 id="unintended-disclosures-in-contributor-profiles">Unintended disclosures in Contributor profiles 🤦<a class="headerlink" href="#unintended-disclosures-in-contributor-profiles" title="Permanent link"></a></h2> |
| 99 | +<p><code>gitxray</code> reports under a <code>user_input</code> category any user-supplied data that repository Contributors may have exposed via their GitHub accounts inadevertently. This is normally the case of PGP and SSH key name fields, which unfortunately are used by Users to record hostnames, computer models, password locations (e.g. in 1Password), or even the <em>password itself</em> to a given key (which we all know might be the same password used elsewhere). To make things more interesting, <code>gitxray</code> also identifies any "excess" data found before, or after, PGP Armored keys published in a User's GitHub account. Wondering what that data normally is? Erroneous copy/pastes from the command line while exporting in ASCII/Armored format their keys. And what might that contain? Most of the times, a shell prompt revealing a local username, a hostname and a directory path. May I remind you all of this data is Public-facing.</p> |
| 100 | +<p>You may focus specifically on these types of findings by filtering results with:</p> |
| 101 | +<pre><code class="language-py">gitxray -o https://github.com/SampleOrg -v -f user_input |
| 102 | +</code></pre> |
| 103 | +<p>or, for a specific repository (remember, <em>Verbose is always optional</em>): </p> |
| 104 | +<pre><code class="language-py">gitxray -r https://github.com/SampleOrg/SampleRepo -v -f user_input |
| 105 | +</code></pre> |
| 106 | +<h2 id="spotting-shared-co-owned-or-fake-contributors">Spotting shared, co-owned or fake Contributors 👻<a class="headerlink" href="#spotting-shared-co-owned-or-fake-contributors" title="Permanent link"></a></h2> |
| 107 | +<p>Open source projects are under attack, with malicious actors hiding in plain sight. GitHub has <a href="https://github.blog/security/vulnerability-research/security-alert-social-engineering-campaign-targets-technology-industry-employees/">released a Security alert</a> describing one of potentially many modus-operandi adopted by Threat actors. So why not panic (a bit) and see if there's anything you could do to help protect the repositories you care about?</p> |
| 108 | +<p><code>gitxray</code> reports under the <code>association</code> category information that could help identify cases of suspicious activity or identity. By fingerprinting Keys added to a profile, as well as those historically used to sign a commit, and by looking at, for example, key and account creation times, it becomes possible to cross-reference the data and link <em>(hence 'association')</em> the behavior to 2 or more accounts.</p> |
| 109 | +<p>You can focus specifically on association findings by filtering for <code>association</code> with:</p> |
| 110 | +<pre><code>gitxray -o https://github.com/SampleOrg -v -f user_input |
| 111 | +</code></pre> |
| 112 | +<p>or targetting a specific Repository with (<em>Verbose is always optional</em>):</p> |
| 113 | +<pre><code>gitxray -r https://github.com/SampleOrg/SampleRepo -v -f user_input |
| 114 | +</code></pre> |
| 115 | +<h3 id="important">Important<a class="headerlink" href="#important" title="Permanent link"></a></h3> |
| 116 | +<p>Associations MUST NOT be directly and blindly used to report fake or shadow accounts. They are automatic observations from a piece of well-intended code. Do NOT treat association results as findings directly. We must protect open-source projects by first and foremost respecting open-source developers. Ensure that any actions taken are thoughtful and based on solid evidence, not just automated associations. </p> |
| 117 | +<h2 id="the-pr-rejection-awards">The PR Rejection Awards 🏆<a class="headerlink" href="#the-pr-rejection-awards" title="Permanent link"></a></h2> |
| 118 | +<p>Another <code>gitxray</code> feature is the ability to list a TOP 3 of GitHub accounts that have tried to submit Pull Requests to the repository, which ended up closed AND NOT merged. In certain emotional scenarios, this could be paraphrased as <em>rejected PRs</em>. Kidding aside, in some cases, this could lead to identifying Contributors who have repeatedly failed at merging a very evidently unaligned piece of code to a branch (I know, it sounds unlikely for an account to try and merge backdoor.py repeatedly... but is it?).</p> |
| 119 | +<p><code>gitxray</code> will show a TOP 3 list specific to Repository Contributors and a separate list for accounts which are NOT Contributors to the Repository.</p> |
| 120 | +<p>These findings, if any exist, are reported under a <code>contributors</code> category along with additional information related to other Repository Contributors. You can focus specifically on findings from the contributors category by filtering for <code>contributors</code> with:</p> |
| 121 | +<pre><code>gitxray -o https://github.com/SampleOrg -v -f contributors |
| 122 | +</code></pre> |
| 123 | +<p>or targetting a specific Repository with (<em>Verbose is always optional</em>):</p> |
| 124 | +<pre><code class="language-bash">gitxray -r https://github.com/SampleOrg/SampleRepo -v -f contributors |
| 125 | +</code></pre> |
| 126 | +<h2 id="fake-stars-private-repos-gone-public-and-more">Fake Stars, Private repos gone Public and more 🙈<a class="headerlink" href="#fake-stars-private-repos-gone-public-and-more" title="Permanent link"></a></h2> |
| 127 | +<p>GitHub shares publicly <a href="https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28">up to 90 days of past Events</a> for any User account, which include actions such as Repository creation, Watching, Committing, Pull Requesting, and more. <code>gitxray</code> summarizes these events for you and prints them out under a <code>90d_events</code> category in the results included for each Contributor, summarized in order to reduce the amount of data listed by default. </p> |
| 128 | +<p>The summary however can be expanded into a full list of Events by merely turning on <em>Verbose mode</em> (the -v flag). Using <em>Verbose mode</em> is convenient in order to get details on <strong>WHAT</strong> was actioned upon.</p> |
| 129 | +<p>For example, Events you may come across that would be interesting include:</p> |
| 130 | +<ul> |
| 131 | +<li> |
| 132 | +<p>A user having very recently <em>switched a repository from PRIVATE to PUBLIC</em>. GitHub requires Users to tick several boxes prior to moving an existing private repository to public, lowering the chances of an unintended leak; however, a recent public repository may not have had as much attention and auditing as you would think.</p> |
| 133 | +</li> |
| 134 | +<li> |
| 135 | +<p>A user <a href="https://docs.github.com/en/rest/activity/starring?apiVersion=2022-11-28">starring</a> (originally known as <em>watching</em>) too many respositories too rapidly. This could be a tell of an account used for <a href="https://research.checkpoint.com/2024/stargazers-ghost-network/">Stargazing</a>. Or it could just be a normal human being in one of those days filled with anxiety.</p> |
| 136 | +</li> |
| 137 | +<li> |
| 138 | +<p>And more!</p> |
| 139 | +</li> |
| 140 | +</ul> |
| 141 | +<p>To find Contributors who recently switched from Private to Public a repository or who have Starred repositories, you may start with:</p> |
| 142 | +<pre><code>gitxray -o https://github.com/SampleOrg -f starred,private |
| 143 | +</code></pre> |
| 144 | +<p>And you could then enable <em>Verbose</em> (or before, you decide) and target a specific Repository Contributor to get more information:</p> |
| 145 | +<pre><code>gitxray -r https://github.com/SampleOrg/SampleRepo -v -c some_user |
| 146 | +</code></pre> |
| 147 | + |
| 148 | + </div> |
| 149 | + </div><footer> |
| 150 | + <div class="rst-footer-buttons" role="navigation" aria-label="Footer Navigation"> |
| 151 | + <a href="../installing/" class="btn btn-neutral float-left" title="Installing Gitxray"><span class="icon icon-circle-arrow-left"></span> Previous</a> |
| 152 | + <a href="../more_features/" class="btn btn-neutral float-right" title="More Features 🦾">Next <span class="icon icon-circle-arrow-right"></span></a> |
| 153 | + </div> |
| 154 | + |
| 155 | + <hr/> |
| 156 | + |
| 157 | + <div role="contentinfo"> |
| 158 | + <!-- Copyright etc --> |
| 159 | + <p>Made with ♥ by <a href="https://www.kulkan.com" target="_blank">Kulkan Security</a> - your favorite <a href="https://www.kulkan.com" target="_blank">Penetration Testing Partner</a>. |
| 160 | +</p> |
| 161 | + </div> |
| 162 | + |
| 163 | + Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. |
| 164 | +</footer> |
| 165 | + |
| 166 | + </div> |
| 167 | + </div> |
| 168 | + |
| 169 | + </section> |
| 170 | + |
| 171 | + </div> |
| 172 | + |
| 173 | + <div class="rst-versions" role="note" aria-label="Versions"> |
| 174 | + <span class="rst-current-version" data-toggle="rst-current-version"> |
| 175 | + |
| 176 | + <span> |
| 177 | + <a href="https://github.com/kulkansecurity/gitxray" class="fa fa-github" style="color: #fcfcfc"> GitHub</a> |
| 178 | + </span> |
| 179 | + |
| 180 | + |
| 181 | + <span><a href="../installing/" style="color: #fcfcfc">« Previous</a></span> |
| 182 | + |
| 183 | + |
| 184 | + <span><a href="../more_features/" style="color: #fcfcfc">Next »</a></span> |
| 185 | + |
| 186 | + </span> |
| 187 | +</div> |
| 188 | + <script src="../js/jquery-3.6.0.min.js"></script> |
| 189 | + <script>var base_url = "..";</script> |
| 190 | + <script src="../js/theme_extra.js"></script> |
| 191 | + <script src="../js/theme.js"></script> |
| 192 | + <script src="../search/main.js"></script> |
| 193 | + <script> |
| 194 | + jQuery(function () { |
| 195 | + SphinxRtdTheme.Navigation.enable(true); |
| 196 | + }); |
| 197 | + </script> |
| 198 | + |
| 199 | +</body> |
| 200 | +</html> |
0 commit comments