You’ll need your Ubuntu VM from Lab_01 or a fresh Ubuntu VM for this lab.
We pushed a plaintext password to our remote GitHub repository in the last lab. Then, we deleted it and pushed a new copy without the password present.
In the bug-bounty/cybersecurity world, API keys are the bigger problem. An API key is a bearer credential: whoever holds it can call the service as its owner, so a leaked key is no different from a leaked password. We’ll work with API keys later in this unit. For now, read this article.
- Summary: Starbucks exposed an API key that only internal developers were supposed to have access to.
- The bug bounty hunter claimed a $4,000 reward for the disclosure.
Let’s look at how a discovery like this might be made. In my case, I have an SSH session into my Ubuntu VM. Fire up that Ubuntu VM any way you like and create a folder called Lab_03:
mkdir Lab_03
cd Lab_03
Then clone your example repository with the following:
git clone <Copied Address from GitHub>


If you type ls, you should see a folder you can cd into to reach the cloned project.
cd <project_folder>
ls -alh

Here we have the magic .git folder. It holds the complete history of the repository, not just the files you see in the working tree: deleting a secret from a file and pushing again adds a new commit on top but does not remove the old one. That is why a pen tester who finds a .git folder in a directory like this will look at the commit log first.
Type:
git log

Here we can see the history of commits, newest first. Before digging into the past, let’s examine what we have in front of us in the present.
cat ExamplePython.py
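To see the whole lab in miniature without touching your GitHub repository, here is an added example (it is not part of the lab write-up) that builds a throwaway repository in a temp directory, commits a file holding a made-up password, "fixes" it in a second commit the way we did in the last lab, and then recovers the password from history the way a pen tester reviewing a cloned .git folder would. It needs git on the PATH; the repository path, the author identity, the file contents and the password value are all invented for the demonstration.

```shell
#!/bin/sh
# Added example, not the lab's own code: every name and value below is
# constructed for the demo. Requires git.

FAKE_SECRET='Tr0ub4dor&3-example'   # constructed placeholder, not a real credential

# build_repo: create a two-commit repository and print its path.
# Commit 1 hard-codes the password; commit 2 edits it out of the file,
# which is exactly what "delete it and push a new copy" does.
build_repo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.email "student@example.invalid"
        git config user.name "Lab Student"
        printf 'DB_PASSWORD = "%s"\n' "$FAKE_SECRET" > ExamplePython.py
        git add ExamplePython.py
        git commit -q -m "Add example script"
        printf 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n' > ExamplePython.py
        git commit -q -am "Remove password from script"
    ) || return 1
    printf '%s\n' "$repo"
}

# secret_lines_in_worktree: lines of the current file that hold the secret.
# grep -c exits 1 when the count is 0, so swallow that status.
secret_lines_in_worktree() {
    grep -c -F "$FAKE_SECRET" "$1/ExamplePython.py" || true
}

# secret_lines_in_history: lines across every commit's patch that hold it
# (the '+' line where it was added and the '-' line where it was removed).
secret_lines_in_history() {
    git -C "$1" --no-pager log -p | grep -c -F "$FAKE_SECRET" || true
}

# recover_original: print the file exactly as it was one commit ago.
recover_original() {
    git -C "$1" --no-pager show 'HEAD~1:ExamplePython.py'
}

# Walk-through when the file is run directly.
repo_dir=$(build_repo)
echo "commits in the clone:"
git -C "$repo_dir" --no-pager log --oneline
echo "secret lines in the current file: $(secret_lines_in_worktree "$repo_dir")"
echo "secret lines in the history:      $(secret_lines_in_history "$repo_dir")"
echo "file as of the previous commit:"
recover_original "$repo_dir"
rm -rf "$repo_dir"
```

The current file is clean, so cat alone tells you nothing; git log -p and git show <commit>:<path> are the two commands that pull the "deleted" value back out. The same holds for the repository you just cloned: whatever was pushed in the last lab is one commit down.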