Plundering treasures with Gitrob
Get Secure
Besmirched
As you can see in Figure 3, Gitrob points you to a web interface (running on the local machine on TCP port 9393), which you'll use later. The next command asks Gitrob to traverse the public repos (there should be six). The results, with clickable links (Figure 4), which you can see by directing your browser to http://localhost:9393, report any Findings that need further investigation.
Clicking on the offending .aws/credentials link at the bottom of the GUI displays the AWS credentials file (Figure 5), which looks valid, but isn't. (In this case, it's a dummy test file designed to trigger a result from Gitrob.) The pattern that was flagged as suspicious must have been present in the aforementioned signatures file [5]. Following the Findings link in the Gitrob GUI shows more detail (Figure 6), and even a link to the file.
The Gitrob CLI also gives good feedback (for CI/CD pipeline integration, among other things). Figure 7 shows Gitrob displaying the nasty finding in detail.
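To make the signature idea behind the .aws/credentials hit concrete, here is an added illustration (not Gitrob's own code or its signatures file): a few constructed path and content rules are run over a constructed checkout containing a dummy credentials file, showing how such a finding is produced before the real tool is wired into a pipeline. The key ID used is the placeholder from the AWS documentation, not a live credential.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed rules in the spirit of Gitrob's signatures: each matches either a
# repo-relative POSIX path or a single line of file content (assumption).
@dataclass(frozen=True)
class Signature:
    name: str
    part: str               # "path" or "content"
    pattern: re.Pattern

SIGNATURES = [
    Signature("AWS CLI credentials file", "path", re.compile(r"(^|/)\.aws/credentials$")),
    Signature("SSH private key file", "path", re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$")),
    Signature("AWS access key ID", "content", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

@dataclass(frozen=True)
class Finding:
    signature: str
    path: str
    line: int               # 0 for path-only matches

def scan_tree(root: Path) -> list[Finding]:
    """Walk a checked-out tree and report every signature hit, in path order."""
    findings = []
    for file in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = file.relative_to(root).as_posix()
        for sig in SIGNATURES:
            if sig.part == "path":
                if sig.pattern.search(rel):
                    findings.append(Finding(sig.name, rel, 0))
                continue
            # Content rules: decode leniently so binary files do not abort the scan
            for n, ln in enumerate(file.read_text(errors="ignore").splitlines(), 1):
                if sig.pattern.search(ln):
                    findings.append(Finding(sig.name, rel, n))
    return findings

def demo() -> list[Finding]:
    """Build a constructed repo with a dummy credentials file and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text(  # dummy test file, as on the page
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = placeholder\n")
    (root / "deploy").mkdir()
    (root / "deploy" / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n")
    (root / "README.md").write_text("# demo\nNothing sensitive here.\n")
    return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.signature}: {f.path}" + (f":{f.line}" if f.line else ""))
```

The dummy credentials file triggers both a path rule and a content rule, which is why a single file can surface as more than one finding in a tool like Gitrob.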
The End Is Nigh
As I'm sure you will appreciate, Gitrob provides extremely valuable functionality. Human mistakes, such as typos and a lack of understanding, are common in all facets of computing, and an attacker is always ready to take advantage where value or one-upmanship exists.
Scheduling Gitrob to run periodically on a serverless technology like AWS Lambda [10] to check your repositories would be a very wise move. As you develop and mature the signatures, strings, and filters you are validating with Gitrob, and potentially with other tools or your own scripts, you won't have any excuse to miss the accidental typos or faulty design decisions.
Infos
[1] Gitrob on GitHub: https://github.com/michenriksen/gitrob
[2] git-secrets: https://github.com/awslabs/git-secrets
[3] Organizations: https://help.github.com/en/articles/about-organizations
[4] Michael Henriksen: https://michenriksen.com
[5] Gitrob signatures: https://github.com/michenriksen/gitrob/blob/master/core/signatures.go
[6] "How to: Install Go 1.8 on Ubuntu 16.04" by Patrick Dahlke: https://medium.com/@patdhlk/how-to-install-go-1-8-on-ubuntu-16-04-710967aa53c9
[7] Gitrob releases: https://github.com/michenriksen/gitrob/releases
[8] Creating a personal access token for the command line: https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/
[9] Switching remote URLs from SSH to HTTPS: https://help.github.com/articles/changing-a-remote-s-url/#switching-remote-urls-from-ssh-to-https
[10] AWS Lambda: https://aws.amazon.com/lambda