An Obscure Actions Workflow Vulnerability in Google's Flank
Learn how I used a custom tool to find a Google-owned repository vulnerable to a GitHub Actions Poisoned Pipeline Execution attack and earned a $7,500 bug bounty.
The tool focused on self-hosted runners, along with post-compromise enumeration and exploitation for GitHub classic personal access tokens.

At the same time, I've been doing bug bounty hunting on the side, using regular expressions to discover injection and Pwn Request vulnerabilities. My current goal is to cut down the false positive rate by building an expression tree from each `if` check and evaluating it in the context of an external actor triggering the event.

Since Harden Runner picks up requests to anomalous URLs, instead of simply exfiltrating the encoded blob to Burp, I used the GitHub API along with a fine-grained PAT (which I quickly revoked after the PoC) to upload the GCloud application token and GITHUB_TOKEN to a secret Gist.
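The evaluation idea described above, as an added example that is my own code rather than the author's tool: a small parser for a subset of the Actions expression language, and a constructed context standing in for an outside contributor's fork PR, used to check whether a job's `if:` gate would still let that actor reach a privileged step. The repository and user names in the context are made up.

```python
import re
# Subset of the GitHub Actions expression language: strings, context paths, true/false, ==, !=, !, &&, ||, ( ).
TOKEN_RE = re.compile(r"\s*(?:('(?:[^']|'')*')|(==|!=|&&|\|\||!|\(|\))|([A-Za-z_][\w.-]*))")
LEVELS = (("||",), ("&&",), ("==", "!="))  # binary operators, lowest precedence first

def tokenize(expr):
    if TOKEN_RE.sub("", expr).strip(): raise ValueError(f"unexpected characters in {expr!r}")
    return [("str", s[1:-1].replace("''", "'")) if s else ("op", op) if op else ("name", name)
            for s, op, name in TOKEN_RE.findall(expr)]

def parse(expr):  # -> tree of ('lit', v) | ('ctx', path) | ('!', x) | (op, left, right)
    toks = tokenize(expr)[::-1]  # reversed so pop() yields the next token
    def level(n):  # precedence climbing over LEVELS; past the last level is a unary/primary
        if n == len(LEVELS): return unary()
        node = level(n + 1)
        while toks and toks[-1][0] == "op" and toks[-1][1] in LEVELS[n]:
            node = (toks.pop()[1], node, level(n + 1))
        return node
    def unary():
        kind, val = toks.pop() if toks else ("end", "end of expression")
        if (kind, val) == ("op", "!"): return ("!", unary())
        if (kind, val) == ("op", "("):
            node = level(0)
            if not toks or toks.pop() != ("op", ")"): raise ValueError("expected ')'")
            return node
        if kind == "str": return ("lit", val)
        if kind == "name": return ("lit", val == "true") if val in ("true", "false") else ("ctx", val)
        raise ValueError(f"unexpected {val!r}")
    tree = level(0)
    if toks: raise ValueError(f"trailing token {toks[-1][1]!r}")
    return tree

def evaluate(node, ctx):
    kind = node[0]
    if kind in ("lit", "ctx"): return node[1] if kind == "lit" else ctx.get(node[1], "")  # unknown paths are ''
    if kind == "!": return not evaluate(node[1], ctx)
    a = evaluate(node[1], ctx)
    if kind in ("&&", "||"):  # && needs a truthy left operand, || a falsy one, before looking at the right
        return bool(evaluate(node[2], ctx)) if bool(a) == (kind == "&&") else bool(a)
    b = evaluate(node[2], ctx)
    same = a.casefold() == b.casefold() if isinstance(a, str) and isinstance(b, str) else a == b
    return same if kind == "==" else not same  # Actions compares strings case-insensitively

# Constructed context: an outside contributor's PR from a fork (hypothetical repo and user names).
EXTERNAL_FORK_PR = {"github.repository": "example-org/app", "github.event.pull_request.author_association": "NONE",
                    "github.event.pull_request.head.repo.full_name": "outsider/app", "github.actor": "outsider"}

def external_actor_reaches(if_condition, ctx=EXTERNAL_FORK_PR):  # can an untrusted fork PR pass this gate?
    return not if_condition.strip() or bool(evaluate(parse(if_condition), ctx))
```

A gate that only excludes a bot account, or no gate at all, evaluates to true for the fork-PR context and is worth a closer look; a same-repository or author-association check evaluates to false.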