
Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:

Credit: DALL-E

Uncover Secrets, Tokens, and APIs in GitHub Repositories

Developers often commit credentials, API keys, tokens, and internal infrastructure details to public repos, or to repos that were private until a fork, a personal mirror, or a visibility change exposed them. Here's how to mine GitHub for them systematically in bug bounties.

1. Recon: Know Your Target's GitHub Footprint

Why: Organizations often have multiple GitHub accounts, legacy repos, or internal tools exposed.

Tactics & Dork Examples:

Search for all repos under the organization "TargetCompany":

gh api -X GET search/repositories -f q='org:"TargetCompany"'

Find commits authored from a company address. GitHub search does not support wildcards, so author-email:*@target.com returns nothing useful; use a concrete address gathered during recon (jane@target.com is a placeholder):

gh api -X GET search/commits -f q='author-email:jane@target.com'

Search for users whose profile email is on the target domain (in:email is a substring match, so no wildcard is needed), then look at their personal repos:

gh api -X GET search/users -f q='target.com in:email'

Pro Tip: The GitHub CLI (gh) sends your token with every call after gh auth login. That is a requirement here rather than a convenience: the search/code endpoint rejects unauthenticated requests, and search has its own rate limit (10 requests per minute for code search), so scope queries with org: or repo: and paginate instead of hammering the endpoint.

2. Advanced GitHub Search Operators (Qualifiers)

Why: GitHub's native search is powerful but underutilized. Qualifiers such as filename:, extension:, path: and language: narrow results to high-value files. The REST search/code endpoint used here takes the legacy qualifiers shown below (no wildcards; path: is a directory prefix), which differ from the newer web code search syntax, so a query that works in the browser may need rewriting for the terminal.

Key Search Modifiers (Terminal Examples):

Search for .env files in the target's repos containing "API_KEY"

gh api -X GET search/code -f q='org:TargetCompany filename:.env "API_KEY"'

Find AWS access key IDs in JSON files (run it again with extension:yml for YAML):

gh api -X GET search/code -f q='org:TargetCompany extension:json "aws_access_key_id"'

Hunt for private keys (PEM files). Scope it with org: or repo:, otherwise it searches all of GitHub and most hits will be out of scope. EC and OpenSSH keys use "BEGIN EC PRIVATE KEY" and "BEGIN OPENSSH PRIVATE KEY" headers, so search for "PRIVATE KEY" when you want all of them:

gh api -X GET search/code -f q='org:TargetCompany extension:pem "BEGIN RSA PRIVATE KEY"'

Search for passwords in config files

gh api -X GET search/code -f q='path:config password'

Pro Tip: Combine filename: with language: for precision, but only when GitHub's language detection actually classifies the file that way: filename:.env language:shell throws away the .env hits you want, because .env files are not detected as shell. A pair like filename:settings.py language:python is safe.

3. Hunting Internal APIs & Endpoints

Why: Internal API endpoints exposed in code can lead to SSRF, auth bypass, or data leaks.

Terminal Dorks for APIs:

Find Swagger/OpenAPI docs:

gh api -X GET search/code -f q='filename:swagger.json "host": "api.target.com"'

Search for internal URLs in JavaScript:

gh api -X GET search/code -f q='language:js "https://internal.api.target.com"'

Hunt for GraphQL endpoints:

gh api -X GET search/code -f q='path:/graphql "query {"'

4. GitHub Actions & Workflows

Why: Workflow files are supposed to reference ${{ secrets.* }}, but hard-coded cloud credentials (AWS, GCP, etc.), registry passwords and service-account key files still get committed alongside them.

Terminal Commands for Actions:

Search for AWS keys in GitHub Actions files (legacy search has no wildcards, so scope by directory and extension instead of *.yml):

gh api -X GET search/code -f q='org:TargetCompany path:.github/workflows extension:yml "aws-access-key-id"'

Find Google Cloud service-account credentials in YAML (key files are usually JSON, so repeat the query with extension:json):

gh api -X GET search/code -f q='language:yaml "type: service_account"'

Hunt for exposed Docker Hub passwords in workflow files:

gh api -X GET search/code -f q='org:TargetCompany path:.github/workflows extension:yml DOCKER_PASSWORD'
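The searches above tell you where a workflow file is; whether a hit matters depends on the value next to the key. The following checker is an added example, not code from the original post: it flags credential-bearing keys whose value is a literal rather than a ${{ secrets.* }} reference, and runs over a constructed weak workflow and its fixed counterpart. The action names (aws-actions/configure-aws-credentials, docker/login-action) are real; the key list, the hunter2 password and the IAM role ARN are made up, and the AWS values are Amazon's documentation example keys.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: flag credential-bearing keys
# in a GitHub Actions workflow whose value is a literal instead of a
# ${{ secrets.* }} reference.  Usage: find_inline_creds .github/workflows/ci.yml
set -u

# Keys that should never carry a literal value. Hypothetical starter list;
# extend it for the actions your target actually uses.
CRED_KEYS='aws-access-key-id|aws-secret-access-key|password|token|DOCKER_PASSWORD|GOOGLE_CREDENTIALS|credentials_json'

# find_inline_creds [FILE]: print "lineno:  key: value" for every matching
# key whose value is not a ${{ secrets.* }} / ${{ github.token }} reference
# and is not empty (block scalars follow on later lines). Reads stdin when
# FILE is omitted; exits 0 even when nothing is found.
find_inline_creds() {
    grep -En "^[[:space:]]*(${CRED_KEYS})[[:space:]]*:" "${1:--}" \
        | grep -Ev '\$\{\{[[:space:]]*(secrets\.|github\.token)' \
        | grep -Ev ':[[:space:]]*$' \
        || true
}

# demo_weak_workflow: constructed workflow with the anti-pattern. The AWS
# values are Amazon's documentation example keys, not real credentials.
demo_weak_workflow() {
    cat <<'EOF'
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: AKIAIOSFODNN7EXAMPLE
          aws-secret-access-key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
          aws-region: us-east-1
      - name: push image
        env:
          DOCKER_PASSWORD: hunter2-do-not-do-this
        run: echo "$DOCKER_PASSWORD" | docker login -u deploybot --password-stdin
      - uses: docker/login-action@v3
        with:
          username: deploybot
          password: ${{ secrets.DOCKERHUB_TOKEN }}
EOF
}

# demo_fixed_workflow: the same pipeline with no long-lived credential in the
# file. AWS access comes from OIDC federation (the role ARN is made up), the
# registry password from a repository secret.
demo_fixed_workflow() {
    cat <<'EOF'
name: deploy
on: push
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
          aws-region: us-east-1
      - uses: docker/login-action@v3
        with:
          username: deploybot
          password: ${{ secrets.DOCKERHUB_TOKEN }}
EOF
}

# Check the two samples when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    echo "weak workflow:";  demo_weak_workflow  | find_inline_creds
    echo "fixed workflow:"; demo_fixed_workflow | find_inline_creds
fi
```

The weak sample produces three hits (both AWS values and the DOCKER_PASSWORD env entry) and the fixed one none. Note that the fix removes the AWS key entirely in favour of OIDC federation (id-token: write plus role-to-assume), which is the stronger recommendation to put in a report than "move it to a secret": there is then no long-lived key to leak.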

5. Pro Tips & Automation

Pull the latest commits of a repo and show each diff (replace OWNER/REPO). git show reads the local object store, so run this inside an up-to-date clone; the API returns the newest 30 commits per page, so for real monitoring record the newest SHA and diff against it on the next run:

git fetch --quiet && gh api repos/OWNER/REPO/commits --jq '.[].sha' | xargs -I {} git show {}

Search a user's Gists for passwords/tokens. The search/code API does not index gists (user:TargetCompany password only searches that account's repositories), so list the public gists and grep their raw files instead (replace USERNAME):

gh api --paginate users/USERNAME/gists --jq '.[].files[].raw_url' | xargs -n 1 curl -s | grep -iE 'password|token|secret'

Regex search for JWTs in a local clone. Scan the history as well as the working tree, since a token removed in a later commit is still in the object store:

grep -Ero --exclude-dir=.git 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' .
git log -p --all | grep -Eo 'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
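Sections 1 and 5 together describe one workflow: enumerate the target's repositories, then grep not just the working tree but the whole commit history. This added example, not code from the original post, wires that up with gh and git and includes a small stream scanner for well-known token formats plus a constructed git log -p sample. The organisation name, the ./mirrors directory and the ghscan.sh filename are placeholders; the AWS key in the sample is Amazon's documentation example, and every other value is fabricated.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. It enumerates a target org's
# repositories with gh, mirror-clones them and greps every commit on every ref
# for well-known secret formats, so a key that was committed and deleted a
# minute later still shows up. The network steps need `gh auth login`;
# scan_secrets itself runs offline on any text.
set -u

# "label:regex" pairs. Kept narrow so every hit deserves a manual look.
# AKIA..., gh?_..., xox?-... and "-----BEGIN ... PRIVATE KEY-----" are the
# documented formats; the JWT line is the base64url header.payload.signature
# shape, with a minimum segment length to skip short false positives.
SECRET_PATTERNS='
aws_access_key_id:AKIA[0-9A-Z]{16}
github_token:gh[pousr]_[A-Za-z0-9]{36}
slack_token:xox[baprs]-[0-9A-Za-z-]{10,}
jwt:eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}
private_key:-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
'

# scan_secrets: read text on stdin, print "label<TAB>match", one line per
# distinct hit per label.
scan_secrets() {
    local input line label regex hit
    input=$(cat)
    printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r line; do
        case "$line" in '' | '#'*) continue ;; esac
        label=${line%%:*}
        regex=${line#*:}
        # -e so a regex beginning with "-----" is not parsed as an option
        printf '%s\n' "$input" | grep -Eo -e "$regex" | sort -u \
            | while IFS= read -r hit; do printf '%s\t%s\n' "$label" "$hit"; done
    done
}

# code_search 'QUERY': repo:path of every file matching a legacy code-search
# query. The endpoint needs a token, allows 10 requests/min and returns at
# most 1000 results per query, so scope with org:/repo: rather than paging
# through all of GitHub.
code_search() {
    gh api -X GET search/code -f q="$1" --paginate \
        --jq '.items[] | "\(.repository.full_name):\(.path)"'
}

# list_org_repos ORG: every repository owned by ORG that your token can see
# (public ones if you are not a member), paginated past the default 30.
list_org_repos() {
    gh api --paginate "orgs/$1/repos" --jq '.[].full_name'
}

# scan_org ORG DIR: mirror-clone each repo into DIR and scan all refs.
# --mirror fetches every branch and tag; deleted secrets often survive on
# stale feature branches that a default-branch clone never pulls.
scan_org() {
    local org=$1 dir=$2 repo path
    mkdir -p "$dir"
    list_org_repos "$org" | while IFS= read -r repo; do
        path="$dir/${repo#*/}.git"
        [ -d "$path" ] || git clone --quiet --mirror "https://github.com/$repo" "$path"
        git -C "$path" log -p --all --no-color | scan_secrets \
            | awk -v r="$repo" '{ print r "\t" $0 }'
    done
}

# demo_input: constructed sample shaped like `git log -p` output. All values
# are fabricated; the AWS key is Amazon's documentation example key.
demo_input() {
    cat <<'EOF'
commit 1111111111111111111111111111111111111111
    remove leaked credentials from .env

-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
commit 2222222222222222222222222222222222222222
    add ci config

+SLACK_BOT_TOKEN=xoxb-1234567890-abcdefghij
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEowIBAAKCAQEA...
+auth=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlX2Zha2U
EOF
}

# Live scan only when explicitly asked, so the file can be sourced or tested
# offline:  ./ghscan.sh --org TargetCompany ./mirrors
if [ "${1:-}" = "--org" ] && [ -n "${2:-}" ]; then
    scan_org "$2" "${3:-./mirrors}"
fi
```

scan_secrets is deliberately a filter: pipe git log -p --all into it for history, or cat a single file for a quick look. On the sample it reports five hits, including the AWS key and GitHub token that the first commit deleted; a grep over the checked-out tree would have found neither. Treat each hit as a lead rather than a finding, and report it with the commit SHA and path so the owner can rotate the key and purge the history.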

I look forward to sharing what I've learned while exploring the ever-evolving world of cybersecurity and bug bounties. Let's hunt some bugs!

Thank you for reading the blog! Do follow and comment on what specific type of write-up you want next.

You can also follow me on Twitter & LinkedIn for more such tips & tricks.

Follow & subscribe for daily write-up updates via mail on Medium
