AWS CodeBuild can trigger a build when a pull request is opened against specific GitHub repos. The main protection against untrusted contributors triggering builds is a regex filter that checks the ACTOR_ID of the account that made the PR. The validation is as follows: 16024985|755743|.... The | symbol is an OR operation in regex, so the pattern is effectively a list of allowed account IDs.
The regex above isn't anchored with ^ and $. In practice, this means any account whose ID merely contains one of these values as a substring would be approved by the filter. So, can a GitHub user ID contain one of the values in the regex?
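To make the anchoring bug concrete, here is an added example (not code from the original writeup or from AWS) that models the filter with Python's re.search, since the page states the pattern is matched as a substring. It compares the unanchored allowlist with a half-anchored form that is still broken (^ and $ bind only to the outer alternatives) and with the correctly grouped form; the two allowlisted IDs and the candidate actor IDs are constructed sample values.

```python
import re

# Constructed allowlist in the shape the page describes: IDs joined by '|'.
ALLOWED_IDS = ["16024985", "755743"]

# Three ways of writing the same allowlist; only the last one is correct.
UNANCHORED = "|".join(ALLOWED_IDS)                                      # 16024985|755743
HALF_ANCHORED = "^" + "|".join(ALLOWED_IDS) + "$"                       # ^16024985|755743$
GROUPED = "^(?:" + "|".join(re.escape(i) for i in ALLOWED_IDS) + ")$"   # ^(?:16024985|755743)$


def filter_allows(pattern: str, actor_id: str) -> bool:
    """Model of the webhook filter (assumption: search semantics, as the page
    describes): the pattern only has to match somewhere inside the actor ID."""
    return re.search(pattern, actor_id) is not None


def ids_accepted(pattern: str, candidate_ids: list[str]) -> list[str]:
    """Return every candidate actor ID the given pattern would let through."""
    return [i for i in candidate_ids if filter_allows(pattern, i)]


# Constructed candidates: the two genuine allowlisted IDs, plus three IDs that
# merely contain an allowlisted value as a prefix, a suffix or in the middle.
CANDIDATES = ["16024985", "755743", "160249850", "9755743", "27557431"]

if __name__ == "__main__":
    for name, pat in [("unanchored", UNANCHORED),
                      ("half-anchored", HALF_ANCHORED),
                      ("grouped", GROUPED)]:
        print(f"{name:14} {pat:24} accepts {ids_accepted(pat, CANDIDATES)}")
```

The unanchored pattern accepts all five candidates and the half-anchored one still accepts four; only the grouped, fully anchored pattern restricts the filter to the two listed IDs.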
From their research, about 200K IDs are made per day. In practice, that means an ID containing one of these values comes up roughly every 5 days. Still, there's a bit of a race here, so it's necessary to create a lot of accounts at once. Standard account creation is rate limited, so that didn't work. The GitHub Enterprise API can create organizations, which share the same ID space, but sadly this couldn't be used because orgs can't create PRs.
The GitHub App manifest flow can interact with pull requests as a bot user. This allowed for the creation of hundreds of apps at once, then visiting each confirmation page so the IDs were created simultaneously, which made winning the race condition much smoother. They waited until the live ID was about 100 away from a target value and then visited 200 URLs at once. They were able to obtain a matching ID for many of these open GitHub repos.
With the ability to make PRs that run inside the build process, they could do a classic pwn request: create a PR that, once built, extracts GitHub credentials from the build environment. With a personal access token (PAT), an attacker had full admin privileges over the repository. Which repo was at risk? The AWS SDK JavaScript library. Since so many environments depend on it, a backdoor in this package would have compromised a large percentage of the Internet.
A severe attack: a small CI/CD misconfiguration escalated into an Internet-compromising bug. Backdoored packages feel impossible to stop right now, which is what makes this so terrifying.