Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mortenson/pr-sneaking

A repository demonstrating how you can sneak malicious code into Github PRs
https://github.com/mortenson/pr-sneaking

Last synced: about 2 months ago
JSON representation

A repository demonstrating how you can sneak malicious code into Github PRs

Host: GitHub
URL: https://github.com/mortenson/pr-sneaking
Owner: mortenson
Created: 2017-05-28T21:37:44.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2017-05-29T22:30:02.000Z (over 7 years ago)
Last Synced: 2024-09-26T02:09:07.499Z (4 months ago)
Language: CSS
Size: 90.8 KB
Stars: 11
Watchers: 4
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: readme.md
- Changelog: CHANGELOG.md

Awesome Lists containing this project

awesome-cicd-attacks - PR sneaking - Methods of sneaking malicious code into GitHub pull requests. (Techniques / Defense Evasion)
awesome-cicd-attacks - PR sneaking - Methods of sneaking malicious code into GitHub pull requests. (Techniques / Defense Evasion)

README

# pr-sneaking

This repository exists to demonstrate methods of sneaking malicious code into
Github pull requests.

While there has never been a real-world example of this kind of attack before,
it makes sense to me as an exploit vector. If you want to compromise thousands
of sites using XSS, all you would have to do is get one piece of malicious code
committed to a common npm package. If your targets are using an automated
build, you could see your exploit released the day after the npm package
releases.

So far I only have two methods of hiding malicious code in a Github PR, but I
welcome contribution!

## Example 1: Manually add exploit into minified/compiled code

In [pull request #1](https://github.com/mortenson/pr-sneaking/pull/1), I fix a
legitimate bug in the source code, but after compiling the source with bower, I
manually edit the minified JS and add the code `alert('foo')`. By using the
Github interface, can you spot the code without using your browser's search?

This seems trivial, but if you can find a file that is rarely compiled, the
code you sneak in could live there for a long time.

## Example 2: Add NULL character and exploit to any file

Github, and Git for that matter, don't like NULL characters in source code. If
you run `git diff` in your command line after adding a NULL character to a
file, it doesn't output anything.

Github has a slightly different behavior, where files with NULL characters are
displayed as "Binary file not shown", even if their file type is normal.

In [pull request #2](https://github.com/mortenson/pr-sneaking/pull/2), I add an
easily-committable change to source, but manually add an exploit and a NULL
character to a compiled file. Looking at the diff in Github, would you spot the
issue? If so, would you still spot it if dozens of files, including binary
files were changed?