id: github-personal-access
info:
name: GitHub Personal Access Token
author: DhiyaneshDK
severity: high
reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/crates/noseyparker/data/default/builtin/rules/github.yml
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
- https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
metadata:
verified: true
max-request: 1
tags: github,token,exposure,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
name: token
regex:
- '\b(ghp_[a-zA-Z0-9]{36})\b'
internal: true
- raw:
- |
@Host: https://api.github.com:443
GET /user HTTP/1.1
Host: api.github.com
Authorization: Basic {{base64('user:' + token)}}
disable-path-automerge: true
matchers:
- type: word
part: body
words:
- '"login":'
- '"avatar_url":'
condition: and
extractors:
- type: dsl
dsl:
- token
# digest: 490a0046304402200611eb7cbace5c31561eb746c856249540500b8a9f4375b225c3114ddd4be190022030c6d2fbe1917becec3936029205f557244c40b48266b3fb2cfb19f1fb311a70:922c64590222798bb761d5b6d8e72950