
```
└─# curl -H "Authorization: token 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" https://api.github.com/user
{
"login": "studocu-ci-user",
"id": 44834902,
"node_id": "MDQ6VXNlcjQ0ODM0OTAy",
"avatar_url": "https://avatars.githubusercontent.com/u/44834902?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/studocu-ci-user",
"html_url": "https://github.com/studocu-ci-user",
"followers_url": "https://api.github.com/users/studocu-ci-user/followers",
"following_url": "https://api.github.com/users/studocu-ci-user/following{/other_user}",
"gists_url": "https://api.github.com/users/studocu-ci-user/gists{/gist_id}",
"starred_url": "https://api.github.com/users/studocu-ci-user/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/studocu-ci-user/subscriptions",
"organizations_url": "https://api.github.com/users/studocu-ci-user/orgs",
"repos_url": "https://api.github.com/users/studocu-ci-user/repos",
"events_url": "https://api.github.com/users/studocu-ci-user/events{/privacy}",
"received_events_url": "https://api.github.com/users/studocu-ci-user/received_events",
"type": "User",
"site_admin": false,
"name": "StuDog",
"company": null,
"blog": "",
"location": null,
"email": null,
"hireable": null,
"bio": null,
"twitter_username": null,
"public_repos": 0,
"public_gists": 0,
"followers": 0,
"following": 0,
"created_at": "2018-11-07T10:13:00Z",
"updated_at": "2024-07-12T11:23:14Z"
}
```
```
└─# curl -H "Authorization: token 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" https://api.github.com/rate_limit
{
"resources": {
"core": {
"limit": 5000,
"used": 122,
"remaining": 4878,
"reset": 1721319727
},
"search": {
"limit": 30,
"used": 0,
"remaining": 30,
"reset": 1721317942
},
"graphql": {
"limit": 5000,
"used": 411,
"remaining": 4589,
"reset": 1721319582
},
"integration_manifest": {
"limit": 5000,
"used": 0,
"remaining": 5000,
"reset": 1721321482
},
"source_import": {
"limit": 100,
"used": 0,
"remaining": 100,
"reset": 1721317942
},
"code_scanning_upload": {
"limit": 1000,
"used": 0,
"remaining": 1000,
"reset": 1721321482
},
"actions_runner_registration": {
"limit": 10000,
"used": 0,
"remaining": 10000,
"reset": 1721321482
},
"scim": {
"limit": 15000,
"used": 0,
"remaining": 15000,
"reset": 1721321482
},
"dependency_snapshots": {
"limit": 100,
"used": 0,
"remaining": 100,
"reset": 1721317942
},
"audit_log": {
"limit": 1750,
"used": 0,
"remaining": 1750,
"reset": 1721321482
},
"audit_log_streaming": {
"limit": 15,
"used": 0,
"remaining": 15,
"reset": 1721321482
},
"code_search": {
"limit": 10,
"used": 0,
"remaining": 10,
"reset": 1721317942
}
},
"rate": {
"limit": 5000,
"used": 122,
"remaining": 4878,
"reset": 1721319727
}
}
```
### Pentest Report: Exposure of GitHub Token in Mobile APK Source Code
#### Title:
Exposure of GitHub Personal Access Token in Mobile APK Source Code
#### Description:
A GitHub Personal Access Token (PAT) was found exposed in the source code of a mobile APK. The token was located in the `res/values/strings.xml` file under the name "GH_PACKAGES_STUDOCU_TOKEN". This token grants access to the GitHub account associated with "studocu-ci-user". The exposure of this token poses significant security risks, as it can be used to perform a variety of sensitive operations on GitHub repositories, including creating, modifying, and deleting repositories, as well as accessing private data.
#### Steps to Reproduce:
1. Decompile the APK file using tools like `apktool`.
2. Navigate to the `res/values/strings.xml` file.
3. Locate the line containing the GitHub token:
```xml
<string name="GH_PACKAGES_STUDOCU_TOKEN">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</string>
```
4. Use the token to make authenticated requests to the GitHub API:
```sh
curl -H "Authorization: token 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" https://api.github.com/user
```
#### Business Impact:
The exposure of the GitHub token can lead to severe consequences, including but not limited to:
- Unauthorized access to private repositories.
- Data leakage and potential exposure of sensitive information.
- Unauthorized modifications or deletions of code repositories.
- Potential abuse of GitHub API rate limits.
- Compromise of continuous integration/continuous deployment (CI/CD) pipelines if the token has access to automation tools.
- Financial loss due to unauthorized actions or abuse of resources.
#### Recommendation:
1. **Immediate Action**:
- Revoke the exposed token immediately from GitHub's settings under Developer settings > Personal access tokens.
- Investigate any potential misuse of the token.
2. **Code Security**:
- Remove the token from the source code and ensure it is never hardcoded in any part of the application's source code.
- Use secure methods to handle and store sensitive information, such as environment variables or secure vault services (e.g., AWS Secrets Manager, HashiCorp Vault).
3. **Token Management**:
- Regenerate a new token with the minimal required scopes to limit the potential impact of any future exposure.
- Regularly review and rotate tokens to minimize the window of opportunity for misuse.
4. **Security Best Practices**:
- Conduct regular code reviews and security audits to identify and remediate security vulnerabilities.
- Implement automated security scanning tools in the CI/CD pipeline to detect hardcoded secrets before code is merged.
- Educate developers about secure coding practices and the risks associated with hardcoding sensitive information.
By addressing the above recommendations, the risk of unauthorized access and potential security breaches can be mitigated effectively.
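As an added defender-side example that is not part of the original report: a small Python checker that parses a decompiled `res/values/strings.xml` and flags resource strings whose value matches the classic GitHub PAT format (`ghp_` followed by 36 alphanumerics), a bare 40-hex API token of the kind used by Lokalise, or whose resource name suggests a credential holder. It is the kind of check recommendation 4 asks for in the CI pipeline; the sample XML, resource names and token values below are constructed placeholders, not the credentials from this report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decompiled res/values/strings.xml; every token
# value here is a placeholder, not a real credential.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example App</string>
    <string name="GH_PACKAGES_EXAMPLE_TOKEN">ghp_EXAMPLETOKEN000000000000000000000000</string>
    <string name="LOKALISE_API_TOKEN">0123456789abcdef0123456789abcdef01234567</string>
    <string name="support_email">support@example.com</string>
</resources>
"""

# Value patterns: classic GitHub PAT (ghp_ + 36 alphanumerics) and a bare
# 40-hex-character string as used for Lokalise-style API tokens. The hex
# pattern also matches SHA-1 digests, so treat those hits as "review", not proof.
VALUE_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "hex40_api_token": re.compile(r"\b[0-9a-f]{40}\b"),
}
# Resource names that suggest the value is a credential even if the format is unknown.
SUSPICIOUS_NAME = re.compile(r"(token|secret|api[_-]?key|password)", re.IGNORECASE)


def find_hardcoded_secrets(strings_xml: str) -> list[dict]:
    """Return one finding per <string> whose value matches a secret pattern
    or whose resource name looks like a credential holder. Values are
    redacted so the finding itself does not re-leak the secret."""
    findings = []
    root = ET.fromstring(strings_xml)
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        kinds = [k for k, p in VALUE_PATTERNS.items() if p.search(value)]
        if not kinds and SUSPICIOUS_NAME.search(name) and len(value) >= 20:
            kinds = ["suspicious_name"]
        if kinds:
            findings.append({"name": name, "kinds": kinds,
                             "redacted": value[:4] + "..." + value[-4:]})
    return findings


if __name__ == "__main__":
    # In CI, a non-empty result should fail the build before merge.
    for f in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{f['name']}: {', '.join(f['kinds'])} ({f['redacted']})")
```

Running it over the XML extracted from each release build (for example after `apktool d`) catches a token that was added after the source-level scan ran.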
---
# LOKALISE
### Curl Request
```sh
curl https://api.lokalise.com/api2/projects/ --header 'x-api-token: c515393287f3893be8df1670514694f794a80a86'
```
### Response
```
{
"projects": [
{
"project_id": "5711846865afd3d2b8e8b3.61988562",
"project_type": "localization_files",
"name": "Marketing",
"description": "",
"created_at": "2024-01-23 14:57:22 (Etc/UTC)",
"created_at_timestamp": 1706021842,
"created_by": 289639,
"created_by_email": "melanie@studocu.com",
"team_id": 388386,
"base_language_id": 640,
"base_language_iso": "en",
"settings": {
"per_platform_key_names": false,
"reviewing": true,
"auto_toggle_unverified": true,
"offline_translation": false,
"key_editing": true,
"inline_machine_translations": true,
"branching": false,
"segmentation": false,
"contributor_preview_download_enabled": false,
"custom_translation_statuses": false,
"custom_translation_statuses_allow_multiple": false
},
"statistics": {
"progress_total": 100,
"keys_total": 30,
"team": 11,
"base_words": 3656,
"qa_issues_total": 1161,
"qa_issues": {
"not_reviewed": 260,
"unverified": 50,
"spelling_grammar": 346,
"inconsistent_placeholders": 0,
"inconsistent_html": 364,
"different_number_of_urls": 0,
"different_urls": 0,
"leading_whitespace": 1,
"trailing_whitespace": 140,
"different_number_of_email_address": 0,
"different_email_address": 0,
"different_brackets": 0,
"different_numbers": 0,
"double_space": 0,
"special_placeholder": 0,
"unbalanced_brackets": 0
},
"languages": [
{
"language_id": 764,
"language_iso": "ca",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 767,
"language_iso": "da",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 666,
"language_iso": "de",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 640,
"language_iso": "en",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 1056,
"language_iso": "es",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 768,
"language_iso": "fi",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 673,
"language_iso": "fr",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 734,
"language_iso": "it",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 737,
"language_iso": "nl",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 760,
"language_iso": "no",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 748,
"language_iso": "pl",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 1057,
"language_iso": "pt",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 708,
"language_iso": "pt_BR",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 754,
"language_iso": "sv",
"progress": 100,
"words_to_do": 0
}
]
}
},
{
"project_id": "33798957657704d4a65566.19592047",
"project_type": "localization_files",
"name": "Playground",
"description": "You can play around with Lokalise here worry and consequence free!",
"created_at": "2023-12-11 12:47:16 (Etc/UTC)",
"created_at_timestamp": 1702298836,
"created_by": 289639,
"created_by_email": "melanie@studocu.com",
"team_id": 388386,
"base_language_id": 640,
"base_language_iso": "en",
"settings": {
"per_platform_key_names": false,
"reviewing": true,
"auto_toggle_unverified": true,
"offline_translation": false,
"key_editing": true,
"inline_machine_translations": true,
"branching": false,
"segmentation": false,
"contributor_preview_download_enabled": false,
"custom_translation_statuses": false,
"custom_translation_statuses_allow_multiple": false
},
"statistics": {
"progress_total": 99,
"keys_total": 4632,
"team": 13,
"base_words": 29764,
"qa_issues_total": 84744,
"qa_issues": {
"not_reviewed": 64848,
"unverified": 807,
"spelling_grammar": 17564,
"inconsistent_placeholders": 34,
"inconsistent_html": 13,
"different_number_of_urls": 0,
"different_urls": 0,
"leading_whitespace": 44,
"trailing_whitespace": 1434,
"different_number_of_email_address": 0,
"different_email_address": 0,
"different_brackets": 0,
"different_numbers": 0,
"double_space": 0,
"special_placeholder": 0,
"unbalanced_brackets": 0
},
"languages": [
{
"language_id": 764,
"language_iso": "ca",
"progress": 99,
"words_to_do": 223
},
{
"language_id": 767,
"language_iso": "da",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 666,
"language_iso": "de",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 640,
"language_iso": "en",
"progress": 99,
"words_to_do": 0
},
{
"language_id": 1056,
"language_iso": "es",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 768,
"language_iso": "fi",
"progress": 99,
"words_to_do": 218
},
{
"language_id": 673,
"language_iso": "fr",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 734,
"language_iso": "it",
"progress": 99,
"words_to_do": 234
},
{
"language_id": 737,
"language_iso": "nl",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 760,
"language_iso": "no",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 748,
"language_iso": "pl",
"progress": 99,
"words_to_do": 231
},
{
"language_id": 1057,
"language_iso": "pt",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 708,
"language_iso": "pt_BR",
"progress": 99,
"words_to_do": 229
},
{
"language_id": 754,
"language_iso": "sv",
"progress": 99,
"words_to_do": 229
}
]
}
},
{
"project_id": "5862821065450dbcf0be12.22268464",
"project_type": "localization_files",
"name": "Studocu (mobile)",
"description": "Translations for the React Native mobile application.",
"created_at": "2023-11-03 15:11:56 (Etc/UTC)",
"created_at_timestamp": 1699024316,
"created_by": 289639,
"created_by_email": "melanie@studocu.com",
"team_id": 388386,
"base_language_id": 640,
"base_language_iso": "en",
"settings": {
"per_platform_key_names": false,
"reviewing": true,
"auto_toggle_unverified": true,
"offline_translation": false,
"key_editing": true,
"inline_machine_translations": true,
"branching": false,
"segmentation": false,
"contributor_preview_download_enabled": false,
"custom_translation_statuses": false,
"custom_translation_statuses_allow_multiple": false
},
"statistics": {
"progress_total": 65,
"keys_total": 230,
"team": 10,
"base_words": 817,
"qa_issues_total": 3588,
"qa_issues": {
"not_reviewed": 2049,
"unverified": 1320,
"spelling_grammar": 204,
"inconsistent_placeholders": 0,
"inconsistent_html": 0,
"different_number_of_urls": 0,
"different_urls": 0,
"leading_whitespace": 1,
"trailing_whitespace": 14,
"different_number_of_email_address": 0,
"different_email_address": 0,
"different_brackets": 0,
"different_numbers": 0,
"double_space": 0,
"special_placeholder": 0,
"unbalanced_brackets": 0
},
"languages": [
{
"language_id": 764,
"language_iso": "ca",
"progress": 63,
"words_to_do": 299
},
{
"language_id": 767,
"language_iso": "da",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 666,
"language_iso": "de",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 640,
"language_iso": "en",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 610,
"language_iso": "en_GB",
"progress": 61,
"words_to_do": 311
},
{
"language_id": 1055,
"language_iso": "en_US",
"progress": 61,
"words_to_do": 311
},
{
"language_id": 1056,
"language_iso": "es",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 768,
"language_iso": "fi",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 673,
"language_iso": "fr",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 734,
"language_iso": "it",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 737,
"language_iso": "nl",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 739,
"language_iso": "nl_BE",
"progress": 61,
"words_to_do": 311
},
{
"language_id": 760,
"language_iso": "no",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 748,
"language_iso": "pl",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 1057,
"language_iso": "pt",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 708,
"language_iso": "pt_BR",
"progress": 63,
"words_to_do": 300
},
{
"language_id": 754,
"language_iso": "sv",
"progress": 63,
"words_to_do": 300
}
]
}
},
{
"project_id": "1637608665ae7338b27372.82645913",
"project_type": "localization_files",
"name": "Studocu (web)",
"description": "",
"created_at": "2024-01-22 13:52:56 (Etc/UTC)",
"created_at_timestamp": 1705931576,
"created_by": 289641,
"created_by_email": "fede@studocu.com",
"team_id": 388386,
"base_language_id": 640,
"base_language_iso": "en",
"settings": {
"per_platform_key_names": false,
"reviewing": true,
"auto_toggle_unverified": true,
"offline_translation": false,
"key_editing": true,
"inline_machine_translations": true,
"branching": false,
"segmentation": false,
"contributor_preview_download_enabled": false,
"custom_translation_statuses": false,
"custom_translation_statuses_allow_multiple": false
},
"statistics": {
"progress_total": 82,
"keys_total": 420,
"team": 16,
"base_words": 3932,
"qa_issues_total": 13463,
"qa_issues": {
"not_reviewed": 7073,
"unverified": 4612,
"spelling_grammar": 1746,
"inconsistent_placeholders": 0,
"inconsistent_html": 0,
"different_number_of_urls": 0,
"different_urls": 0,
"leading_whitespace": 0,
"trailing_whitespace": 32,
"different_number_of_email_address": 0,
"different_email_address": 0,
"different_brackets": 0,
"different_numbers": 0,
"double_space": 0,
"special_placeholder": 0,
"unbalanced_brackets": 0
},
"languages": [
{
"language_id": 764,
"language_iso": "ca",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 767,
"language_iso": "da",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 666,
"language_iso": "de",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 640,
"language_iso": "en",
"progress": 100,
"words_to_do": 0
},
{
"language_id": 610,
"language_iso": "en_GB",
"progress": 1,
"words_to_do": 3904
},
{
"language_id": 1055,
"language_iso": "en_US",
"progress": 1,
"words_to_do": 3904
},
{
"language_id": 1056,
"language_iso": "es",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 768,
"language_iso": "fi",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 673,
"language_iso": "fr",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 734,
"language_iso": "it",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 737,
"language_iso": "nl",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 739,
"language_iso": "nl_BE",
"progress": 1,
"words_to_do": 3904
},
{
"language_id": 760,
"language_iso": "no",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 748,
"language_iso": "pl",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 1057,
"language_iso": "pt",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 708,
"language_iso": "pt_BR",
"progress": 99,
"words_to_do": 14
},
{
"language_id": 754,
"language_iso": "sv",
"progress": 99,
"words_to_do": 14
}
]
}
}
]
}
```