Details

Topic: Better Git Hacking: extracting “deleted” secrets from Git databases with Grawler
Speaker: Justin Regele, Penetration Tester with Tiro Security

Git is a widely used version control system for software development projects. Because of the way Git stores data, "deleted" secrets do not disappear from the filesystem. When a developer commits encryption keys, production passwords, or other secrets to a repository, removing them in a later commit does not scrub them from the history: the earlier commit still points at the old blob. Those secrets live on as zlib-compressed, unencrypted objects in every developer's clone unless the history is rewritten, the old objects become unreachable, and garbage collection actually prunes them.
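The retention behaviour described above, and the object-store crawl that the Grawler description below refers to, as an added example (this is not Grawler's code and not from the talk): a Python scanner that inflates loose objects under `.git/objects` exactly the way Git stores them and greps blob contents for a few secret patterns. The object store is built inline with hand-written blobs so the script runs offline without git; the two sample blobs, the detection patterns, and every function name are assumptions made for illustration.

```python
"""Recover a "deleted" secret straight from Git's loose object store.

Git stores every version of every file as a loose object at
.git/objects/xx/yyyy..., holding zlib(b"<type> <size>\0" + content) and named
by the SHA-1 of the uncompressed bytes. "Deleting" a secret in a later commit
writes a NEW blob; the old blob stays on disk until it is unreachable and
pruned. Everything below is constructed for illustration, not Grawler's code.
"""
import hashlib
import os
import re
import tempfile
import zlib

# Illustrative detection rules (assumption: not Grawler's actual rule set).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}


def write_loose_object(objects_dir, obj_type, payload):
    """Store payload as Git would store a loose object; return its hex id.

    The bytes on disk are compressed, never encrypted, so anyone with the
    clone can inflate them without going through git at all.
    """
    raw = b"%s %d\0" % (obj_type.encode(), len(payload)) + payload
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(objects_dir, oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid


def read_loose_object(path):
    """Inflate one loose object and split it into (type, payload)."""
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, _, payload = raw.partition(b"\0")
    obj_type, _, _size = header.partition(b" ")
    return obj_type.decode(), payload


def scan_objects(objects_dir):
    """Walk every loose object, regardless of reachability, and flag blobs.

    Returns a list of (object_id, rule_name, matched_bytes). Objects inside
    pack files (objects/pack/*.pack) are delta-encoded and are NOT inflated
    here; that is the harder case Grawler handles by walking packs.
    """
    findings = []
    for entry in sorted(os.listdir(objects_dir)):
        if len(entry) != 2:
            continue  # "pack" and "info" are not fan-out directories
        fanout = os.path.join(objects_dir, entry)
        for name in sorted(os.listdir(fanout)):
            obj_type, payload = read_loose_object(os.path.join(fanout, name))
            if obj_type != "blob":
                continue  # commits and trees carry no file content
            for rule, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(payload):
                    findings.append((entry + name, rule, match.group(0)))
    return findings


def build_demo_store(root):
    """Constructed scenario: a secret is committed, then 'removed' later."""
    objects_dir = os.path.join(root, ".git", "objects")
    # Revision 1: config.py with hard-coded credentials (constructed values).
    leaked = write_loose_object(
        objects_dir, "blob",
        b"DB_PASSWORD = 'hunter2-prod'\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n")
    # Revision 2: the developer "deletes" the secret. A new blob is written;
    # the old one is untouched on disk.
    cleaned = write_loose_object(
        objects_dir, "blob",
        b"DB_PASSWORD = os.environ['DB_PASSWORD']\nAWS_KEY = os.environ['AWS_KEY']\n")
    return objects_dir, leaked, cleaned


def demo():
    """Build the constructed store in a temp dir, scan it, return the results."""
    root = tempfile.mkdtemp(prefix="git-secrets-demo-")
    objects_dir, leaked, cleaned = build_demo_store(root)
    return {"objects_dir": objects_dir, "leaked": leaked,
            "cleaned": cleaned, "findings": scan_objects(objects_dir)}


if __name__ == "__main__":
    result = demo()
    for oid, rule, match in result["findings"]:
        print(f"{oid[:12]} {rule}: {match.decode(errors='replace')}")
```

Point `scan_objects` at a real `.git/objects` to use it on a checkout. Two caveats matter in practice: `git log` only walks reachable commits, whereas a walk of the object store also sees the dangling blobs a history rewrite leaves behind, which is why verification has to look at the database rather than the log; and after `git gc` most objects live delta-encoded in `.git/objects/pack/*.pack`, which this scanner skips. To actually purge a secret, rewrite the history, then run `git reflog expire --expire=now --all && git gc --prune=now`, and repeat on every clone, because each one carries its own copy of the objects.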

Grawler is a command-line utility written in Bash and Python that crawls the object trees of a Git repository, searching for and extracting secrets, passwords, keys, and other sensitive information. It is useful for verifying, via git-log, that a history rewrite actually scrubbed every occurrence of sensitive data, and for exposing problems in revision deltas by walking pack files directly.

BIO:
Justin Regele works as a Penetration Tester with Tiro Security, as well as a freelance software engineer doing full-stack, mobile and embedded development. His introduction to computer programming came from Herb Schildt's Teach Yourself C, which he found in a dumpster in 2005.

Sponsors

OWASP - LA (sponsorship.la@owasp.org)
Wallarm: API Security and AI agents
Contrast Security: Application Detection and Response for Modern Enterprises
Kodem: Helping AppSec Teams Make Security a Priority
Arnica: AppSec made simple, pipelineless detection and secret mitigation
Endor Labs: Secure open source software without the dev productivity tax
DefectDojo: DefectDojo is the platform and product that enables scalable security
Cato Networks: One platform to connect all edges, everywhere
Checkmarx: Securing the Applications Driving Our World
Mend.io: equips your dev and security teams with tools to build a mature AppSec