YoVDO

Repo Jacking - How Github Usernames Expose Projects to RCE

Offered By: NorthSec via YouTube

Tags

NorthSec Courses Remote Code Execution (RCE) Courses Dependency Injection Courses Remote Code Execution Courses

Course Description

Overview

Explore a critical security vulnerability affecting over 70,000 open-source projects in this 25-minute conference talk from NorthSec 2021. Dive into 'repo jacking', an obscure supply chain vulnerability that allows attackers to hijack Github repositories and achieve remote code execution through dependency injection. Learn about the vulnerability's causes, exploitation methods, and why it has gone unnoticed for so long. Discover how to scan open-source projects for this vulnerability, build dependency graphs, and understand its full impact. Examine the prevalence of repo jacking across various project types, from small personal games to large web frameworks and cryptocurrency wallets. Gain insights into mitigation strategies to protect your projects from this and other supply chain attacks.

Syllabus

Intro
Open-source Supply Chain Attacks
Repo Jacking
Vulnerable Scenarios
Repository Redirects
GitHub's Response
Mass Analysis
Data Collection
Clean Up
Hijackable Usernames
Dependency Analysis
4. Directly Vulnerable Projects
Key Findings
Remediations


Taught by

NorthSec

Related Courses

I Am Become Loadbalancer, Owner of Your Network
NorthSec via YouTube
The Risks of RDP and How to Mitigate Them
NorthSec via YouTube
Authentication Challenges in SaaS Integration and Cloud Transformation
NorthSec via YouTube
Building CANtact Pro - An Open Source CAN Bus Tool
NorthSec via YouTube
Unmasking the Chameleons of the Criminal Underground
NorthSec via YouTube