praetorian-inc/gato

Utilize GitHub API to perform commits

AdnaneKhan opened this issue · 3 comments

The gato attack features currently push changes using git commands. Gato will not work against organizations that require SSH certificate authentication for clones and push operations. It is possible to use the GitHub API to create a new branch, commit to that branch, and then delete it. This will bypass the SSH authentication requirement entirely.
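The create-branch, commit, delete-branch sequence described above, written out as an added example against the GitHub Git Data API. This is illustrative code, not gato's own implementation: the owner/repo/branch names, the token placeholder, the workflow file contents and the `FakeTransport` responses are all constructed here so the block runs offline and shows the exact request order; swap in the default `urllib_transport` and a real token to talk to api.github.com.

```python
import base64
import json
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport via the standard library (urlopen raises on 4xx/5xx)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class GitHubApi:
    """Minimal Git Data API client; `transport` is injectable for offline testing."""

    def __init__(self, token, transport=urllib_transport, base_url="https://api.github.com"):
        self.token = token
        self.transport = transport
        self.base_url = base_url

    def _call(self, method, path, payload=None):
        headers = {
            "Authorization": f"Bearer {self.token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        }
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, data = self.transport(method, self.base_url + path, headers, body)
        if status >= 300:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def commit_to_new_branch(self, owner, repo, base_branch, new_branch, path, content, message):
        """Create `new_branch` off `base_branch` with one file at `path`, over HTTPS only
        (no clone, no git push, so SSH-only clone/push policies are never exercised).
        Returns the new commit SHA."""
        r = f"/repos/{owner}/{repo}"
        # 1. Resolve the base branch to its commit, and that commit to its tree.
        base_sha = self._call("GET", f"{r}/git/ref/heads/{base_branch}")["object"]["sha"]
        base_tree = self._call("GET", f"{r}/git/commits/{base_sha}")["tree"]["sha"]
        # 2. Upload the file as a blob (base64 so arbitrary bytes survive JSON).
        blob_sha = self._call("POST", f"{r}/git/blobs", {
            "content": base64.b64encode(content).decode(), "encoding": "base64"})["sha"]
        # 3. New tree = base tree plus this one entry (mode 100644 = regular file).
        tree_sha = self._call("POST", f"{r}/git/trees", {
            "base_tree": base_tree,
            "tree": [{"path": path, "mode": "100644", "type": "blob", "sha": blob_sha}]})["sha"]
        # 4. Commit pointing at the new tree, parented on the base commit.
        commit_sha = self._call("POST", f"{r}/git/commits", {
            "message": message, "tree": tree_sha, "parents": [base_sha]})["sha"]
        # 5. Creating the ref is the "push": it is what fires on: push workflows.
        self._call("POST", f"{r}/git/refs", {"ref": f"refs/heads/{new_branch}", "sha": commit_sha})
        return commit_sha

    def delete_branch(self, owner, repo, branch):
        """Remove the branch ref. Against a live target, wait for the triggered
        workflow run to finish before calling this."""
        self._call("DELETE", f"/repos/{owner}/{repo}/git/refs/heads/{branch}")


class FakeTransport:
    """Constructed stand-in for api.github.com (not a real server): records every
    (method, path) and answers with canned JSON shaped like GitHub's responses."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        path = url.split("/repos/", 1)[1]
        self.calls.append((method, path))
        if method == "GET" and "/git/ref/heads/" in path:
            return 200, {"object": {"sha": "a" * 40}}
        if method == "GET" and "/git/commits/" in path:
            return 200, {"tree": {"sha": "b" * 40}}
        if method == "POST" and path.endswith("/git/blobs"):
            return 201, {"sha": "c" * 40}
        if method == "POST" and path.endswith("/git/trees"):
            return 201, {"sha": "d" * 40}
        if method == "POST" and path.endswith("/git/commits"):
            return 201, {"sha": "e" * 40}
        if method == "POST" and path.endswith("/git/refs"):
            return 201, {"ref": json.loads(body)["ref"]}
        if method == "DELETE":
            return 204, {}
        return 404, {"message": "Not Found"}


def run_demo():
    """Drive create -> commit -> delete against the fake transport; returns (sha, calls)."""
    fake = FakeTransport()
    api = GitHubApi(token="ghp_placeholder", transport=fake)  # placeholder, not a real token
    # Constructed sample workflow: the kind of file a PoC push would add.
    workflow = b"on: push\njobs:\n  poc:\n    runs-on: ubuntu-latest\n    steps:\n      - run: id\n"
    sha = api.commit_to_new_branch("example-org", "example-repo", "main", "gato-poc",
                                   ".github/workflows/poc.yml", workflow, "Add PoC workflow")
    api.delete_branch("example-org", "example-repo", "gato-poc")
    return sha, fake.calls
```

Seven requests replace the whole clone/commit/push/delete cycle, and every one of them is an authenticated REST call, so a token with `repo` (or fine-grained `contents: write`) scope is the only credential needed. The commit is still attributed to the token owner and still shows up in the audit log, which is the same footprint a git push would leave.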

Currently tracked in update/api_only_wf_attack. Confirmed working but not thoroughly tested.

Feature is in the development branch for enumeration and workflow attack. Fork PR attack still uses git commands.

After looking at real-world use cases, it does not make sense to use the API to perform the force-push and close technique (which we want to keep). It is a lot of extra work for little gain, since the log footprint is the same.

Any complex attacks abusing a fork PR are best conducted manually, and this feature is mainly intended to support pentesters wanting to demonstrate impact quickly.