Get Git credentials from URL | by Teri Radichel | Cloud Security | October 2023


ACM.267 Attempting to use Git Credential Helper cache option in Lambda does not work – alternative solution

Part of my series on Automating Cybersecurity Metrics. Lambda. AppSec. Secure Code. Git Security. Deploying a Static Website. The Code.


In the last article I talked about parsing input in Lambda functions and ensuring it meets a particular character-set requirement, to help prevent injection attacks such as cross-site scripting (XSS).

In this article, I’m going to stop passing the Git credentials in the URL and instead use the Git credential helper. I wrote about using the Git credential helper with the cache option, so that credentials are not stored on disk, and why this is my preferred option here:

Before trying to remove credentials from the URL, I wanted to consider the risk we are mitigating here.

Where could someone see our credentials if they are in the URL?

At first glance, I don’t see anywhere in the AWS console where this URL is saved. That is because I removed every statement that would echo the URL to the logs. This is the kind of thing QA professionals and penetration testers should be checking for: ensure that developers do not write sensitive data to log files, or anywhere else that values can be stored and read by unauthorized parties.

Where else could someone see these credentials in a URL? If we were using a browser to access this URL, we would have a number of different risks to consider. But if the git client uses TLS correctly, the request should be encrypted end to end, including the credentials in the URL. One risk, besides anywhere you might log the URL in your Lambda function, would be any logging of the URL by GitHub. I assume these logs are correctly…
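The logging check described above, as an added example that is not part of the original post: a redaction helper a Python Lambda can wrap around its log calls, plus a detector to run over captured log output after a deployment. The remote URL shape, the token and the log lines are all constructed here; the repository, user and token are placeholders.

```python
"""Keep embedded Git credentials out of Lambda logs (added example).

Assumes the function clones over HTTPS with a remote of the form
https://user:token@host/path, which is the pattern the post is moving away from.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Marker written in place of the userinfo so the log shows a redaction happened.
REDACTED = "redacted"

# Any http(s) URL whose authority part carries userinfo (user or user:secret).
_CRED_URL_RE = re.compile(r"https?://[^/\s@]+@[^\s'\"]+")


def redact_url_credentials(url: str) -> str:
    """Return the URL with user:password/token replaced by the marker."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    # Keep scheme, host and path (useful for debugging); drop the whole secret
    # rather than masking only part of it.
    return urlunsplit((parts.scheme, f"{REDACTED}@{host}", parts.path,
                       parts.query, parts.fragment))


def safe_log_line(message: str) -> str:
    """Redact every credentialed URL inside a log message before emitting it."""
    return _CRED_URL_RE.sub(lambda m: redact_url_credentials(m.group(0)), message)


def find_credentialed_urls(log_text: str) -> list[str]:
    """Detection check: every URL in captured log output that still embeds
    credentials (the redaction marker itself is not reported)."""
    return [m for m in _CRED_URL_RE.findall(log_text)
            if urlsplit(m).username not in (None, REDACTED)]


# Constructed sample log output; the token is a placeholder, not a credential.
SAMPLE_LOG = """\
Cloning into 'site'...
remote: https://deploybot:ghp_PLACEHOLDERTOKEN@github.com/example/site.git
Done: https://github.com/example/site.git
"""

if __name__ == "__main__":
    print(find_credentialed_urls(SAMPLE_LOG))
    print(safe_log_line(SAMPLE_LOG))
```

Run the detector against exported CloudWatch log text as a post-deployment check; an empty list is the expected result once every log statement goes through the redaction wrapper.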
