About a month ago, it was one of those nights when the sleepless programmer wakes up inside you and you simply know that something good is going to happen. The trigger that night was stumbling on a public gist that had the login credentials of a WordPress site inside. What the *, right? This could be just an isolated incident, I thought; who would put sensitive information like that in public Gists knowing they are... ehh... public?

But.. The sleepless programmer had already woken up and started drawing the attack plan!

And GISTBOT was born:


GISTBOT is a smart bot that watches the GitHub Gist feed and gives you the power to find repositories that interest you in real time.

From my experience creating other PoC (proof of concept) apps, you need to be efficient. This means you don't add all those fancy features you have in mind (yeah, I know it's hard); you just need the very, very basic test case that will, of course, help you prove your concept.

For my case, it was building a crawler that would use the GitHub API (which, by the way, allows 5000 calls per IP/hour) to fetch and analyze publicly available Gists. The very essential features for GISTBOT were to be able to choose the file type of the gist and to provide a smart way to filter all that data.

Filter data? I don't know about you, but the first thing that comes to my mind is regular expressions. The crawler is configured to read all the regexes from a file and test them against the Gists. So touch regex.txt and let the games begin :)
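To make the two essential features concrete (pick the gist file types you care about, then run every regex from regex.txt over them), here is an added Python example. It is not GISTBOT's code; it only mimics the shape of the objects the GitHub Gist API returns. The gist records, their `content` fields (the real list endpoint gives you a `raw_url` to fetch instead) and the two patterns standing in for regex.txt are constructed for the example. Matches are reported as redacted previews so a leaked credential is never copied in full into your own logs, which is how you would run this to watch for your own organization's secrets turning up in public.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed stand-in for the post's regex.txt (hypothetical patterns, not GISTBOT's).
# One pattern per line; blank lines and '#' comments are skipped.
REGEX_FILE_TEXT = """\
# hard-coded passwords in assignments: password = 'secret'
(?i)(?:db_)?password\\s*=\\s*['"][^'"]{4,}['"]
# WordPress-style define('DB_PASSWORD', '...')
(?i)define\\(\\s*'DB_PASSWORD'\\s*,\\s*'[^']+'\\s*\\)
"""

# Constructed gist records in the shape of GET /gists/public, plus an inline
# "content" field so the example runs offline (the real API exposes raw_url).
SAMPLE_GISTS = [
    {"id": "g1", "files": {"wp-config.php": {
        "filename": "wp-config.php", "language": "PHP",
        "content": "<?php\ndefine('DB_PASSWORD', 'hunter2');\n"}}},
    {"id": "g2", "files": {"notes.txt": {
        "filename": "notes.txt", "language": "Text",
        "content": "# deployment notes\npassword = 'correct horse'\n"}}},
    {"id": "g3", "files": {"config.env": {
        "filename": "config.env", "language": None,
        "content": "DB_HOST=localhost\nDEBUG=true\n"}}},
]


def load_patterns(text: str) -> List[re.Pattern]:
    """Compile one regex per non-empty, non-comment line; skip invalid ones."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            print(f"regex.txt:{lineno}: skipped invalid pattern ({exc})")
    return patterns


def wanted_file(meta: Dict, extensions: Optional[Set[str]]) -> bool:
    """The post's 'choose the file type' option: None means every file."""
    if extensions is None:
        return True
    name = meta.get("filename", "").lower()
    return any(name.endswith(ext) for ext in extensions)


def preview(match: re.Match, keep: int = 12) -> str:
    """Enough of the hit to triage it, without writing the full secret to a log."""
    text = match.group(0)
    return text if len(text) <= keep else text[:keep] + "[...]"


def scan_gist(gist: Dict, patterns: List[re.Pattern],
              extensions: Optional[Set[str]] = None) -> List[Dict]:
    """Run every pattern over every wanted file of one gist, line by line."""
    hits = []
    for meta in gist.get("files", {}).values():
        if not wanted_file(meta, extensions):
            continue
        content = meta.get("content", "")  # real crawler: HTTP GET meta["raw_url"]
        for lineno, line in enumerate(content.splitlines(), 1):
            for pat in patterns:
                m = pat.search(line)
                if m:
                    hits.append({"gist": gist["id"], "file": meta["filename"],
                                 "line": lineno, "pattern": pat.pattern,
                                 "preview": preview(m)})
    return hits


def scan_feed(gists: List[Dict], patterns: List[re.Pattern],
              extensions: Optional[Set[str]] = None) -> List[Dict]:
    """Scan a page of the public gist feed; the real crawler would poll
    GET /gists/public with a token and watch X-RateLimit-Remaining."""
    return [h for g in gists for h in scan_gist(g, patterns, extensions)]


if __name__ == "__main__":
    pats = load_patterns(REGEX_FILE_TEXT)
    for hit in scan_feed(SAMPLE_GISTS, pats, {".php", ".env"}):
        print(f"{hit['gist']}/{hit['file']}:{hit['line']}  {hit['preview']}")
```

Restricting the scan to `.php` and `.env` files turns up only the wp-config.php hit; passing `None` scans every file and also catches the password in the plain-text note. Keeping the pattern file separate, as the post does, means new indicators (your own hostnames, key prefixes, internal domain names) can be added without touching the crawler.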

The only thing left is imagination!

How great this tool can be is really up to the user, but played right, there is definitely great potential.

It's been running for almost one month now with 7 interesting regex patterns, and it has returned ~1500 matches. There are, for sure, a lot of false positives in there, but it simply doesn't matter since you get a lot of good stuff too :)

I am very impressed with the results, but at the same time disappointed in the fellow programmers who, despite all the warnings about keeping sensitive information out of public places, still choose to ignore them.

P.S. Although this app's primary goal is Gray Hat Warfare, you can also use it to watch out for other stuff, like, let's say, the use of a plugin for a specific programming language you use.