Mackenzie Jackson

Mackenzie is a developer and security advocate with a passion for DevOps and application security. As the co-founder and former CTO of the health tech company Conpago, he learned first-hand how critical it is to build secure applications with robust developer operations.
Today Mackenzie continues his passion for security by working with the GitGuardian research team to uncover the latest trends malicious actors are using. Mackenzie is also the host of The Security Repo podcast, an established security writer, an experienced global speaker, and has appeared as an expert in documentaries and television broadcasts.


Sessions

03-18
16:30
30min
The attacker's guide to exploiting secrets in the Universe
Mackenzie Jackson

Exposed secrets like API keys and other credentials are the crown jewels of organizations, yet they remain a persistent vulnerability. The majority of security breaches leverage secrets at some point during the attack path. This presentation sheds light on the various methods attackers use to discover and exploit these secrets across different technologies. The talk will cover how to:
Abuse the GitHub public API
Gain unauthorized access to private git repos
Decompile containers
Decompile mobile applications from the App and Play Stores
We combine novel research, real-life attack paths, and live demos to show exactly the steps attackers take, revealing their playbook.

Recent research has shown that git repositories are treasure troves full of secrets. A year-long study showed that 10 million secrets were pushed into public repositories in 2022 alone. We will show exactly how adversaries abuse the public GitHub API to uncover these secrets, even leaking secrets live to show how quickly attackers discover and exploit them. Public source code, however, is only the tip of the iceberg, as private code repositories have proven to be much more valuable targets. We will demonstrate how to gain unauthorized access to private git repositories and discover secrets deep in their history. This will include supply chain poisoning, developer phishing, and configuration exploitation, among other techniques. Finally, this talk will dive into decompiling containers, packages, and mobile applications to uncover the huge number of secrets buried within them, revealing how shockingly common it is to find hard-coded secrets.
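The container part of that playbook rests on one fact: an image is a stack of tar layers, and a file that a later layer deletes or overwrites is still sitting, byte for byte, in the earlier layer. The script below is an added illustration written for this page, not material from the talk or GitGuardian's tooling. It builds two constructed in-memory layers (an `.env` with AWS's documented example credentials, then a layer that "removes" it with an OCI `.wh.` whiteout), scans every layer independently, and contrasts that with scanning the flattened filesystem a running container would expose. The detection patterns, the entropy threshold, and the file contents are illustrative assumptions, not a production rule set.

```python
from __future__ import annotations

import io
import math
import re
import tarfile
from collections import Counter
from dataclasses import dataclass

# Provider-specific patterns (formats are public: AWS access key IDs start with
# AKIA, classic GitHub PATs with ghp_). Real scanners carry hundreds of these.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic catch-all: a secret-looking variable name assigned a long literal.
# Env-style references such as ${TOKEN} are not in the value class, so they
# do not fire; the 16-char minimum and entropy cut-off are illustrative choices.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b[a-z0-9_]*(secret|token|passw(?:or)?d|api_?key|access_key)[a-z0-9_]*"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9_\-+/=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed, tune per corpus


@dataclass(frozen=True)
class Finding:
    layer: int      # -1 means "flattened filesystem"
    path: str
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking key material scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_layer(files: dict[str, bytes]) -> bytes:
    """Constructed stand-in for one image layer: a tar with the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_blob(layer: int, path: str, data: bytes) -> list[Finding]:
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return []  # binaries would need a strings-style pass; out of scope here
    findings: list[Finding] = []
    for line in text.splitlines():
        hits: set[str] = set()
        for kind, rx in SPECIFIC_PATTERNS.items():
            for m in rx.finditer(line):
                hits.add(m.group(0))
                findings.append(Finding(layer, path, kind, m.group(0)))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if value not in hits and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(layer, path, "high_entropy_assignment", value))
    return findings


def scan_layers(layers: list[bytes]) -> list[Finding]:
    """Attacker's view: every layer on its own, so deletions in later layers
    cannot hide anything. Whiteout markers carry no data and are skipped."""
    findings: list[Finding] = []
    for index, layer in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            for member in tar:
                base = member.name.rpartition("/")[2]
                if member.isfile() and not base.startswith(".wh."):
                    findings.extend(scan_blob(index, member.name, tar.extractfile(member).read()))
    return findings


def flatten_layers(layers: list[bytes]) -> dict[str, bytes]:
    """Runtime's view: apply layers in order; later files overwrite earlier
    ones, .wh.<name> deletes <name>, .wh..wh..opq clears the whole directory."""
    fs: dict[str, bytes] = {}
    for layer in layers:
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            for member in tar:
                directory, _, base = member.name.rpartition("/")
                prefix = directory + "/" if directory else ""
                if base == ".wh..wh..opq":
                    for path in [p for p in fs if p.startswith(prefix)]:
                        del fs[path]
                elif base.startswith(".wh."):
                    fs.pop(prefix + base[len(".wh."):], None)
                elif member.isfile():
                    fs[member.name] = tar.extractfile(member).read()
    return fs


def scan_flattened(fs: dict[str, bytes]) -> list[Finding]:
    return [f for path, data in fs.items() for f in scan_blob(-1, path, data)]


# Constructed sample image: layer 0 bakes in an .env (AWS's published example
# key pair, not live credentials); layer 1 deletes it and adds a clean config.
SAMPLE_IMAGE = [
    build_layer({
        "app/main.py": b"print('hello')\n",
        "app/.env": (b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                     b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                     b"DB_PASSWORD=hunter2\n"),
    }),
    build_layer({
        "app/.wh..env": b"",
        "app/config.yml": b"db_host: localhost\ngithub_token: ${GITHUB_TOKEN}\n",
    }),
]

if __name__ == "__main__":
    for f in scan_layers(SAMPLE_IMAGE):
        print(f"layer {f.layer} {f.path}: {f.kind} -> {f.value}")
    print("flattened filesystem findings:", len(scan_flattened(flatten_layers(SAMPLE_IMAGE))))
```

Running it reports both AWS values from layer 0 and nothing from the flattened tree, which is the whole point: `docker export` or an `exec` into the running container never sees the `.env`, while `docker save` (or pulling the layer blobs from a registry) hands it over. The short `hunter2` password slips past the generic rule, a reminder that keyword matching without an entropy floor, or a dedicated rule, is what catches weak but real credentials.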

Knowing how attackers operate is essential to building effective defenses: understanding the attacker's playbook lets you anticipate their next moves. This presentation is perfect for anyone wanting to know how to prevent attackers from getting hold of your crown jewels.

Arena