Pastebin and its many clones have been around since 2002. Over the 11 years of their evolution, we have watched them change from their original purpose of sharing code snippets into an anonymous dead drop for hackers. The latest example is a “hacker” disclosing SQLi vulnerabilities in .mil, .gov and .un.org domains (http://pastebin.com/Cpgp9jHE): an obvious skiddie cry for attention, but dangerous nonetheless. These days, however, Pastebin is far more vigilant about removing posts that contain hacked system information or credentials, so most of the sensitive information is taken down before the story hits Slashdot. While this is a good thing when protecting your enterprise, it doesn’t stop developers from posting noteworthy code snippets and comments.
I’ve found Pastebin and its clones useful for two security-related activities:
- when red teaming, these repositories are a useful source of intelligence and in extreme cases may even allow you to find and exploit vulnerabilities in your code.
- as a defender of the enterprise, searching these repositories for either stolen information or attack plans.
While the lack of search-engine indexing and Pastebin’s limited search functionality reduce its effectiveness as a reconnaissance tool, there are still gems to be uncovered. The simplest approach is to search for the domain name of your target using the website’s search function, e.g. ionize.com.au. The Pastebin API allows you to search by username, and the results can be processed within a script so you can whittle them down.
Although Pastebin is the market leader, don’t forget that there are a few clones worth searching as well. Some of these clones have been adopted by particular industries for whatever reason. Some of the more useful repositories (to a pen-tester) are:
- http://pastie.org (allows Google to index its content so the search function is Google)
- https://gist.github.com (you must sign up [free] in order to use the search function)
Other code snippet repositories have seen the danger of allowing searches of pastes and no longer offer search functionality. However, with a little digging I’m sure you’ll find one that still offers search or exposes an API.
So what’s the moral of this story?
1) Make your developers aware that code snippets stored on these sites are accessible to anyone, and that they provide very useful intel about the development activities of your organisation.
2) Set up a daily search of these repositories for information concerning your organisation, so you can respond before Slashdot does.
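The domain search described earlier and the daily monitoring recommended in point 2 are the same job seen from two sides: take a batch of pastes and flag the ones that mention your organisation or look like leaked configuration. The script below is an added example written for this post, not code from Pastebin or from the author; it scans an inline, constructed list of pastes (the placeholder domain `example-org.test` and the project codename `project-falcon` are invented) and reports which paste matched which indicator. Feeding it from a real paste source is left to the reader, since that depends on whichever feed or API you have access to.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Paste:
    paste_id: str
    title: str
    body: str


@dataclass
class Hit:
    paste_id: str
    indicator: str   # which pattern fired, e.g. "domain:example-org.test"
    snippet: str     # a little context around the match for the daily report


class PasteMonitor:
    """Scan pastes for mentions of your organisation and credential-shaped lines."""

    def __init__(self, org_domains: Iterable[str], extra_terms: Iterable[str] = ()):
        self.patterns: List[Tuple[str, re.Pattern]] = []
        for d in org_domains:
            # Match the domain and any of its subdomains as a whole token,
            # so "api.example-org.test" fires but "notexample-org.test" does not.
            rx = r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(d) + r"(?![\w-])"
            self.patterns.append((f"domain:{d}", re.compile(rx, re.I)))
        for t in extra_terms:
            # Internal project names, product codenames, hostnames, etc.
            self.patterns.append((f"term:{t}", re.compile(re.escape(t), re.I)))
        # Generic "something = value" lines that look like leaked secrets,
        # worth a look even when the organisation is not named.
        self.patterns.append((
            "secret-assignment",
            re.compile(r"(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*\S+", re.I),
        ))

    def scan(self, pastes: Iterable[Paste]) -> List[Hit]:
        hits: List[Hit] = []
        for p in pastes:
            text = f"{p.title}\n{p.body}"
            for label, rx in self.patterns:
                m = rx.search(text)
                if m:
                    hits.append(Hit(p.paste_id, label, self._snippet(text, m)))
        return hits

    @staticmethod
    def _snippet(text: str, m: "re.Match", width: int = 30) -> str:
        start = max(0, m.start() - width)
        end = min(len(text), m.end() + width)
        return text[start:end].replace("\n", " ")


def summarize(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Group indicator labels by paste id, the shape a daily report wants."""
    report: Dict[str, List[str]] = {}
    for h in hits:
        report.setdefault(h.paste_id, []).append(h.indicator)
    return report


# Constructed sample pastes standing in for a real feed. Ids, titles and
# contents are invented for this example.
SAMPLE_PASTES = [
    Paste("aaa111", "nginx site config",
          "server_name api.example-org.test;\nlisten 443 ssl;"),
    Paste("bbb222", "deploy script",
          "export DB_PASSWORD=hunter2\nDB_HOST=10.0.0.5"),
    Paste("ccc333", "cat facts",
          "Cats sleep around 16 hours a day."),
    Paste("ddd444", "Re: project-falcon build",
          "the nightly project-falcon build failed again"),
]


def run_daily_check() -> Dict[str, List[str]]:
    monitor = PasteMonitor(["example-org.test"], extra_terms=["project-falcon"])
    return summarize(monitor.scan(SAMPLE_PASTES))


if __name__ == "__main__":
    for paste_id, indicators in run_daily_check().items():
        print(f"{paste_id}: {', '.join(indicators)}")
```

Run under cron once a day with your own domains and codenames in place of the placeholders; the `summarize` output is deliberately small so it can go straight into a ticket or an e-mail to the team that owns the leaked artefact.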
I’m sure there are even more ideas for the use and abuse of Pastebin, et al, that I haven’t thought of, and I’d love to hear them!