GitPhish is an open-source security research tool built to replicate GitHub’s device code authentication flow. It features three core operating modes: an authentication server, automated landing page deployment, and an administrative management interface.
GitPhish can be accessed via a command-line interface or a web dashboard, offering comprehensive features such as logging, analytics, and token management.
“We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub. Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts,” said Mason Davis, Staff Security Engineer at Praetorian.
Architecture overview
Authentication Server:
- Flask-based HTTPS endpoint with device code flow implementation
- Comprehensive token capture with visitor analytics
- Email allowlisting and access control

GitHub Pages Deployment Engine:
- Automated repository creation and Pages configuration
- Professional template system with multiple presets
- Real-time deployment status monitoring
- Integration with authentication server endpoints

Administrative Interface:
- Web-based management dashboard
- Real-time monitoring and analytics
- Deployment orchestration and control
- Audit logging and reporting
GitPhish is available for free on GitHub.
