<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>DevOps Attack Surface - Pentester's Guide</title>
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap" rel="stylesheet">
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
:root {
--primary: #4d65ff;
--primary-dark: #3d52cc;
--secondary: #8b5cf6;
--accent: #ec4899;
--success: #10b981;
--warning: #f59e0b;
--bg: #0f0a1e;
--card-bg: #1a1333;
--text: #e5e7eb;
--text-secondary: #9ca3af;
--border: #2d2347;
--shadow-sm: 0 2px 4px rgba(0,0,0,0.3);
--shadow-md: 0 4px 8px rgba(0,0,0,0.4);
--shadow-lg: 0 8px 16px rgba(77,101,255,0.2);
}
body {
font-family: 'Roboto', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
background: var(--bg);
color: var(--text);
line-height: 1.6;
font-weight: 400;
}
.header {
background: var(--card-bg);
border-bottom: 1px solid var(--border);
padding: 24px 0;
position: sticky;
top: 0;
z-index: 100;
box-shadow: var(--shadow-md);
}
.header-content {
max-width: 1200px;
margin: 0 auto;
padding: 0 24px;
}
.header h1 {
font-size: 28px;
font-weight: 500;
color: var(--text);
margin-bottom: 8px;
}
.header p {
font-size: 14px;
color: var(--text-secondary);
font-weight: 300;
}
.container {
max-width: 1200px;
margin: 0 auto;
padding: 32px 24px;
}
.info-banner {
background: linear-gradient(135deg, #4d65ff 0%, #8b5cf6 100%);
color: white;
padding: 24px;
border-radius: 8px;
margin-bottom: 32px;
box-shadow: var(--shadow-lg);
border: 1px solid rgba(77, 101, 255, 0.3);
}
.info-banner h2 {
font-size: 18px;
font-weight: 500;
margin-bottom: 12px;
}
.info-banner p {
font-size: 14px;
line-height: 1.6;
opacity: 0.95;
font-weight: 300;
}
.credits {
background: rgba(255,255,255,0.15);
padding: 16px;
border-radius: 6px;
margin-top: 16px;
font-size: 13px;
border-left: 3px solid rgba(255,255,255,0.5);
}
.search-card {
background: var(--card-bg);
padding: 24px;
border-radius: 8px;
margin-bottom: 24px;
box-shadow: var(--shadow-md);
border: 1px solid var(--border);
}
.search-box {
width: 100%;
padding: 14px 16px;
font-size: 15px;
font-family: 'Roboto', sans-serif;
border: 1px solid var(--border);
border-radius: 6px;
outline: none;
transition: all 0.2s;
background: var(--bg);
color: var(--text);
}
.search-box:focus {
border-color: var(--primary);
background: var(--bg);
box-shadow: 0 0 0 3px rgba(77, 101, 255, 0.3);
}
.stats {
display: flex;
gap: 16px;
margin-top: 16px;
font-size: 13px;
color: var(--text-secondary);
flex-wrap: wrap;
}
.controls {
display: flex;
gap: 12px;
margin-bottom: 24px;
flex-wrap: wrap;
}
.btn {
padding: 10px 20px;
background: var(--card-bg);
color: var(--text);
border: 1px solid var(--border);
border-radius: 6px;
cursor: pointer;
font-size: 14px;
font-family: 'Roboto', sans-serif;
font-weight: 500;
transition: all 0.2s;
box-shadow: var(--shadow-sm);
}
.btn:hover {
background: var(--bg);
box-shadow: var(--shadow-md);
border-color: var(--primary);
}
.btn.primary {
background: var(--primary);
color: white;
border-color: var(--primary);
}
.btn.primary:hover {
background: var(--primary-dark);
border-color: var(--primary-dark);
}
.category {
background: var(--card-bg);
margin-bottom: 24px;
border-radius: 8px;
overflow: hidden;
box-shadow: var(--shadow-md);
border: 1px solid var(--border);
transition: all 0.3s;
}
.category.hidden {
display: none;
}
.category-header {
background: var(--card-bg);
padding: 20px 24px;
cursor: pointer;
display: flex;
justify-content: space-between;
align-items: center;
user-select: none;
border-bottom: 1px solid var(--border);
transition: background 0.2s;
}
.category-header:hover {
background: rgba(77, 101, 255, 0.1);
}
.category-title {
display: flex;
align-items: center;
gap: 12px;
}
.category-title h2 {
font-size: 18px;
font-weight: 500;
color: var(--text);
}
.category-icon {
font-size: 24px;
}
.tool-count {
background: var(--bg);
padding: 4px 12px;
border-radius: 12px;
font-size: 12px;
font-weight: 500;
color: var(--text-secondary);
}
.toggle-icon {
transition: transform 0.3s;
font-size: 20px;
color: var(--text-secondary);
}
.category.collapsed .toggle-icon {
transform: rotate(-90deg);
}
.category-content {
padding: 24px;
max-height: 5000px;
overflow: hidden;
transition: max-height 0.3s ease-out, padding 0.3s;
background: var(--bg);
}
.category.collapsed .category-content {
max-height: 0;
padding: 0 24px;
}
.category-description {
margin-bottom: 24px;
padding: 16px;
background: var(--card-bg);
border-radius: 6px;
font-size: 14px;
color: var(--text-secondary);
line-height: 1.6;
border-left: 3px solid var(--primary);
}
.tools-grid {
display: grid;
grid-template-columns: repeat(auto-fill, minmax(320px, 1fr));
gap: 16px;
}
.tool-card {
background: rgba(26, 19, 51, 0.6);
padding: 20px;
border-radius: 6px;
border: 1px solid var(--border);
cursor: pointer;
transition: all 0.2s;
}
.tool-card.hidden {
display: none;
}
.tool-card:hover {
box-shadow: var(--shadow-lg);
transform: translateY(-2px);
border-color: var(--primary);
background: rgba(77, 101, 255, 0.1);
}
.tool-card.expanded {
grid-column: 1 / -1;
}
.tool-name {
font-weight: 500;
font-size: 16px;
color: var(--text);
margin-bottom: 8px;
display: flex;
align-items: center;
gap: 8px;
}
.tool-name::before {
content: '';
width: 4px;
height: 16px;
background: var(--primary);
border-radius: 2px;
}
.tool-description {
font-size: 13px;
color: var(--text-secondary);
line-height: 1.5;
display: none;
margin-bottom: 16px;
}
.tool-card.expanded .tool-description {
display: block;
}
.attack-vectors {
display: none;
margin-top: 16px;
padding-top: 16px;
border-top: 1px solid var(--border);
}
.tool-card.expanded .attack-vectors {
display: block;
}
.attack-vectors h4 {
font-size: 13px;
font-weight: 500;
color: var(--accent);
margin-bottom: 12px;
text-transform: uppercase;
letter-spacing: 0.5px;
}
.attack-vectors ul {
margin-left: 20px;
font-size: 13px;
}
.attack-vectors li {
margin: 8px 0;
color: var(--text);
line-height: 1.5;
}
.default-creds {
display: none;
background: rgba(245, 158, 11, 0.15);
padding: 12px 16px;
border-radius: 6px;
margin-top: 12px;
font-size: 13px;
border-left: 3px solid var(--warning);
}
.tool-card.expanded .default-creds {
display: block;
}
.default-creds strong {
color: var(--text);
}
.warning-note {
background: rgba(245, 158, 11, 0.15);
border-left: 3px solid var(--warning);
padding: 16px 20px;
border-radius: 6px;
margin-bottom: 24px;
font-size: 14px;
}
.warning-note strong {
color: var(--text);
}
.resources-section {
background: var(--card-bg);
padding: 24px;
border-radius: 8px;
margin-bottom: 24px;
box-shadow: var(--shadow-md);
border: 1px solid var(--border);
}
.resources-section h3 {
font-size: 18px;
font-weight: 500;
margin-bottom: 20px;
color: var(--text);
}
.resources-section h4 {
font-size: 15px;
font-weight: 500;
margin-top: 24px;
margin-bottom: 12px;
color: var(--primary);
}
.resources-section ul {
margin-left: 20px;
font-size: 14px;
}
.resources-section li {
margin: 8px 0;
line-height: 1.6;
}
.resources-section p {
font-size: 14px;
line-height: 1.6;
margin-bottom: 12px;
color: var(--text-secondary);
}
.resources-section a {
color: var(--primary);
text-decoration: none;
transition: color 0.2s;
}
.resources-section a:hover {
color: var(--primary-dark);
text-decoration: underline;
}
.footer {
background: var(--card-bg);
padding: 24px;
border-radius: 8px;
margin-top: 32px;
text-align: center;
color: var(--text-secondary);
box-shadow: var(--shadow-md);
border: 1px solid var(--border);
font-size: 13px;
}
.toast {
position: fixed;
bottom: 24px;
right: 24px;
background: var(--text);
color: white;
padding: 12px 20px;
border-radius: 6px;
box-shadow: var(--shadow-lg);
opacity: 0;
transform: translateY(20px);
transition: all 0.3s;
z-index: 1000;
font-size: 14px;
}
.toast.show {
opacity: 1;
transform: translateY(0);
}
@media (max-width: 768px) {
.header h1 {
font-size: 22px;
}
.tools-grid {
grid-template-columns: 1fr;
}
.stats {
flex-direction: column;
gap: 8px;
}
.controls {
flex-direction: column;
}
.btn {
width: 100%;
}
}
</style>
</head>
<body>
<div class="header">
<div class="header-content">
<h1>DevOps Pipeline Attack Surface</h1>
<p>Interactive reference guide for penetration testing DevOps environments</p>
</div>
</div>
<div class="container">
<div class="info-banner">
<h2>Why Target DevOps?</h2>
<p>
DevOps platforms are target-rich environments with high-level permissions for managing credentials, creating infrastructure,
configuring systems, building code, and deploying applications to production. In a security landscape that places heavy scrutiny
on the endpoint, DevOps systems provide an opportunity to <strong>live off the land</strong> and escalate privileges while
maintaining operational security.
</p>
<div class="credits">
<strong>Credits:</strong> Big love to <strong>Tom and Colbert from Accenture (formerly FusionX)</strong> for chopping game about this!
</div>
</div>
<div class="search-card">
<input type="text" id="searchBox" class="search-box" placeholder="Search tools, attack vectors, or categories...">
<div class="stats">
<span id="visibleCount">Loading...</span>
<span>•</span>
<span id="toolCount"></span>
<span>•</span>
<span>Click any tool card to expand attack details</span>
</div>
</div>
<div class="controls">
<button class="btn primary" onclick="expandAllCategories()">Expand All Categories</button>
<button class="btn" onclick="collapseAllCategories()">Collapse All Categories</button>
<button class="btn primary" onclick="expandAllTools()">Expand All Tools</button>
<button class="btn" onclick="collapseAllTools()">Collapse All Tools</button>
</div>
<div id="categories"></div>
<div class="resources-section">
<h3>Additional Info</h3>
<h4>Key Takeaways</h4>
<ul>
<li><strong>New Attack Surface Perspective:</strong> Understanding DevOps & CI/CD pipelines from offensive and defensive viewpoints</li>
<li><strong>Targeted Reconnaissance:</strong> OPSEC-conscious privilege escalation, lateral movement, and RCE techniques</li>
<li><strong>Modern Red Teaming:</strong> No-install, browser-based attacks that focus on business logic abuse vs. implants/EDR bypasses</li>
</ul>
<h4>Target Audience</h4>
<p><strong>Beginner/Intermediate Level</strong> - Offensive and defensive security practitioners:</p>
<ul style="columns: 2; -webkit-columns: 2; -moz-columns: 2;">
<li>Red Team Operators</li>
<li>Penetration Testers</li>
<li>Application Security Specialists</li>
<li>Incident Responders</li>
<li>SOC/SIEM Analysts</li>
<li>Threat Hunters</li>
<li>Software Engineers</li>
<li>SREs & Cloud Admins</li>
</ul>
<h4>Additional Resources</h4>
<ul>
<li><a href="https://owasp.org/www-project-devsecops-guideline/" target="_blank">OWASP DevSecOps Guidelines</a></li>
<li><a href="https://github.com/TupleType/DevOops" target="_blank">DevOops - DevOps Security Testing Framework</a></li>
<li><a href="https://www.cidersecurity.io/top-10-ci-cd-security-risks/" target="_blank">Top 10 CI/CD Security Risks</a></li>
<li><a href="https://github.com/hahwul/DevSecOps" target="_blank">DevSecOps Resources Collection</a></li>
</ul>
</div>
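<div class="resources-section">
<h3>Worked example: exposed .git directories and secret scanning</h3>
<p>The Git card in the Source Code Management category describes three checks in prose: probe /.git/HEAD and tell 403 from 404, read .git/config for remote URLs that embed credentials, and grep git log -p output for secrets that were deleted in a later commit. The script below is an added example written for this guide; it is not code from the page's author or from git-dumper, GitHacker, gitleaks or truffleHog. The git log and .git/config it scans are constructed samples, and the regex rules are illustrative, not a complete ruleset.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed sample of what `git log -p` prints after an exposed repo has
# been restored: the secrets were removed in a later commit but survive in history.
SAMPLE_GIT_LOG = """\
commit 3f2a9c1
    ci: release bot uses ghp_0123456789abcdefghijABCDEFGHIJ012345

commit 8b1d044
    remove hardcoded credentials

-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-DB_PASSWORD = "Sup3rS3cret!"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
"""

# Constructed .git/config with credentials embedded in the remote URL.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:Passw0rd123@git.internal.example/app/backend.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Illustrative signatures only (gitleaks/truffleHog ship hundreds). The generic
# rule catches `password = "..."` style assignments of 8+ characters.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat":     re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat":     re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "private_key":    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assign": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}

def classify_git_exposure(status, body):
    """Interpret the response to GET /.git/HEAD. A 200 whose body starts with
    'ref:' is a dumpable repo; 403 means the directory exists but is blocked
    (still try /.git/config and object paths individually); anything else,
    including a soft-404 page served with 200, counts as absent."""
    if status == 200 and body.lstrip().startswith("ref:"):
        return "exposed"
    if status == 403:
        return "present-but-forbidden"
    return "absent"

def credentials_from_git_config(config_text):
    """(host, user, password) for every remote URL in .git/config that carries
    embedded credentials."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("url"):
            continue
        key, _, value = line.partition("=")
        if key.strip() != "url":
            continue
        parts = urlsplit(value.strip())
        if parts.username and parts.password:
            found.append((parts.hostname, parts.username, parts.password))
    return found

def scan_for_secrets(text):
    """(rule, matched text) for every hit. Feed it `git log -p` output so that
    secrets deleted in later commits are still caught."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, m.group(0)))
    return hits

if __name__ == "__main__":
    print(classify_git_exposure(200, "ref: refs/heads/main\n"))
    for hit in credentials_from_git_config(SAMPLE_GIT_CONFIG):
        print("remote credential:", hit)
    for rule, text in scan_for_secrets(SAMPLE_GIT_LOG):
        print("%-15s %s" % (rule, text))
```

<p>Against a live target, replace the constants with the output of git log -p and the contents of .git/config from the dumped repository. The soft-404 case matters in practice: many front ends answer every path with 200, so the classifier keys on the ref: line rather than on the status code alone.</p>
</div>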
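<div class="resources-section">
<h3>Worked example: auditing a GitHub Actions workflow for pull_request_target and script injection</h3>
<p>The GitHub card names two workflow mistakes: running on pull_request_target while checking out the pull request head (untrusted code runs with a write-capable GITHUB_TOKEN and repository secrets), and interpolating attacker-controlled event fields such as the PR title straight into a run step. The checker below is an added example written for this guide, not GitHub's own tooling or code from the page. Both workflows are constructed samples; the YAML handling is a line-based heuristic so no PyYAML is needed, and the list of untrusted event fields follows GitHub's published injection guidance but is not exhaustive.</p>

```python
import re

# Constructed workflow with both mistakes from the GitHub card.
VULNERABLE_WORKFLOW = """\
name: PR check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Echo title
        run: |
          echo "Checking ${{ github.event.pull_request.title }}"
          npm ci
      - run: npm test
"""

# Same job after the fixes: pull_request trigger (read-only token for forks),
# default checkout, and the untrusted value passed through an env var.
SAFE_WORKFLOW = """\
name: PR check
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $TITLE"
      - run: npm test
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_REF_RE = re.compile(
    r"ref:\s*(\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\})")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
# Event fields an outside contributor controls.
UNTRUSTED_EXPR_RE = re.compile(
    r"\$\{\{\s*github\.event\.(?:"
    r"pull_request\.(?:title|body|head\.ref|head\.label|head\.repo\.description)"
    r"|issue\.(?:title|body)|comment\.body|review\.body|review_comment\.body"
    r"|head_commit\.message|commits\[[^\]]*\]\.message|discussion\.(?:title|body)"
    r")\s*\}\}")

def indent_of(line):
    return len(line) - len(line.lstrip(" "))

def run_steps(text):
    """(line_no, script) for every run: key. Block scalars (run: |) are joined
    by indentation so multi-line scripts are scanned whole."""
    lines = text.splitlines()
    steps, i = [], 0
    while i != len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        line_no, base, value = i + 1, len(m.group(1)), m.group(2).strip()
        i += 1
        if value in ("|", "|-", "|+", ">", ">-", ">+"):
            body = []
            while i != len(lines) and (lines[i].strip() == "" or indent_of(lines[i]) > base):
                body.append(lines[i].strip())
                i += 1
            value = "\n".join(body)
        steps.append((line_no, value))
    return steps

def audit_workflow(text):
    """Findings as (kind, line, expression), sorted by line. Only expressions
    inside run: scripts are flagged; the same fields are equally dangerous in
    an actions/github-script 'script:' input, which this heuristic skips."""
    findings = []
    if TRIGGER_RE.search(text):
        for no, line in enumerate(text.splitlines(), 1):
            m = PR_HEAD_REF_RE.search(line)
            if m:
                findings.append(("untrusted_checkout_under_pull_request_target", no, m.group(1)))
    for line_no, script in run_steps(text):
        for m in UNTRUSTED_EXPR_RE.finditer(script):
            findings.append(("script_injection", line_no, m.group(0)))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for finding in audit_workflow(VULNERABLE_WORKFLOW):
        print("vulnerable:", finding)
    print("safe:", audit_workflow(SAFE_WORKFLOW))
```

<p>Run it over every file under .github/workflows/ of a target organisation's public repositories; a hit on the first rule is the classic route to secrets exfiltration from a fork, and a hit on the second is a shell injection that needs only a crafted PR title or issue comment.</p>
</div>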
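<div class="resources-section">
<h3>Worked example: probing Jira for anonymous information disclosure</h3>
<p>The Jira card lists several paths that leak data when anonymous access is misconfigured (popular filters, the user picker, ViewUserHover, dashboards) plus the groupuserpicker endpoint behind CVE-2019-8449. The probe below is an added example written for this guide, not code from the page or from Atlassian. The transport is injectable, so the run shown here uses constructed responses rather than captured traffic; the login-form markers it keys on are an assumption about what a redirected login page contains. The same pattern applies to the Confluence card's REST endpoints.</p>

```python
import json
import urllib.error
import urllib.request

# Endpoints from the Jira card that disclose data without a session.
JIRA_PROBES = {
    "popular_filters":   "/secure/ManageFilters.jspa?filterView=popular",
    "user_picker":       "/secure/popups/UserPickerBrowser.jspa",
    "user_hover":        "/secure/ViewUserHover.jspa?username=admin",
    "dashboards":        "/secure/Dashboard.jspa",
    "group_user_picker": "/rest/api/2/groupuserpicker?query=a&maxResults=1000",
}
# After urllib follows a redirect to the login page the status is still 200,
# so detect the login form instead of trusting the status code (assumed markers).
LOGIN_MARKERS = ("login.jsp", "login-form", "os_username")

def http_fetch(url, timeout=10):
    """Default transport: (status, body) for a GET."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def is_open(status, body):
    return status == 200 and not any(marker in body for marker in LOGIN_MARKERS)

def users_from_groupuserpicker(body):
    """Usernames from the JSON the groupuserpicker endpoint returns
    (CVE-2019-8449 when it answers without a session)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    users = data.get("users", {}).get("users", [])
    return [u.get("name") or u.get("key") for u in users if isinstance(u, dict)]

def probe_jira(base_url, fetch=http_fetch):
    """One entry per probe: status, whether it answered without a login wall,
    and for groupuserpicker the usernames it leaked."""
    base_url = base_url.rstrip("/")
    report = {}
    for name, path in JIRA_PROBES.items():
        status, body = fetch(base_url + path)
        entry = {"status": status, "open": is_open(status, body)}
        if name == "group_user_picker" and entry["open"]:
            entry["users"] = users_from_groupuserpicker(body)
        report[name] = entry
    return report

# Constructed responses standing in for a live server.
SAMPLE_BASE = "https://jira.example"
SAMPLE_RESPONSES = {
    "/secure/ManageFilters.jspa?filterView=popular":
        (200, "Popular filters: 'Prod credential rotation' (shared with: public)"),
    "/secure/popups/UserPickerBrowser.jspa":
        (200, "form id=login-form ... os_username"),
    "/secure/ViewUserHover.jspa?username=admin":
        (200, "Redirecting to /login.jsp"),
    "/secure/Dashboard.jspa":
        (200, "System Dashboard: Assigned to Me, Activity Stream"),
    "/rest/api/2/groupuserpicker?query=a&maxResults=1000":
        (200, json.dumps({"users": {"users": [
            {"name": "admin", "key": "admin", "displayName": "Administrator"},
            {"name": "jdoe", "key": "jdoe", "displayName": "Jane Doe"}],
            "total": 2}, "groups": {"groups": [], "total": 0}})),
}

def sample_fetch(url, timeout=10):
    return SAMPLE_RESPONSES.get(url[len(SAMPLE_BASE):], (404, ""))

if __name__ == "__main__":
    for name, entry in probe_jira(SAMPLE_BASE, sample_fetch).items():
        print(name, entry)
```

<p>Call probe_jira("https://jira.target.tld") with the default transport for a real run. Anything reported open is a finding in itself (anonymous browse permission) and the username list feeds password spraying and the user enumeration items on the card.</p>
</div>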
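<div class="resources-section">
<h3>Worked example: anonymous access and default credentials on Artifactory and Nexus</h3>
<p>The Artifactory and Nexus cards both list anonymous repository listing, anonymous deploy and vendor default credentials (admin:password and admin:admin123). The probe below is an added example written for this guide, not code from the page, JFrog or Sonatype. It uses the documented REST paths of each product (/artifactory/api/repositories and /artifactory/api/security/users; /service/rest/v1/repositories and /service/rest/v1/security/users on Nexus 3); the marker file path used for the deploy test is an assumption, and the responses in the run shown are constructed.</p>

```python
import base64
import json
import urllib.error
import urllib.request

# Vendor defaults from the two cards.
DEFAULT_CREDS = {"artifactory": ("admin", "password"), "nexus": ("admin", "admin123")}

ENDPOINTS = {
    "artifactory": {
        "list": "/artifactory/api/repositories",
        "admin_only": "/artifactory/api/security/users",
        "deploy": "/artifactory/{repo}/_pentest_probe/marker.txt",   # assumed marker path
    },
    "nexus": {
        "list": "/service/rest/v1/repositories",
        "admin_only": "/service/rest/v1/security/users",
        "deploy": None,   # Nexus upload paths are format-specific; not probed here
    },
}

def http_fetch(method, url, auth=None, data=None, timeout=10):
    """Default transport: (status, body); auth is a (user, password) tuple."""
    req = urllib.request.Request(url, data=data, method=method)
    if auth:
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def repo_keys(kind, body):
    """Repository identifiers from the listing JSON (Artifactory uses 'key',
    Nexus uses 'name')."""
    try:
        items = json.loads(body)
    except ValueError:
        return []
    field = "key" if kind == "artifactory" else "name"
    return [i[field] for i in items if isinstance(i, dict) and field in i]

def probe(base, kind, fetch=http_fetch, try_deploy=False):
    base = base.rstrip("/")
    ep = ENDPOINTS[kind]
    report = {"kind": kind, "anonymous_deploy": None}
    status, body = fetch("GET", base + ep["list"])
    report["anonymous_read"] = status == 200
    report["repositories"] = repo_keys(kind, body) if status == 200 else []
    status, _ = fetch("GET", base + ep["admin_only"], auth=DEFAULT_CREDS[kind])
    report["default_creds_valid"] = status == 200
    if try_deploy and ep["deploy"] and report["repositories"]:
        # This writes a marker file into the first repository: only with
        # authorisation, and it is removed again when the PUT succeeds.
        url = base + ep["deploy"].format(repo=report["repositories"][0])
        status, _ = fetch("PUT", url, data=b"pentest-probe")
        report["anonymous_deploy"] = status in (200, 201)
        if report["anonymous_deploy"]:
            fetch("DELETE", url)
    return report

# Constructed responses: an Artifactory that is wide open and a Nexus that
# allows anonymous listing but has had its default password changed.
SAMPLE_BASE = "https://repo.example"
SAMPLE = {
    ("GET", "/artifactory/api/repositories", None):
        (200, json.dumps([{"key": "libs-release-local", "type": "LOCAL"},
                          {"key": "npm-remote", "type": "REMOTE"}])),
    ("GET", "/artifactory/api/security/users", ("admin", "password")):
        (200, json.dumps([{"name": "admin"}])),
    ("PUT", "/artifactory/libs-release-local/_pentest_probe/marker.txt", None): (201, "{}"),
    ("DELETE", "/artifactory/libs-release-local/_pentest_probe/marker.txt", None): (403, ""),
    ("GET", "/service/rest/v1/repositories", None):
        (200, json.dumps([{"name": "maven-releases", "format": "maven2", "type": "hosted"}])),
    ("GET", "/service/rest/v1/security/users", ("admin", "admin123")): (401, ""),
}

def sample_fetch(method, url, auth=None, data=None, timeout=10):
    return SAMPLE.get((method, url[len(SAMPLE_BASE):], auth), (404, ""))

if __name__ == "__main__":
    print(probe(SAMPLE_BASE, "artifactory", sample_fetch, try_deploy=True))
    print(probe(SAMPLE_BASE, "nexus", sample_fetch, try_deploy=True))
```

<p>An anonymous listing alone is worth reporting (it exposes internal artifact names and often proprietary builds); anonymous deploy or valid default credentials turn the instance into a supply-chain injection point for every pipeline that pulls from it.</p>
</div>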
</div>
<div id="toast" class="toast"></div>
<script>
const devOpsTools = [
{
category: "Knowledge Bases",
icon: "",
description: "Documentation and knowledge management platforms often containing sensitive information, credentials, and architecture details.",
tools: [
{
name: "SharePoint",
description: "Microsoft's enterprise content management platform. Often contains sensitive documentation, credentials in documents, and architecture diagrams.",
attackVectors: [
"Search for exposed credentials in documents",
"Enumerate user lists via API",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2025-53770' target='_blank'>CVE-2025-53770</a> (CVSS 9.8) - Unauthenticated deserialization RCE in on-premises SharePoint Server (ToolShell chain), exploited in the wild",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2025-49706' target='_blank'>CVE-2025-49706</a>, <a href='https://nvd.nist.gov/vuln/detail/CVE-2025-49704' target='_blank'>CVE-2025-49704</a> - ToolShell vulnerabilities for RCE",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-29357' target='_blank'>CVE-2023-29357</a> - JWT spoofing and privilege escalation",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-24955' target='_blank'>CVE-2023-24955</a> - Remote code execution vulnerability",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-21318' target='_blank'>CVE-2024-21318</a> - Authenticated remote code execution",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-0604' target='_blank'>CVE-2019-0604</a> - Deserialization RCE in SharePoint",
"Anonymous access misconfiguration - check guest access policies",
"API misconfigurations allowing data exfiltration",
"Access control bypass via crafted URLs",
"Extract metadata from documents",
"Look for .aspx shells if write access obtained"
],
defaultCreds: "Check for default admin accounts or service accounts"
},
{
name: "Confluence",
description: "Atlassian's wiki and collaboration platform. Treasure trove of architecture docs, passwords, and API keys.",
attackVectors: [
"Search for 'password', 'api key', 'secret', 'token' in content",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-22527' target='_blank'>CVE-2023-22527</a> (CVSS 10.0) - OGNL injection pre-auth RCE (CRITICAL)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-22515' target='_blank'>CVE-2023-22515</a> - Broken access control: unauthenticated attackers can create administrator accounts",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-26134' target='_blank'>CVE-2022-26134</a> - OGNL injection RCE in Webwork",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-26084' target='_blank'>CVE-2021-26084</a> - OGNL injection vulnerability",
"Anonymous access misconfiguration - check space permissions",
"Permission bypass via direct object references",
"REST API enumeration without authentication",
"Extract attachments with credentials",
"Enumerate users and groups via /rest/api/user/search",
"Exported space archives containing sensitive data"
],
defaultCreds: "No vendor default; the setup wizard creates the first admin, so try admin:admin and other weak choices"
},
{
name: "MediaWiki",
description: "Open-source wiki software. Can expose sensitive internal documentation.",
attackVectors: [
"Check Special:Version for software versions",
"Enumerate users via API (api.php?action=query&list=allusers)",
"Search page history for removed secrets",
"XSS vulnerabilities in various extensions and core",
"Permission bypass via special page access",
"File upload restrictions bypass - check for SVG, HTML uploads",
"SQL injection in older versions (pre-1.19)",
"Access restrictions bypass via direct file access",
"API abuse for content enumeration",
"Extension vulnerabilities (check installed extensions)"
],
defaultCreds: "Check for weak admin passwords"
},
{
name: "DokuWiki",
description: "Simple wiki system. Often misconfigured with public access.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-42758' target='_blank'>CVE-2024-42758</a> - XSS vulnerability in indexmenu plugin",
"Stored XSS via SVG file uploads",
"Directory traversal vulnerabilities",
"Arbitrary file disclosure via ../../../ in URLs",
"Authentication bypass in older versions",
"Check data/pages/ for raw wiki content if exposed",
"ACL misconfiguration - default world-readable pages",
"Plugin vulnerabilities (100+ plugins available)",
"Remote file inclusion in templates"
],
defaultCreds: "Initial setup may have weak passwords"
},
{
name: "Notion",
description: "Modern workspace and documentation tool. Cloud-based, often shared publicly.",
attackVectors: [
"Enumerate publicly shared pages",
"Google dorking for exposed Notion pages",
"API token extraction from integrations",
"Check for overshared workspaces",
"Leaked workspace URLs in GitHub"
]
},
{
name: "TikiWiki",
description: "Full-featured wiki and CMS. Complex with many features and attack surfaces.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-15906' target='_blank'>CVE-2020-15906</a> (CVSS 9.3) - Authentication bypass vulnerability",
"File upload vulnerabilities leading to RCE",
"Unrestricted file upload via file gallery",
"SQL injection (historical issues in search and filters)",
"Authentication bypass via parameter manipulation",
"XSS in various modules (wiki pages, forums, blogs)",
"CSRF leading to code execution",
"PHP code injection via template system",
"Shell upload via file gallery with .php/.phtml extensions"
]
},
{
name: "Wiki.js",
description: "Modern, lightweight wiki built on Node.js. Growing in popularity.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-34710' target='_blank'>CVE-2024-34710</a> - Client-side template injection vulnerability",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-23654' target='_blank'>CVE-2022-23654</a> - Path prediction leading to RCE",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-1681' target='_blank'>CVE-2022-1681</a> - Authentication bypass vulnerability",
"GraphQL API enumeration via /graphql endpoint",
"JWT token manipulation and signature bypass",
"Check for exposed GraphQL playground at /graphql",
"Authentication bypass via API direct access",
"File upload vulnerabilities in asset management",
"Server-side template injection in Markdown renderer",
"Authorization bypass via GraphQL mutations"
],
defaultCreds: "No vendor default; the first administrator is created in the setup wizard, so check for weak or example accounts"
}
]
},
{
category: "Dev & Project Management",
icon: "",
description: "Project tracking and management tools containing sprint info, user stories, and often credentials in tickets.",
tools: [
{
name: "Jira",
description: "Atlassian's issue tracking and project management. Gold mine for credentials, API keys, and internal info.",
attackVectors: [
"Search for 'password', 'credentials', 'token', 'api key' in tickets",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-22501' target='_blank'>CVE-2023-22501</a> (CVSS 9.4) - Authentication bypass in Jira Service Management",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-22523' target='_blank'>CVE-2023-22523</a> - RCE in Assets Discovery agent",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-8451' target='_blank'>CVE-2019-8451</a> - SSRF in Gadgets Servlet",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-8449' target='_blank'>CVE-2019-8449</a> - User enumeration via GroupUserPicker API",
"Template injection RCE at /secure/ContactAdministrators!default.jspa",
"Dashboard/filter permission misconfiguration - check for public visibility",
"User enumeration via /secure/ViewUserHover.jspa",
"Information disclosure via /secure/Dashboard.jspa",
"User picker disclosure at /secure/popups/UserPickerBrowser.jspa",
"Public filters at /secure/ManageFilters.jspa?filterView=popular",
"Extract attachments with secrets",
"JQL queries against projects with anonymous browse permission to pull issues in bulk",
"SSRF in OAuth plugin and Mobile Plugin"
],
defaultCreds: "No vendor default; the setup wizard creates the first admin, so try admin:admin and other weak choices"
},
{
name: "Trello",
description: "Kanban-style project management. Often has public boards with sensitive info.",
attackVectors: [
"January 2024 data exposure - an unauthenticated REST API let an attacker link email addresses to 15M accounts",
"Unauthenticated API enumeration - board discovery via email",
"XSS vulnerability (OBB-593048) in trello.com",
"Improper access control (OBB-632913)",
"Enumerate public boards via company name using Google dorking",
"API key extraction from browser/mobile apps",
"OAuth token theft",
"Public board information disclosure - check board visibility settings",
"Search for credentials in card descriptions and attachments",
"Webhook manipulation for data exfiltration",
"API abuse for user email to username association"
]
},
{
name: "Redmine",
description: "Open-source project management. Can contain sensitive project data.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-47259' target='_blank'>CVE-2023-47259</a>, <a href='https://nvd.nist.gov/vuln/detail/CVE-2023-47260' target='_blank'>CVE-2023-47260</a>, <a href='https://nvd.nist.gov/vuln/detail/CVE-2023-47258' target='_blank'>CVE-2023-47258</a> - XSS vulnerabilities",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-44637' target='_blank'>CVE-2022-44637</a> - Persistent XSS in Textile formatter",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-44030' target='_blank'>CVE-2022-44030</a> - File download permission bypass (any Issue/Wiki attachment)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-18890' target='_blank'>CVE-2019-18890</a> - SQL injection in older versions (pre-3.3.10)",
"File upload bypass - circumvent allowed filename extensions",
"XSS via thumbnails, Textile formatter, and Markdown formatter",
"Default credentials on fresh installs",
"API key enumeration via /users.json",
"Repository browser for code access without auth",
"Insufficient permission checks on attachments"
],
defaultCreds: "admin:admin"
}
]
},
{
category: "Source Code Management (SCM)",
icon: "",
description: "Version control systems - the crown jewels. Source code, commit history, and often hardcoded secrets.",
tools: [
{
name: "Git",
description: "Distributed version control. Exposed .git directories are a goldmine.",
attackVectors: [
"Exposed .git directories (/.git/) - check for 403 vs 404",
"git-dumper for recursive .git extraction, even when directory listing is disabled",
"GitHacker - complete repo restoration including stash and tags",
"Search commit history for secrets (git log -p)",
"Check .git/config for remote URLs with hardcoded credentials",
"Extract credentials from reflog and stash",
"Search for removed secrets in commit history",
"truffleHog / gitleaks for secret scanning across the full history",
"API keys, AWS keys, passwords in commit messages",
"Developer emails and usernames from git log",
"Static code analysis on extracted source",
"Forced browsing with dirsearch/dirb to find .git"
]
},
{
name: "GitHub",
description: "Cloud-based Git hosting. API access, actions, and secrets management.",
attackVectors: [
"GitHub dorking for exposed credentials",
"Enumerate repositories via API",
"GitHub Actions pull_request_target misconfiguration - execute untrusted code",
"GitHub Actions workflow_run privilege escalation",
"Script injection via unsanitized PR/issue data in workflows",
"Secrets exfiltration via workflow manipulation",
"Artifact poisoning during workflow transfers",
"Self-hosted runner compromise",
"GITHUB_TOKEN abuse for lateral movement",
"Personal Access Token (PAT) abuse",
"SSH key extraction from commits",
"GitHub Pages misconfigurations",
"OAuth app token theft",
"Branch protection bypass",
"Code search for API keys, passwords"
]
},
{
name: "GitLab",
description: "Self-hosted Git platform with CI/CD. Often contains sensitive CI variables.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2025-25291' target='_blank'>CVE-2025-25291</a> & <a href='https://nvd.nist.gov/vuln/detail/CVE-2025-25292' target='_blank'>CVE-2025-25292</a> (CRITICAL) - SAML authentication bypass",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2025-27407' target='_blank'>CVE-2025-27407</a> (CVSS 9.0) - RCE via Ruby graphql library",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-6385' target='_blank'>CVE-2024-6385</a> (CVSS 9.6) - Trigger pipelines as another user under certain circumstances",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-7028' target='_blank'>CVE-2023-7028</a> - Account takeover vulnerability",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-2884' target='_blank'>CVE-2022-2884</a> - Authenticated RCE via GitHub import API",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2021-22205' target='_blank'>CVE-2021-22205</a> (CVSS 10.0) - Pre-auth RCE via ExifTool",
"CI/CD variable extraction from .gitlab-ci.yml",
"API token enumeration",
"Repository enumeration",
"GitLab Runner token abuse",
"SSRF via import features",
"Arbitrary file read vulnerabilities",
"Container registry credential theft",
"Pipeline secrets extraction",
"Job artifacts containing secrets"
],
defaultCreds: "root:5iveL!fe (legacy installs); newer installs write the initial root password to /etc/gitlab/initial_root_password"
},
{
name: "Bitbucket",
description: "Atlassian's Git solution. Integrated with Jira and other Atlassian products.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-36804' target='_blank'>CVE-2022-36804</a> (CVSS 9.8) - Command injection via git --exec argument",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-43781' target='_blank'>CVE-2022-43781</a> (CRITICAL) - Command injection via environment variables derived from an attacker-controlled username",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-38819' target='_blank'>CVE-2024-38819</a> (CVSS 7.5) - Path traversal via Spring WebMVC",
"Servlet filter bypass (pre-auth) - affects versions before 7.6.16",
"Command injection in API endpoints (requires read access)",
"API key extraction",
"Repository enumeration",
"Pipeline variable extraction",
"SSH key harvesting from commits",
"Webhook manipulation for data exfiltration",
"Branch permission bypass",
"Public repository access abuse"
]
},
{
name: "Subversion (SVN)",
description: "Centralized version control. Less common but still used in legacy systems.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-45720' target='_blank'>CVE-2024-45720</a> (CVSS 8.2) - Windows command injection via character encoding",
"Exposed .svn directories",
"SVN enumeration tools (svn-extractor)",
"Unauthenticated repository access",
"Commit log analysis for secrets",
"WebDAV vulnerabilities if exposed via mod_dav_svn",
"Filename control character validation bypass"
]
},
{
name: "CVS",
description: "Legacy version control. Rarely seen but occasionally encountered.",
attackVectors: [
"Exposed CVS repositories",
"Unauthenticated access",
"CVS pserver vulnerabilities",
"Historical data extraction"
]
},
{
name: "Azure DevOps Server",
description: "Microsoft's DevOps platform. Includes repos, pipelines, artifacts.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2025-29813' target='_blank'>CVE-2025-29813</a> (CVSS 10.0) - Privilege escalation over network (CRITICAL)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-20667' target='_blank'>CVE-2024-20667</a> - RCE with Queue Build permissions in pipelines",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2023-36561' target='_blank'>CVE-2023-36561</a> - Pipeline secrets and elevated permissions access",
"SSRF vulnerabilities including CRLF injection and DNS rebinding",
"Azure Service Tags firewall bypass",
"Personal Access Token (PAT) abuse",
"Pipeline secrets extraction",
"Service connection credentials theft",
"API enumeration",
"Build variable extraction",
"Azure DevOps Services API abuse",
"Repository enumeration",
"Pipelines that run automatically on untrusted fork pull requests without a review gate (zero-click CI/CD)"
]
}
]
},
{
category: "Repository Management",
icon: "",
description: "Artifact and package repositories. Can contain backdoored packages, credentials, and sensitive binaries.",
tools: [
{
name: "Artifactory",
description: "JFrog's universal artifact repository. Stores builds, dependencies, Docker images.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2022-0668' target='_blank'>CVE-2022-0668</a> (CVSS 9.8) - Authentication bypass leading to privilege escalation",
"Insecure deserialization RCE (versions < 7.36.1/6.23.41)",
"Arbitrary file write leading to RCE (versions < 7.76.2)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-19937' target='_blank'>CVE-2019-19937</a> - SSRF vulnerability",
"Zip Slip vulnerability - arbitrary file write via archive extraction",
"Anonymous access misconfiguration - check admin panel settings",
"Anonymous deploy access - test with an unauthenticated PUT (curl -T) of a harmless file to a repository path, then delete it",
"API key extraction from environment variables",
"Default credentials (admin:password)",
"Docker registry credential theft",
"Artifact upload for supply chain attacks",
"Repository enumeration without authentication",
"Backup file access (.backup files)",
"Proprietary software artifact download from exposed instances"
],
defaultCreds: "admin:password"
},
{
name: "Nexus",
description: "Sonatype's repository manager. Manages Maven, npm, Docker, and more.",
attackVectors: [
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-5082' target='_blank'>CVE-2024-5082</a> - RCE via malicious Maven artifact (Nexus 2.x up to 2.15.1)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-5083' target='_blank'>CVE-2024-5083</a> - Stored XSS via Maven artifact payloads",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-4956' target='_blank'>CVE-2024-4956</a> - Path traversal (unauthenticated file disclosure, versions < 3.68.1)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-5764' target='_blank'>CVE-2024-5764</a> - Static hard-coded encryption passphrase (versions < 3.73.0)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2020-10199' target='_blank'>CVE-2020-10199</a> - JavaEL injection RCE",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-7238' target='_blank'>CVE-2019-7238</a> - RCE in versions < 3.15.0",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-9629' target='_blank'>CVE-2019-9629</a> - Default credentials (admin:admin123)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2019-9630' target='_blank'>CVE-2019-9630</a> - Unauthenticated read permissions on repositories",
"Default credentials (admin:admin123)",
"Anonymous repository access misconfiguration",
"API token extraction",
"Malicious package upload for supply chain attacks",
"Docker registry credential access",
"NPM package hijacking and typosquatting",
"Repository enumeration without authentication",
"Private artifact exposure"
],
defaultCreds: "admin:admin123"
},
{
name: "AWS Package Manager",
description: "AWS CodeArtifact for package management in AWS.",
attackVectors: [
"IAM policy misconfiguration leading to privilege escalation",
"IAM user permission to create new policy versions for admin access",
"Compromised credentials with CodeArtifact access",
"Package repository enumeration via API",
"Supply chain attacks via malicious package injection",
"AWS API key extraction (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)",
"Cross-account repository access misconfigurations",
"Resource-based policy exploitation",
"Vulnerable dependency hosting without scanning",
"EventBridge/Lambda bypass for malicious package upload"
]
},
{
name: "Cloudsmith",
description: "Cloud-native package management. Multi-format support.",
attackVectors: [
"API key extraction from CI/CD pipelines",
"Repository enumeration without authentication",
"Package upload for supply chain attacks (npm, Docker, Python, Maven)",
"Public repository exposure - check visibility settings",
"Webhook manipulation for data exfiltration",
"Malicious package upload (90+ missed CVEs in Docker containers)",
"SBOM metadata-only scanning bypass",
"Missing SAST/secrets detection in scans",
"Security misconfiguration detection gaps",
"CVE prioritization absence leading to alert fatigue",
"npm credential harvesting (GITHUB_TOKEN, NPM_TOKEN)",
"CI/CD workflow injection for credential exfiltration",
"Self-propagating malware in packages (Shai-Hulud attacks)"
]
}
]
},
{
category: "Build Servers",
icon: "",
description: "CI/CD build platforms. Critical targets - compromise here = code execution in production pipeline.",
tools: [
{
name: "Jenkins",
description: "Most popular CI/CD server. Highly extensible, often misconfigured. High-value target.",
attackVectors: [
"Unauthenticated access (no security configured)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-23897' target='_blank'>CVE-2024-23897</a> (CVSS 9.8) - <a href='https://www.jenkins.io/security/advisory/2024-01-24/' target='_blank'>Arbitrary file leak to RCE</a>",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-23898' target='_blank'>CVE-2024-23898</a> - WebSocket hijacking (CSWSH)",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2024-43044' target='_blank'>CVE-2024-43044</a> - RCE in Jenkins agents",
"<a href='https://nvd.nist.gov/vuln/detail/CVE-2025-53652' target='_blank'>CVE-2025-53652</a> - RCE affecting 15k+ servers with security off",
"Script console RCE (if authenticated) - <a href='https://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6' target='_blank'>Groovy reverse shells</a>",
"Groovy script injection via /script endpoint",
"Allow users to sign up misconfiguration",
"Anonymous read permission misconfiguration",
"Credentials plugin extraction",
"Build job manipulation",
"Pipeline code injection",
"Plugin vulnerabilities (1000+ plugins)",