Navigating Telegram’s Underworld: A Cipher for the Elite Hackers

In the encrypted depths of Telegram, far beyond the scrutiny of average netizens, lies a network pulsating with the lifeblood of the hacking elite. This isn’t your run-of-the-mill tutorial or a hacker’s 101 guide. This post is a deep dive into the abyss, mapping the veins of active and dormant channels that are the backbone of cyber threat intelligence and underground hacking operations.

The channels we’re dissecting today are not just communication lines; they are the hidden layers of the onion, each peel revealing more about the dark arts of digital dominance. From active dens where real-time data breaches, exploit trades, and botnet controls unfold, to the ghostly silence of channels once alive with the chatter of codes and hacks now lying dormant or expired - every link, every channel, serves as a node in the vast neural network of the global hacking community.

Active Channels: The Frontlines

Here, in the buzzing hive of active channels, you're as likely to find a zero-day exploit as you are a discussion on the latest evasion techniques. This isn't just about sharing tools or data; it's a relentless innovation race. Techniques, scripts, and methodologies discussed here are not for the faint-hearted but for those who command the terminal like it’s an extension of their mind.

Dormant/Expired Channels: The Archives

The silent corridors of expired channels are not just digital tombs; they are treasure troves of past operations, a testament to the ephemeral nature of digital power. Each one holds lessons, failures, and victories. They are the archives for those willing to learn from history to master the future.

Access The Repository

Read More

AzSubEnum - Azure Service Subdomain Enumeration

AzSubEnum is a specialized subdomain enumeration tool tailored for Azure services. This tool is designed to meticulously search and identify subdomains associated with various Azure services. Through a combination of techniques and queries, AzSubEnum delves into the Azure domain structure, systematically probing and collecting subdomains related to a diverse range of Azure services.

How it works?

AzSubEnum operates by leveraging DNS resolution techniques and systematic permutation methods to unveil subdomains associated with Azure services such as Azure App Services, Storage Accounts, Azure Databases (including MSSQL, Cosmos DB, and Redis), Key Vaults, CDN, Email, SharePoint, Azure Container Registry, and more. Its functionality extends to comprehensively scanning different Azure service domains to identify associated subdomains.

With this tool, users can conduct thorough subdomain enumeration within Azure environments, aiding security professionals, researchers, and administrators in gaining insights into the expansive landscape of Azure services and their corresponding subdomains.

Why i create this?

During my learning journey on Azure AD exploitation, I discovered that the Azure subdomain tool, Invoke-EnumerateAzureSubDomains from NetSPI, was unable to run on my Debian PowerShell. Consequently, I created a crude implementation of that tool in Python.

Usage

➜  AzSubEnum git:(main) ✗ python3 azsubenum.py --help
usage: azsubenum.py [-h] -b BASE [-v] [-t THREADS] [-p PERMUTATIONS]

Azure Subdomain Enumeration

options:
  -h, --help            show this help message and exit
  -b BASE, --base BASE  Base name to use
  -v, --verbose         Show verbose output
  -t THREADS, --threads THREADS
                        Number of threads for concurrent execution
  -p PERMUTATIONS, --permutations PERMUTATIONS
                        File containing permutations

Basic enumeration:

python3 azsubenum.py -b retailcorp --thread 10

Using permutation wordlists:

python3 azsubenum.py -b retailcorp --thread 10 --permutation permutations.txt

With verbose output:

python3 azsubenum.py -b retailcorp --thread 10 --permutation permutations.txt --verbose

Download AzSubEnum

Read More

NullSection - An Anti-Reversing Tool That Applies A Technique That Overwrites The Section Header With Nullbytes

NullSection is an Anti-Reversing tool that applies a technique that overwrites the section header with nullbytes.

Install

git clone https://github.com/MatheuZSecurity/NullSection
cd NullSection
gcc nullsection.c -o nullsection
./nullsection

Advantage

When running nullsection on any ELF, it could be .ko rootkit, after that if you use Ghidra/IDA to parse ELF functions, nothing will appear no function to parse in the decompiler for example, even if you run readelf -S / path /to/ elf the following message will appear "There are no sections in this file."

Make good use of the tool!

Note

We are not responsible for any damage caused by this tool, use the tool intelligently and for educational purposes only.

Download NullSection

Read More

WEB-Wordlist-Generator - Creates Related Wordlists After Scanning Your Web Applications

WEB-Wordlist-Generator scans your web applications and creates related wordlists to take preliminary countermeasures against cyber attacks.

Done

• [x] Scan Static Files.
• [ ] Scan Metadata Of Public Documents (pdf,doc,xls,ppt,docx,pptx,xlsx etc.)
• [ ] Create a New Associated Wordlist with the Wordlist Given as a Parameter.

Installation

From Git

git clone https://github.com/OsmanKandemir/web-wordlist-generator.git
cd web-wordlist-generator && pip3 install -r requirements.txt
python3 generator.py -d target-web.com

From Dockerfile

You can run this application on a container after build a Dockerfile.

docker build -t webwordlistgenerator .
docker run webwordlistgenerator -d target-web.com -o

From DockerHub

You can run this application on a container after pulling from DockerHub.

docker pull osmankandemir/webwordlistgenerator:v1.0
docker run osmankandemir/webwordlistgenerator:v1.0 -d target-web.com -o

Usage

-d DOMAINS [DOMAINS], --domains DOMAINS [DOMAINS] Input Multi or Single Targets. --domains target-web1.com target-web2.com
-p PROXY, --proxy PROXY Use HTTP proxy. --proxy 0.0.0.0:8080
-a AGENT, --agent AGENT Use agent. --agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
-o PRINT, --print PRINT Use Print outputs on terminal screen.

Download Web-Wordlist-Generator

Read More

CloudMiner - Execute Code Using Azure Automation Service Without Getting Charged

Execute code within Azure Automation service without getting charged

Description

CloudMiner is a tool designed to get free computing power within Azure Automation service. The tool utilizes the upload module/package flow to execute code which is totally free to use. This tool is intended for educational and research purposes only and should be used responsibly and with proper authorization.

• This flow was reported to Microsoft on 3/23 which decided to not change the service behavior as it's considered as "by design". As for 3/9/23, this tool can still be used without getting charged.

• Each execution is limited to 3 hours

Requirements

1. Python 3.8+ with the libraries mentioned in the file requirements.txt
2. Configured Azure CLI - https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
   • Account must be logged in before using this tool

Installation

pip install .

Usage

usage: cloud_miner.py [-h] --path PATH --id ID -c COUNT [-t TOKEN] [-r REQUIREMENTS] [-v]

CloudMiner - Free computing power in Azure Automation Service

optional arguments:
  -h, --help            show this help message and exit
  --path PATH           the script path (Powershell or Python)
  --id ID               id of the Automation Account - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Automation/a
                        utomationAccounts/{automationAccountName}
  -c COUNT, --count COUNT
                        number of executions
  -t TOKEN, --token TOKEN
                        Azure access token (optional). If not provided, token will be retrieved using the Azure CLI
  -r REQUIREMENTS, --requirements REQUIREMENTS
                        Path to requirements file to be installed and use by the script (relevant to Python scripts only)
  -v, --verbose         Enable verbose mode

Example usage

Python

Powershell

License

CloudMiner is released under the BSD 3-Clause License. Feel free to modify and distribute this tool responsibly, while adhering to the license terms.

Author - Ariel Gamrian

• LinkedIn - Ariel Gamrian

Download CloudMiner

Read More

BounceBack - Stealth Redirector For Your Red Team Operation Security

BounceBack is a powerful, highly customizable and configurable reverse proxy with WAF functionality for hiding your C2/phishing/etc infrastructure from blue teams, sandboxes, scanners, etc. It uses real-time traffic analysis through various filters and their combinations to hide your tools from illegitimate visitors.

The tool is distributed with preconfigured lists of blocked words, blocked and allowed IP addresses.

For more information on tool usage, you may visit project's wiki.

Features

• Highly configurable and customizable filters pipeline with boolean-based concatenation of rules will be able to hide your infrastructure from the most keen blue eyes.
• Easily extendable project structure, everyone can add rules for their own C2.
• Integrated and curated massive blacklist of IPv4 pools and ranges known to be associated with IT Security vendors combined with IP filter to disallow them to use/attack your infrastructure.
• Malleable C2 Profile parser is able to validate inbound HTTP(s) traffic against the Malleable's config and reject invalidated packets.
• Out of the box domain fronting support allows you to hide your infrastructure a little bit more.
• Ability to check the IPv4 address of request against IP Geolocation/reverse lookup data and compare it to specified regular expressions to exclude out peers connecting outside allowed companies, nations, cities, domains, etc.
• All incoming requests may be allowed/disallowed for any time period, so you may configure work time filters.
• Support for multiple proxies with different filter pipelines at one BounceBack instance.
• Verbose logging mechanism allows you to keep track of all incoming requests and events for analyzing blue team behaviour and debug issues.

Rules

BounceBack currently supports the following filters:

• Boolean-based (and, or, not) rules combinations
• IP and subnet analysis
• IP geolocation fields inspection
• Reverse lookup domain probe
• Raw packet regexp matching
• Malleable C2 profiles traffic validation
• Work (or not) hours rule

Custom rules may be easily added, just register your RuleBaseCreator or RuleWrapperCreator. See already created RuleBaseCreators and RuleWrapperCreators

Rules configuration page may be found here.

Proxies

At the moment, BounceBack supports the following protocols:

• HTTP(s) for your web infrastructure
• DNS for your DNS tunnels
• Raw TCP (with or without tls) and UDP for custom protocols

Custom protocols may be easily added, just register your new type in manager. Example proxy realizations may be found here.

Proxies configuration page may be found here.

Installation

Just download latest release from release page, unzip it, edit config file and go on.

If you want to build it from source, install goreleaser and run:

goreleaser release --clean --snapshot

Download BounceBack

Read More

PurpleKeep - Providing Azure Pipelines To Create An Infrastructure And Run Atomic Tests

With the rapidly increasing variety of attack techniques and a simultaneous rise in the number of detection rules offered by EDRs (Endpoint Detection and Response) and custom-created ones, the need for constant functional testing of detection rules has become evident. However, manually re-running these attacks and cross-referencing them with detection rules is a labor-intensive task which is worth automating.

To address this challenge, I developed "PurpleKeep," an open-source initiative designed to facilitate the automated testing of detection rules. Leveraging the capabilities of the Atomic Red Team project which allows to simulate attacks following MITRE TTPs (Tactics, Techniques, and Procedures). PurpleKeep enhances the simulation of these TTPs to serve as a starting point for the evaluation of the effectiveness of detection rules.

Automating the process of simulating one or multiple TTPs in a test environment comes with certain challenges, one of which is the contamination of the platform after multiple simulations. However, PurpleKeep aims to overcome this hurdle by streamlining the simulation process and facilitating the creation and instrumentation of the targeted platform.

Primarily developed as a proof of concept, PurpleKeep serves as an End-to-End Detection Rule Validation platform tailored for an Azure-based environment. It has been tested in combination with the automatic deployment of Microsoft Defender for Endpoint as the preferred EDR solution. PurpleKeep also provides support for security and audit policy configurations, allowing users to mimic the desired endpoint environment.

To facilitate analysis and monitoring, PurpleKeep integrates with Azure Monitor and Log Analytics services to store the simulation logs and allow further correlation with any events and/or alerts stored in the same platform.

TLDR: PurpleKeep provides an Attack Simulation platform to serve as a starting point for your End-to-End Detection Rule Validation in an Azure-based environment.

Requirements

The project is based on Azure Pipelines and requires the following to be able to run:

• Azure Service Connection to a resource group as described in the Microsoft Docs
• Assignment of the "Key Vault Administrator" Role for the previously created Enterprise Application
• MDE onboarding script, placed as a Secure File in the Library of Azure DevOps and make it accessible to the pipelines

Optional

You can provide a security and/or audit policy file that will be loaded to mimic your Group Policy configurations. Use the Secure File option of the Library in Azure DevOps to make it accessible to your pipelines.

Refer to the variables file for your configurable items.

Design

Infrastructure

Deploying the infrastructure uses the Azure Pipeline to perform the following steps:

• Deploy Azure services:
  • Key Vault
  • Log Analytics Workspace
  • Data Connection Endpoint
  • Data Connection Rule
• Generate SSH keypair and password for the Windows account and store in the Key Vault
• Create a Windows 11 VM
• Install OpenSSH
• Configure and deploy the SSH public key
• Install Invoke-AtomicRedTeam
• Install Microsoft Defender for Endpoint and configure exceptions
• (Optional) Apply security and/or audit policy files
• Reboot

Simulation

Currently only the Atomics from the public repository are supported. The pipelines takes a Technique ID as input or a comma seperate list of techniques, for example:

• T1059.003
• T1027,T1049,T1003

The logs of the simulation are ingested into the AtomicLogs_CL table of the Log Analytics Workspace.

There are currently two ways to run the simulation:

Rotating simulation

This pipeline will deploy a fresh platform after the simulation of each TTP. The Log Analytic workspace will maintain the logs of each run.

Warning: this will onboard a large number of hosts into your EDR

Single deploy simulation

A fresh infrastructure will be deployed only at the beginning of the pipeline. All TTP's will be simulated on this instance. This is the fastests way to simulate and prevents onboarding a large number of devices, however running a lot of simulations in a same environment has the risk of contaminating the environment and making the simulations less stable and predictable.

TODO

Must have

• Check if pre-reqs have been fullfilled before executing the atomic
• Provide the ability to import own group policy
• Cleanup biceps and pipelines by using a master template (Complete build)
• Build pipeline that runs technique sequently with reboots in between
• Add Azure ServiceConnection to variables instead of parameters

Nice to have

• MDE Off-boarding (?)
• Automatically join and leave AD domain
• Make Atomics repository configureable
• Deploy VECTR as part of the infrastructure and ingest results during simulation. Also see the VECTR API issue
• Tune alert API call to Microsoft Defender for Endpoint (Microsoft.Security alertsSuppressionRules)
• Add C2 infrastructure for manual or C2 based simulations

Issues

• Atomics do not return if a simulation succeeded or not
• Unreliable OpenSSH extension installer failing infrastructure deployment
• Spamming onboarded devices in the EDR

References

• Splunk's Attack Range
• Sp4rkCon 2023 - Continuous End-to-End Detection Validation and Reporting with Carrie Roberts
• Red Canary's Coalmine

Download PurpleKeep

Read More

BucketLoot - An Automated S3-compatible Bucket Inspector

BucketLoot is an automated S3-compatible Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

The tool can scan for buckets deployed on Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces and even custom domains/URLs which could be connected to these platforms. It returns the output in a JSON format, thus enabling users to parse it according to their liking or forward it to any other tool for further processing.

BucketLoot comes with a guest mode by default, which means a user doesn't needs to specify any API tokens / Access Keys initially in order to run the scan. The tool will scrape a maximum of 1000 files that are returned in the XML response and if the storage bucket contains more than 1000 entries which the user would like to run the scanner on, they can provide platform credentials to run a complete scan. If you'd like to know more about the tool, make sure to check out our blog.

Features

Secret Scanning

Scans for over 80+ unique RegEx signatures that can help in uncovering secret exposures tagged with their severity from the misconfigured storage bucket. Users have the ability to modify or add their own signatures in the regexes.json file. If you believe you have any cool signatures which might be helpful for others too and could be flagged at scale, go ahead and make a PR!

Sensitive File Checks

Accidental sensitive file leakages are a big problem that affects the security posture of individuals and organisations. BucketLoot comes with a 80+ unique regEx signatures list in vulnFiles.json which allows users to flag these sensitive files based on file names or extensions.

Dig Mode

Want to quickly check if any target website is using a misconfigured bucket that is leaking secrets or any other sensitive data? Dig Mode allows you to pass non-S3 targets and let the tool scrape URLs from response body for scanning.

Asset Extraction

Interested in stepping up your asset discovery game? BucketLoot extracts all the URLs/Subdomains and Domains that could be present in an exposed storage bucket, enabling you to have a chance of discovering hidden endpoints, thus giving you an edge over the other traditional recon tools.

Searching

The tool goes beyond just asset discovery and secret exposure scanning by letting users search for custom keywords and even Regular Expression queries which may help them find exactly what they are looking for.

Acknowledgements

• Black Hat USA 2023 [Arsenal]
• Black Hat MEA 2023 [Arsenal]
• Black Hat EU 2023 [Arsenal]

To know more about our Attack Surface Management platform, check out NVADR.

Download BucketLoot

Read More

Raven - CI/CD Security Analyzer

RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD) is a powerful security tool designed to perform massive scans for GitHub Actions CI workflows and digest the discovered data into a Neo4j database. Developed and maintained by the Cycode research team.

With Raven, we were able to identify and report security vulnerabilities in some of the most popular repositories hosted on GitHub, including:

• FreeCodeCamp (the most popular project on GitHub)
• Storybook (One of the most popular frontend frameworks)
• Fluent UI by Microsoft
• and much more

We listed all vulnerabilities discovered using Raven in the tool Hall of Fame.

What is Raven

The tool provides the following capabilities to scan and analyze potential CI/CD vulnerabilities:

• Downloader: You can download workflows and actions necessary for analysis. Workflows can be downloaded for a specified organization or for all repositories, sorted by star count. Performing this step is a prerequisite for analyzing the workflows.
• Indexer: Digesting the downloaded data into a graph-based Neo4j database. This process involves establishing relationships between workflows, actions, jobs, steps, etc.
• Query Library: We created a library of pre-defined queries based on research conducted by the community.
• Reporter: Raven has a simple way of reporting suspicious findings. As an example, it can be incorporated into the CI process for pull requests and run there.

Possible usages for Raven:

• Scanner for your own organization's security
• Scanning specified organizations for bug bounty purposes
• Scan everything and report issues found to save the internet
• Research and learning purposes

This tool provides a reliable and scalable solution for CI/CD security analysis, enabling users to query bad configurations and gain valuable insights into their codebase's security posture.

Why Raven

In the past year, Cycode Labs conducted extensive research on fundamental security issues of CI/CD systems. We examined the depths of many systems, thousands of projects, and several configurations. The conclusion is clear – the model in which security is delegated to developers has failed. This has been proven several times in our previous content:

• A simple injection scenario exposed dozens of public repositories, including popular open-source projects.
• We found that one of the most popular frontend frameworks was vulnerable to the innovative method of branch injection attack.
• We detailed a completely different attack vector, 3rd party integration risks, the most popular project on GitHub, and thousands more.
• Finally, the Microsoft 365 UI framework, with more than 300 million users, is vulnerable to an additional new threat – an artifact poisoning attack.
• Additionally, we found, reported, and disclosed hundreds of other vulnerabilities privately.

Each of the vulnerabilities above has unique characteristics, making it nearly impossible for developers to stay up to date with the latest security trends. Unfortunately, each vulnerability shares a commonality – each exploitation can impact millions of victims.

It was for these reasons that Raven was created, a framework for CI/CD security analysis workflows (and GitHub Actions as the first use case). In our focus, we examined complex scenarios where each issue isn't a threat on its own, but when combined, they pose a severe threat.

Setup && Run

To get started with Raven, follow these installation instructions:

Step 1: Install the Raven package

pip3 install raven-cycode

Step 2: Setup a local Redis server and Neo4j database

docker run -d --name raven-neo4j -p7474:7474 -p7687:7687 --env NEO4J_AUTH=neo4j/123456789 --volume raven-neo4j:/data neo4j:5.12
docker run -d --name raven-redis -p6379:6379 --volume raven-redis:/data redis:7.2.1

Another way to setup the environment is by running our provided docker compose file:

git clone https://github.com/CycodeLabs/raven.git
cd raven
make setup

Step 3: Run Raven Downloader

Org mode:

raven download org --token $GITHUB_TOKEN --org-name RavenDemo

Crawl mode:

raven download crawl --token $GITHUB_TOKEN --min-stars 1000

Step 4: Run Raven Indexer

raven index

Step 5: Inspect the results through the reporter

raven report --format raw

At this point, it is possible to inspect the data in the Neo4j database, by connecting http://localhost:7474/browser/.

Prerequisites

• Python 3.9+
• Docker Compose v2.1.0+
• Docker Engine v1.13.0+

Infrastructure

Raven is using two primary docker containers: Redis and Neo4j. make setup will run a docker compose command to prepare that environment.

Usage

The tool contains three main functionalities, download and index and report.

Download

Download Organization Repositories

usage: raven download org [-h] --token TOKEN [--debug] [--redis-host REDIS_HOST] [--redis-port REDIS_PORT] [--clean-redis] --org-name ORG_NAME

options:
  -h, --help            show this help message and exit
  --token TOKEN         GITHUB_TOKEN to download data from Github API (Needed for effective rate-limiting)
  --debug               Whether to print debug statements, default: False
  --redis-host REDIS_HOST
                        Redis host, default: localhost
  --redis-port REDIS_PORT
                        Redis port, default: 6379
  --clean-redis, -cr    Whether to clean cache in the redis, default: False
  --org-name ORG_NAME   Organization name to download the workflows

Download Public Repositories

usage: raven download crawl [-h] --token TOKEN [--debug] [--redis-host REDIS_HOST] [--redis-port REDIS_PORT] [--clean-redis] [--max-stars MAX_STARS] [--min-stars MIN_STARS]

options:
  -h, --help            show this help message and exit
  --token TOKEN         GITHUB_TOKEN to download data from Github API (Needed for effective rate-limiting)
  --debug               Whether to print debug statements, default: False
  --redis-host REDIS_HOST
                        Redis host, default: localhost
  --redis-port REDIS_PORT
                        Redis port, default: 6379
  --clean-redis, -cr    Whether to clean cache in the redis, default: False
  --max-stars MAX_STARS
                        Maximum number of stars for a repository
  --min-stars MIN_STARS
                        Minimum number of stars for a repository, default   : 1000

Index

usage: raven index [-h] [--redis-host REDIS_HOST] [--redis-port REDIS_PORT] [--clean-redis] [--neo4j-uri NEO4J_URI] [--neo4j-user NEO4J_USER] [--neo4j-pass NEO4J_PASS]
                   [--clean-neo4j] [--debug]

options:
  -h, --help            show this help message and exit
  --redis-host REDIS_HOST
                        Redis host, default: localhost
  --redis-port REDIS_PORT
                        Redis port, default: 6379
  --clean-redis, -cr    Whether to clean cache in the redis, default: False
  --neo4j-uri NEO4J_URI
                        Neo4j URI endpoint, default: neo4j://localhost:7687
  --neo4j-user NEO4J_USER
                        Neo4j username, default: neo4j
  --neo4j-pass NEO4J_PASS
                        Neo4j password, default: 123456789
  --clean-neo4j, -cn    Whether to clean cache, and index f   rom scratch, default: False
  --debug               Whether to print debug statements, default: False

Report

usage: raven report [-h] [--redis-host REDIS_HOST] [--redis-port REDIS_PORT] [--clean-redis] [--neo4j-uri NEO4J_URI]
                    [--neo4j-user NEO4J_USER] [--neo4j-pass NEO4J_PASS] [--clean-neo4j]
                    [--tag {injection,unauthenticated,fixed,priv-esc,supply-chain}]
                    [--severity {info,low,medium,high,critical}] [--queries-path QUERIES_PATH] [--format {raw,json}]
                    {slack} ...

positional arguments:
  {slack}
    slack               Send report to slack channel

options:
  -h, --help            show this help message and exit
  --redis-host REDIS_HOST
                        Redis host, default: localhost
  --redis-port REDIS_PORT
                        Redis port, default: 6379
  --clean-redis, -cr    Whether to clean cache in the redis, default: False
  --neo4j-uri NEO4J_URI
                           Neo4j URI endpoint, default: neo4j://localhost:7687
  --neo4j-user NEO4J_USER
                        Neo4j username, default: neo4j
  --neo4j-pass NEO4J_PASS
                        Neo4j password, default: 123456789
  --clean-neo4j, -cn    Whether to clean cache, and index from scratch, default: False
  --tag {injection,unauthenticated,fixed,priv-esc,supply-chain}, -t {injection,unauthenticated,fixed,priv-esc,supply-chain}
                        Filter queries with specific tag
  --severity {info,low,medium,high,critical}, -s {info,low,medium,high,critical}
                        Filter queries by severity level (default: info)
  --queries-path QUERIES_PATH, -dp QUERIES_PATH
                        Queries folder (default: library)
  --format {raw,json}, -f {raw,json}
                        Report format (default: raw)

Examples

Retrieve all workflows and actions associated with the organization.

raven download org --token $GITHUB_TOKEN --org-name microsoft --org-name google --debug

Scrape all publicly accessible GitHub repositories.

raven download crawl --token $GITHUB_TOKEN --min-stars 100 --max-stars 1000 --debug

After finishing the download process or if interrupted using Ctrl+C, proceed to index all workflows and actions into the Neo4j database.

raven index --debug

Now, we can generate a report using our query library.

raven report --severity high --tag injection --tag unauthenticated

Rate Limiting

For effective rate limiting, you should supply a Github token. For authenticated users, the next rate limiting applies:

• Code search - 30 queries per minute
• Any other API - 5000 per hour

Research Knowledge Base

• Issue Injections
• Pull Request Injections
• Workflow Run Injections
• CodeSee Injections

Current Limitations

• It is possible to run external action by referencing a folder with a Dockerfile (without action.yml). Currently, this behavior isn't supported.
• It is possible to run external action by referencing a docker container through the docker://... URL. Currently, this behavior isn't supported.
• It is possible to run an action by referencing it locally. This creates complex behavior, as it may come from a different repository that was checked out previously. The current behavior is trying to find it in the existing repository.
• We aren't modeling the entire workflow structure. If additional fields are needed, please submit a pull request according to the contribution guidelines.

Future Research Work

• Implementation of taint analysis. Example use case - a user can pass a pull request title (which is controllable parameter) to an action parameter that is named data. That action parameter may be used in a run command: - run: echo ${{ inputs.data }}, which creates a path for a code execution.
• Expand the research for findings of harmful misuse of GITHUB_ENV. This may utilize the previous taint analysis as well.
• Research whether actions/github-script has an interesting threat landscape. If it is, it can be modeled in the graph.

Want more of CI/CD Security, AppSec, and ASPM? Check out Cycode

If you liked Raven, you would probably love our Cycode platform that offers even more enhanced capabilities for visibility, prioritization, and remediation of vulnerabilities across the software delivery.

If you are interested in a robust, research-driven Pipeline Security, Application Security, or ASPM solution, don't hesitate to get in touch with us or request a demo using the form https://cycode.com/book-a-demo/.

Download Raven

Read More