Cloud Security Testing (/test-cloud)¶
Tests for cloud-specific vulnerabilities including S3/GCS/Azure Blob misconfiguration, subdomain takeover via stale DNS records, extended cloud metadata exploitation (beyond basic SSRF), Kubernetes secret exposure, Firebase insecure rules, CI/CD container escape detection, and advanced techniques from HackerOne disclosed reports.
Scope Routing¶
| Scope | Sections | Focus |
|---|---|---|
storage |
A (A1-A3b) + J | S3/GCS/Azure bucket discovery and permission testing, Prow CI S3 path traversal, exposed cloud consoles and dashboards |
takeover |
B (B1) + K (K1-K4) | Subdomain takeover via stale CNAMEs (30+ service fingerprints), FQDN trailing dot bypass, R2.dev subdomain takeover, dangling cloud instance IP reuse, librsvg SVG memory leak |
k8s-cicd |
C (C1-C2) + D (D1-D2) + E (E1-E2) + F (F1-F2) + G + H + I | Cloud metadata deep dive (AWS IMDSv1/v2, GCP, Azure), K8s dashboard/secrets/configmap exposure, Firebase RTDB/Firestore insecure rules, CI/CD container escape detection, K8s StorageClass SSRF, K8s aggregated API redirect attack, K8s SSRF-to-RCE escalation chain |
Coverage¶
Cloud Storage (Section A)¶
- S3 Bucket Discovery -- Pattern-based extraction of S3/GCS/Azure references from JS files, API responses, and page source. Regex matching for
*.s3.amazonaws.com,storage.googleapis.com/*,*.blob.core.windows.net,gs://,s3://, ARN patterns. - S3 Permission Testing -- Anonymous listing (ListBucketResult), non-existent bucket detection (NoSuchBucket = potential takeover), access denied verification.
- Bucket Name Guessing -- Domain-derived bucket name patterns:
{base},{base}-dev,{base}-staging,{base}-prod,{base}-backup,{base}-assets, etc. - Prow CI S3 Path Traversal -- Encoded
?(%3f) injection to bypass signed URL path restrictions in Kubernetes Prow CI systems.
Subdomain Takeover (Section B + K)¶
- Stale CNAME Detection -- Checks all recon subdomains for dangling CNAME records pointing to unclaimed services. 30+ service fingerprints: S3, GitHub Pages, Heroku, Shopify, Fastly, Netlify, Vercel, Azure, Render, Fly.io, and more.
- FQDN Trailing Dot Bypass (K1) -- RFC 1034 trailing dot (
example.com.) to bypass CORS origin validation and redirect URL checks. HackerOne #1086108, $3,100 bounty. - R2.dev Takeover (K2) -- Cloudflare R2 storage subdomain takeover when bucket deleted but DNS/CDN references remain. HackerOne #1700276, $1,100 bounty.
- Dangling Cloud IP (K3) -- DNS A records pointing to released Elastic IPs/static IPs in AWS/GCP/Azure ranges.
- SVG Memory Leak (K4) -- librsvg uninitialized memory leak via crafted SVG files exposing server memory (AWS creds, cookies). HackerOne #2107680, $8,900 bounty.
Cloud Metadata (Section C)¶
- AWS IMDSv1 -- Direct metadata access at
169.254.169.254without authentication. - AWS IMDSv2 -- Token-based metadata probing (PUT request for session token).
- GCP Metadata --
metadata.google.internalwithMetadata-Flavor: Googleheader. - Azure Metadata --
169.254.169.254withMetadata: trueheader.
Kubernetes (Sections D, G, H, I)¶
- K8s Dashboard Exposure (D1) -- Probing
/api/v1,/api/v1/secrets,/dashboard/,/metrics, and common K8s ports (8001, 8443, 6443, 10250, 10255, 2379). - Environment Variable Leakage (D2) -- K8s env var patterns in responses (KUBERNETES_SERVICE_HOST, POD_NAME, etc.).
- StorageClass SSRF (G) -- GlusterFS provisioner
resturlparameter enabling control plane SSRF. - Aggregated API Redirect (H) -- Compromised aggregated API servers returning 302 redirects to capture kube-apiserver Bearer tokens.
- SSRF-to-RCE Chain (I) -- Full chain: SSRF to GCP metadata to kube-env to Kubelet certs to pod listing to service account tokens to exec.
Firebase (Section E)¶
- Config Extraction (E1) -- Firebase configuration from page source, JS files, and Android APK strings.xml.
- Insecure Rules (E2) -- Realtime Database anonymous read/write testing, Firestore collection enumeration, common collection name brute-force.
CI/CD (Section F)¶
- Container Escape Detection (F1) -- Checking for exposed container files (
.dockerenv,/proc/1/cgroup, Docker socket, K8s service account token). - Secret Exposure (F2) -- CI/CD environment variables leaked in error pages (GITHUB_TOKEN, AWS_ACCESS_KEY_ID, CI_JOB_TOKEN, etc.).
Cloud Consoles (Section J)¶
- Exposed Files -- AWS credentials, Docker env, Terraform state/vars, Ansible config, CI/CD configs (GitHub Actions, GitLab CI, Jenkinsfile), serverless configs.
Key Sections¶
| Section | ID | Description |
|---|---|---|
| S3 Bucket Discovery | A1 | Regex-based extraction of cloud storage references. |
| S3 Permission Testing | A2 | Anonymous listing, existence detection, access denied verification. |
| Bucket Name Guessing | A3 | Domain-derived naming patterns. |
| Prow CI Path Traversal | A3b | Encoded ? injection on Prow CI S3 signed URLs. |
| Subdomain Takeover | B1 | Stale CNAME detection with 30+ service fingerprints. |
| AWS/GCP/Azure Metadata | C1-C2 | IMDSv1, IMDSv2, GCP, Azure metadata testing. |
| K8s Exposure | D1-D2 | Dashboard, secrets, configmap, port scanning, env var leakage. |
| Firebase Security | E1-E2 | Config extraction, insecure RTDB/Firestore rules. |
| CI/CD Escape | F1-F2 | Container files, CI secret exposure. |
| K8s StorageClass SSRF | G | GlusterFS provisioner SSRF. |
| K8s API Redirect | H | Aggregated API token capture via redirect. |
| K8s SSRF-to-RCE | I | Full escalation chain detection. |
| Cloud Consoles | J | Exposed cloud config and credential files. |
| H1 Techniques | K1-K4 | FQDN dot bypass, R2.dev takeover, dangling IP, SVG memory leak. |
| Summary | L | Finding compilation and severity summary. |
Model and Thinking Budget¶
| Component | Model | Rationale |
|---|---|---|
| Storage/takeover | Haiku | Pattern matching and systematic checks |
| K8s/metadata | Sonnet | Chain reasoning for escalation paths |
| Firebase | Haiku | Procedural rule testing |
Kill Switch¶
| Limit | Value |
|---|---|
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
| DNS queries | Rate-limited to avoid detection |
AI Decision Points¶
Two [AI-DECISION] markers:
- Cloud Provider Fingerprinting -- Fingerprint cloud provider from response headers, DNS records, IP ranges, and response patterns. Select provider-specific tests (AWS metadata, GCP service accounts, Azure managed identity).
- Subdomain Takeover Verification -- Verify dangling DNS records by checking CNAME targets. Only report takeover if the target service actually allows registration of the dangling subdomain.
Dangerous Mode Gate¶
Firebase Write Test
Firebase write access testing (E2) is gated behind the --dangerous flag since it writes to an external service. Read access testing always runs.
Context Integration¶
This skill reads from multiple sources:
- context.json -- Cloud provider detection from tech stack, SSRF findings for chaining.
- Recon output --
recon/all-subdomains.txtfor subdomain takeover detection. - SSRF results --
logs/ssrf-results.txtfor metadata chain detection. - JS analysis --
discovery/js-analysis/for cloud storage references.
Safety¶
- All tests are read-only. No bucket modification, no credential usage.
- Subdomain takeover is detection-only -- never claim a dangling subdomain.
- Cloud metadata: stop at credential endpoint, document what was readable, never use discovered credentials.
- K8s: document accessible endpoints, never attempt to extract secret contents.
- Firebase write tests require
--dangerousflag.