Keeping a Jenkins Recon Pipeline Stable Over Time
TL;DR Stability is a feature, not an afterthought. Bounded runtimes, retention, and simple recovery paths matter as much as the scan logic. A recon pipeline should stay boring...
Here I collect posts about development, tools, and experiments.
TL;DR Automation only helps if the review loop stays small. I want a quick daily pass and a slightly deeper weekly pass. The goal is to triage changes, not to re-read the whole...
At the beginning, most of this setup lived in my head, in shell history, or in blog posts describing what I wanted the platform to become. That was useful for thinking, but it was...
One of the more useful changes in vault-ops was not about PKI itself. It was about script layout. Repo: https://github.com/blade-34242/vault-ops The Problem Over time, automation...
TL;DR Scanning everything every time creates noise fast. New and changed services are usually the highest-value scan targets. Selective inputs improve runtime and make findings...
This is the short version of the current state. Repo: GitHub: https://github.com/blade-34242/vault-ops The Core Shape The platform is built around a few hard boundaries: an offline...
TL;DR Recon gets much more useful once you keep state between runs. The main output I care about is not a raw snapshot. It is the diff. Plain text state files are enough if the...
One of the smaller decisions that matters more than it looks is image pinning. It is very easy to say: "Just use latest." That is also a good way to create avoidable...
TL;DR Do not probe thousands of hosts in one burst unless you really need to. Chunking spreads load, reduces failures, and keeps each run small enough to inspect. A simple pointer...
Once Forgejo looked usable, the next serious question was not deployment. It was restore. That is usually the more honest test of whether a self-hosted service is operational. The...
One of the clearer decisions in the Forgejo work came from failure rather than design purity. I wanted to run the Forgejo runner in a container at first. That sounds symmetrical...
Running Forgejo privately only really works if the access model stays practical. That means two things have to feel normal: opening the web UI, and using Git over SSH. I did not...
Once the basic Forgejo deployment path was clear, the next obvious question was how to handle secrets. I did not want Forgejo to become the exception in a system where other stacks...
TL;DR One giant job looks simple until it breaks. Separate jobs make retries, logs, and state much easier to handle. The handoff between jobs should be files, not hidden...
When I started thinking seriously about self-hosting Forgejo, I did not want the first step to be "put another public service on the internet." I wanted the first step to...
TL;DR Split recon into three jobs with one responsibility each. Keep the handoff between jobs file-based and easy to inspect. Prefer steady daily coverage over one giant noisy...
By mid-March, the Matrix work had stopped being only about getting services to start. The real question became: How do I operate several related stacks without turning staging and...
One of the more useful debugging sessions in this period came from a simple symptom: small uploads worked, larger uploads did not. That sounds like a single setting problem. It was...
Adding Matrix Authentication Service was one of those changes that looked conceptually clean and then immediately forced me to separate several different problems. At a high level,...
One of the clearer lessons from this phase was that working chat does not automatically mean working calls. For newer Matrix client flows, Synapse plus TURN was not enough. To get...
Once the base Matrix stack existed, the next step was obvious: stop leaving important secrets in static files and environment variables. The target pattern was the same one I had...
I spent the end of February turning Matrix from a rough idea into a real stack layout. The main goal was not just "run Synapse." It was to run it in the same style as the...
Why Vault Can Say Invalid Token and Permission Denied at the Same Time This was one of those errors that looks contradictory until you think about how the script is actually...
TL;DR Clarify scope first, then work systematically. User input + RSC or dangerouslySetInnerHTML = high XSS risk. postMessage without origin checks is almost always a bug. 0. Scope...
TL;DR Unit tests and build passed; Playwright timed out on multiple UI steps. The failures cluster around config import/export and sidebar interactions. Next step is to harden...
This final part covers: (6) Proxy CA chain refresh (6b) Proxy stack restart (systemd --user) (2b) Vault server container restart (7) Vault TLS healthcheck that ended with...
This part covers the workload-facing rotations: agent login mTLS certs (Vault Agent via auth/cert) app leaf cert rotation (per-app nginx-* roles + reload) Apps in scope: two...
This part covers the first two rotations from the run: Admin client cert (mTLS to Vault) Vault server TLS cert (listener cert) These are the control-plane certs. If they fail,...
TL;DR Build a matrix over Nextcloud branches and PHP versions. Checkout Nextcloud server + app sources, then sync the app into the server tree. Run JS unit tests, build assets,...
This series documents a full production-style rotation workflow and why the order matters more than the individual commands. What this post focuses on: dependency chain (what...
Caido is a modern web security proxy built for speed and day-to-day usability. If you’re coming from tools like Burp or ZAP, the core workflow will feel familiar—intercept traffic,...
TL;DR Check v-html usage and any dynamic bindings like :href, :src, :style, :class. Look for open redirects in vue-router (e.g. ?redirect= or #/...). Inspect Vuex/localStorage...
TL;DR Check common Tomcat entry points: :8080, /manager/html, /host-manager/html. Identify version from error pages, headers, or default pages. Test default creds and auth bypasses...
This Is Just the Starting Point Even after designing PKI, Vault, proxies, and basic app layouts, I still see this as the beginning of the lab, not the end. There are many...
I Don’t Sit in One Place I’m not building this in a neat office with a stable on-prem network. I move: between countries, between apartments and Airbnbs, between different network...
TL;DR app listens on container loopback sidecar exposes a narrow ingress point for the app environment proxy forwards to the sidecar path main gateway forwards to the environment...
Even a Personal VPS Deserves a Threat Model This is “just” my VPS, but: it holds real data (Nextcloud, notes), it hosts sensitive systems (Vault, PKI), it’s reachable from the...
My Brain Is Not a Reliable Runbook When I change anything important in this setup (Vault config, PKI, proxies), it’s easy to miss steps: forget a reload, skip a test, break...
Yes, I Locked Myself Out More than once, I managed to: enforce mTLS on Vault, let important client certs expire, and then stare at tls: expired certificate errors. This wasn’t fun,...
TL;DR Only the main gateway exposes 80/443. Internal ports are loopback-only. TLS is hardened and logs are split by status. Rate limits and health endpoints are in place. Controls...
Why I Want Two Nextclouds I don’t just want “a cloud drive”. I want: one test instance where I can break things, one prod instance where I store real personal data. Both should: be...
TL;DR Okta is an IDaaS provider for SSO, MFA, and user provisioning. Most issues come from misconfiguration, not Okta itself. Focus on redirect handling, token validation, and SCIM...
Why I Want a VPN in Front of Everything Public SSH on the internet is manageable, but I’d rather: connect to my VPS through a VPN (like IPsec), expose fewer direct services, and...
My SSH Entry Should Not Be the Weakest Link All of this infra sits behind one obvious entry point: SSH to the VPS. So I want SSH to be: key-based only, ideally bound to my VPN...
TL;DR OAuth is about delegated access, not authentication by itself. Most bugs come from redirect URI, token validation, and scope handling. Always validate state, nonce, aud, iss,...
Why Android Matters to Me More and more targets have mobile apps that are tightly integrated with their backend APIs. If I only test the web front-end, I miss a big part of the...
How I Like to Look at HTTP Traffic For bug bounty and security testing, I want a flexible stack: a proxy I can send traffic through (proxify), an interactive UI for manual work...
TL;DR OAuth is a delegation protocol; authentication is layered on top. The authorization code flow is the standard for web apps. The client exchanges a code for tokens, then calls...
Why I Want a Dedicated Recon Node As a bug bounty hunter, I don’t want to run everything from my laptop. A VPS can be: a stable, always-on recon box, a place to run scans over...
TL;DR traffic flows from gateway to environment proxy to sidecar to app the environment proxy only publishes to host loopback the sidecar is the only direct ingress to the app...
Logs as My Second Brain With multiple services (Vault, proxies, apps, agents) running under different Unix users, logs can easily end up scattered: /home/*/containers/.../logs,...
Vault mTLS for App Agents and Proxy Trust The useful distinction in my setup was not just "use mTLS with Vault." It was deciding which components needed what kind of...
End-to-End PKI and TLS Automation Abstract This post describes the pipeline I ended up with for certificates and trust distribution: an offline root, environment-specific...
No More Hardcoded Secrets Current implementation: GitHub: https://github.com/blade-34242/vault-ops I don’t want: app containers with static DB passwords baked in, environment...
TL;DR validate the app behind the sidecar and environment proxy first only then wire it into the main gateway keep the gateway focused on TLS termination, host routing, and headers...
Why I Don’t Want Just One Big Nginx I could put a single Nginx on the VPS and let it handle everything. But I want clearer layers: a public-facing entry proxy, internal...
Unix Users as Security Boundaries On a single VPS, I don’t have multiple physical machines, but I can still use: Unix users, file permissions, rootless Podman, to approximate...
Podman Global Configuration for Rootless Services The main design choice was simple: one Unix user per app or service, with rootless Podman as the default runtime model. That only...
TL;DR wildcard certificates need DNS-01 create the TXT record exactly as your DNS provider expects verify propagation before continuing the challenge remember that manual DNS-01...
I Don’t Want to Live on the Root Token Current implementation: GitHub: https://github.com/blade-34242/vault-ops Vault gives you a root token at initialization. It’s tempting to...
Quick Commands # edit + deploy git status git add -A git commit -m "docs: update" git push # rebuild static blog output (local) cd site npm ci --no-audit --no-fund npm...
TL;DR Know the common private, CGNAT, and link-local ranges. Use IPv6 ranges explicitly during recon; they are often less protected. For bug bounty, prioritize public netblocks,...
Current Source Of Truth The current implementation is documented in: GitHub: https://github.com/blade-34242/vault-ops README:...
Rotation Can’t Be an Afterthought Creating certificates once is easy. Remembering to rotate them before they expire is the real work. In my setup I have: admin mTLS certs with...
TL;DR Use a simple { __typename } query to detect GraphQL. Use graphw00f to fingerprint implementations. Quick Detection curl -X POST http://target/graphql \ -H 'Content-Type:...
Why I Wrote a Certificate Health Script I did not want certificate expiry to be something I discovered only after services started failing. So I wrote a small inventory-style...
Security Concept Summary The security model is not based on one magic control. It is a stack of smaller boundaries: public traffic enters through a hardened gateway internal proxy...
Why I Need a Break-Glass Option If all Vault listeners require valid client certificates and my admin cert expires, I’m locked out. That’s secure, but it’s also dangerous if I...
Manual Wildcard Certificates with DNS-01 The useful lesson here was simple: if I want wildcard certificates, DNS-01 is the practical path. HTTP-01 is fine for single public...
The Problem: mTLS Everywhere, No Way In One of the first real-world problems I hit with my PKI/Vault setup was simple and brutal: Vault listeners require mTLS...
TL;DR Recon: find endpoints and enable introspection. DoS: deep recursion, batching, aliases, and fragments. AuthZ: field-level and object-level access checks. Recon Detect GraphQL...
Why I Wanted My Own PKI I wanted something between two extremes: random self-signed certificates created by hand whenever a service needed TLS a public-web mindset where everything...
NGINX Reverse Proxy and Sidecar Pattern This is the routing pattern I ended up trusting for isolated app workloads on one VPS. Internet -> public gateway -> environment proxy...
TL;DR keep the portal hostname separate from the main app hostname preserve Host and forwarded protocol headers across the proxy chain make the application aware of both the main...
Why I Care About Structure on a Single VPS I don’t want my VPS to be “just a box that runs containers”. I want it to feel like a small, real infrastructure: clear separation...
Git and Shared SSH Agent Setup I did not want every local service user on the VPS to have its own copy of Git credentials. The cleaner model was: one host-side Git identity one...
TL;DR Rootful offers simpler networking but higher exposure risk. Rootless is safer but needs explicit forwarding and mTLS. For VPS and multi-user setups, host forwarder + mTLS is...
Container Networking Options for a Multi-User VPS The useful question was not "what networking modes exist?" It was "which one fits a VPS where different Unix users...
What I Want From My VPS and Vault This post was the starting point. The current implementation now lives in: GitHub: https://github.com/blade-34242/vault-ops This whole project is...
TL;DR Cache-Control shows max age. Age shows current cached age. X-Cache or CF-Cache-Status indicates hit/miss. Detection Signals Cache-Control: max-age=... Age: ... X-Cache:...
TL;DR Aura uses JSON payloads with message and aura.context. Many issues come from parameter tampering and over-permissive Apex methods. Focus on classname, method, and params in...
TL;DR Cache poisoning targets shared cache entries. Look for unkeyed headers or params that affect the response. Verify that poisoned content is served to other users. What It Is...
TL;DR Trick the cache into storing dynamic, sensitive responses. Exploit path parsing discrepancies between cache and origin. Use cache busters to avoid stale data while testing....
TL;DR A takeover happens when a subdomain points to an unclaimed external service. Look for dangling CNAMEs to SaaS providers. Confirm by matching known error messages and claiming...
TL;DR Request smuggling happens when frontend and backend parse Content-Length and Transfer-Encoding differently. Classic case: frontend uses CL, backend uses TE (CL.TE). Look for...
TL;DR CSWSH is CSRF on WebSocket handshakes. If the handshake relies only on cookies, a malicious site can open a WS as the victim. Impact includes unauthorized actions and data...
TL;DR Windows/IIS labs often live in 192.168.x.0/24 or 10.0.0.0/8 ranges. Azure defaults show up as 10.0.0.0/24. If you have XSS or SSRF, target common internal ranges first....
TL;DR Focus on introspection, authz gaps, and query limits. Test batching and persisted query policy. Keep payloads small and in scope. Test Snippets 1) Introspection enabled curl...
TL;DR Start with curl to understand the app, then scale with ffuf and nuclei. Always record requests/responses for later (headers, auth, cookies). Don’t brute force blindly—be...
TL;DR Use a simple, repeatable pipeline: discover → probe → crawl → scan. Store every stage as a file so you can diff, resume, and avoid re-running noisy steps. Prefer target lists...
TL;DR Start with traffic interception; it gives the biggest return fastest. Don’t fight the tooling—keep a repeatable baseline setup. Document every device/emulator change (you...
TL;DR Prefer rsync for anything bigger than a single file. Avoid hardcoding IPs/users in scripts; use ~/.ssh/config hosts. For “copy only if missing”, use rsync --ignore-existing...
TL;DR Use a proxy for understanding; use reproducible requests for reporting. Save raw requests and keep them minimal (strip noise, keep essentials). Automate only after you...
TL;DR Recon is a loop, not a one-off: collect → triage → investigate → repeat. Keep outputs versioned per run so you can spot what changed. Separate discovery (wide) from...