This tool is designed to help you test firewalls and network boundaries by masquerading traffic to appear as if it's originating from different datacenters around the world.
Modern cloud environments often have trust boundaries (such as allowing all traffic from the same datacenter) that are weak and can be easily bypassed. This has become a more prevalent issue as cloud platform popularity has increased.
Common misconfigurations of trust boundaries can be tested with this tool.
This tool currently checks access differences for URLs (HTTP/HTTPS). It does not perform protocol-level checks, such as port scanning to identify differences in open ports across providers.
The following checks will be supported:
| Provider Name | Identifier | Status |
|---|---|---|
| GitHub Actions | github |
Supported |
| GitLab CI | gitlab |
Supported |
| Bitbucket Pipelines | bitbucket |
Supported |
| AWS API Gateway | aws |
Supported |
| SSH/AWS EC2 | ec2 |
Supported |
| Cloudflare Workers | cloudflare |
Supported |
| Azure Functions | azure |
Not yet supported |
Run the tool using the following command syntax:
./newtowner --provider github --urls urls.txt
For AWS API-Gateway by default, it will use the closest datacenter to your target URLs but this can be overridden using --region flag.
Modify configuration.json in the root of this directory. Here's a complete example with all available configuration options:
{
// Github Provider
"github_pat": "YOUR_GITHUB_PAT",
"github_owner": "assetnote",
"github_repo": "newtowner",
"github_default_branch": "main",
// Gitlab Provider
"gitlab_pat": "YOUR_GITLAB_PAT",
"gitlab_project_id": "your-project-id",
"gitlab_pipeline_ref": "main",
"gitlab_artifact_job_name": "your-job-name",
"gitlab_pipeline_trigger_token": "optional-trigger-token",
"gitlab_default_branch": "main",
// Bitbucket Provider
"bitbucket_workspace": "your-workspace-name",
"bitbucket_repo_slug": "your-repository-name",
"bitbucket_pipeline_ref": "main",
"bitbucket_access_token": "your-workspace-access-token",
// AWS API Gateway Provider
"aws_access_key_id": "YOUR_AWS_ACCESS_KEY",
"aws_secret_access_key": "YOUR_AWS_SECRET_KEY",
// Cloudflare Workers Provider
"cloudflare_account_id": "YOUR_CLOUDFLARE_ACCOUNT_ID",
"cloudflare_api_token": "YOUR_CLOUDFLARE_API_TOKEN",
"cloudflare_worker_url": "https://your-worker.your-subdomain.workers.dev",
// AWS EC2 Provider
"ssh_host": "your-ssh-host",
"ssh_port": 22,
"ssh_user": "your-ssh-user",
"ssh_private_key_path": "path/to/private/key",
"ssh_passphrase": "your-key-passphrase",
"ec2_host": "your-ec2-host",
"ec2_port": 22,
"ec2_user": "your-ec2-user",
"ec2_private_key_path": "path/to/ec2/private/key",
"ec2_passphrase": "your-ec2-key-passphrase"
}
Note: remove the lines documenting the provider specific json because it will count as invalid json.
Note: You only need to configure the settings for the providers you plan to use. The example above shows all available options.
To use Newtowner with GitHub Actions:
.github/workflows/newtowner_check.yml.newtowner-github-actions).repo and workflow.configuration.json: In your fork/clone's root, add:
json
{
"github_pat": "YOUR_GENERATED_PAT",
"github_owner": "your-github-username-or-org",
"github_repo": "newtowner", // Or your fork's name
"github_default_branch": "main"
}bash
./newtowner --provider github --urls urls.txtTo use Newtowner with GitLab CI:
1. Add Newtowner to GitLab: Fork/clone the repo to your GitLab instance and enable CI/CD (config: .gitlab-ci.yml).
2. Create Tokens:
- Access Token: Create a PAT or Project Token with api scope
- Pipeline Trigger: Add a trigger token in Project Settings > CI/CD
3. Configure configuration.json: Add settings to your local clone:
json
{
"gitlab_pat": "YOUR_PAT_OR_PROJECT_ACCESS_TOKEN",
"gitlab_project_id": "your-gitlab-project-id-for-newtowner",
"gitlab_pipeline_ref": "main",
"gitlab_artifact_job_name": "http_check_job", // Must match job in .gitlab-ci.yml
"gitlab_pipeline_trigger_token": "YOUR_PIPELINE_TRIGGER_TOKEN",
"gitlab_default_branch": "main"
}
4. Run Newtowner:
bash
./newtowner --provider gitlab --urls urls.txt
To use Newtowner with Bitbucket Pipelines:
newtowner_bitbucket_accessRead & Write), Repositories (Read), Runners (Read & Write)configuration.json: In your local Newtowner repository clone (from Bitbucket), add:
json
{
"bitbucket_workspace": "your-bitbucket-workspace-name",
"bitbucket_repo_slug": "newtowner", // Your fork/clone's slug
"bitbucket_pipeline_ref": "main",
"bitbucket_access_token": "YOUR_APP_PASSWORD_OR_ACCESS_TOKEN"
}bash
./newtowner --provider bitbucket --urls urls.txtTo allow Newtowner to interact with AWS services, you need to provide an Access Key ID and a Secret Access Key.
1. Navigate to Security Credentials:
2. Create Access Key:
3. Save Credentials:
.csv file or copy both keys to a secure locationconfiguration.json file in the aws_access_key_id and aws_secret_access_key fieldsThe EC2 provider compares HTTP responses from an EC2 instance and a secondary SSH host to detect trust boundary bypasses across network locations.
To use the EC2 provider, you need to configure SSH access for both the EC2 instance and a comparison SSH host. The configuration supports both key-based and passphrase-protected SSH keys.
Note the EC2 instance's hostname/IP and SSH port (default: 22)
Comparison SSH Host Setup:
Note the SSH host's hostname/IP and SSH port (default: 22)
SSH Key Configuration:
json
{
"ec2_host": "your-ec2-hostname-or-ip",
"ec2_port": 22,
"ec2_user": "ec2-user",
"ec2_private_key_path": "path/to/ec2/private/key",
"ec2_passphrase": "optional-key-passphrase",
"ssh_host": "your-comparison-hostname-or-ip",
"ssh_port": 22,
"ssh_user": "ssh-user",
"ssh_private_key_path": "path/to/ssh/private/key",
"ssh_passphrase": "optional-key-passphrase"
}Run the tool with the EC2 provider:
./newtowner --provider ec2 --urls urls.txt
The tool will: 1. Connect to both the EC2 instance and comparison SSH host 2. Execute HTTP checks from both locations 3. Compare the responses to identify potential trust boundary bypasses 4. Auto-detect and display geographic information for both hosts 5. Clean up temporary files after each check
To use Newtowner with Cloudflare Workers:
Account:read and Workers Scripts:editSave the token securely
Deploy Worker: ```bash # Install Wrangler (Cloudflare CLI) npm install -g wrangler
# Login to Cloudflare wrangler login
# Deploy the worker cd .cloudflare wrangler deploy --compatibility-date 2024-01-01 ```
Configure configuration.json:
json
{
"cloudflare_account_id": "your-account-id-here",
"cloudflare_api_token": "your-api-token-here",
"cloudflare_worker_url": "https://newtowner-worker.your-subdomain.workers.dev"
}
Run Newtowner:
bash
./newtowner --provider cloudflare --urls urls.txt
Note: If you leave cloudflare_worker_url empty, Newtowner will automatically deploy the worker for you.
Jordan Macey - Assetnote
$ claude mcp add newtowner \
-- python -m otcore.mcp_server <graph>