Kumar Ashwin

[email protected]

Attacking CI/CD Environments

Training
Attacking CI/CD Environments
NULLCON 2024 - Hyderabad Edition 2024-05-02 - 2024-05-02 HICC - Hyderabad International Convention Center
Audience: Security Professionals Duration: 3 days
Co-presenters: Anant Shrivastava
CI/CD Attack Software Supply Chain

CI/CD systems are obnoxiously present and sprayed across modern enterprise environments. With the current world focusing on faster delivery, and faster production CI/CD has taken a prominent role in the development world. Rapid adoption of these technologies has meant that a lot of the security precautions are thrown out of the window and insecure by default settings are in place.

In this course, we take an approach from basics to advanced guidance. We start with understanding how CI/CD systems work under the hood and then understand their position in a corporate IT environment. We focus on exploiting both self-hosted environments as well as SaaS-based environments.

Day 1: Overview of CI/CD Environments

  • Definition and importance of CI/CD
  • Key components of CI/CD pipelines
  • Source control, Build automation, Testing, Deployment, Monitoring
  • CI/CD in the software development life cycle (SDLC)
  • Introduction to CI/CD Attacks
  • Common attack vectors in CI/CD environments
  • Real-world examples of CI/CD attacks
  • CI/CD Attacks in Different Environments (GitHub, Jenkins, GitLab CI, Travis CI)

Day 2: Environment Specific Attacks (GitHub)

  • Initial Accesses & Conditions
  • Enumeration Strategies
  • GitHub way of CI/CD Systems
  • Insecure Defaults
  • Context Injection
  • Custom Runner Misconfigurations
  • Workflow Manipulation
  • Malicious Action Creation & Injection
  • Secret Exposure
  • Un-authz Workflow Executions
  • Workflow Bypass Techniques
  • Webhooks and External Integrations Abuse
  • Secrets in CI/CD Logs

Day 3: Environment Specific Attacks (Jenkins & GitLab CI)

  • Jenkinsfile Tampering
  • Unauthorized Access and Privilege Escalation
  • Plugin Vulnerabilities Exploitation
  • Build Script Manipulation
  • Build Artifacts Tampering
  • Script Console Abuse
  • Jenkins API Exploitation
  • Pipeline Configuration Tampering
  • Job Script Manipulation
  • API Token and Credentials Exposure
  • Build Artifacts Manipulation
  • Runner Exploitation
  • Cloud Providers CI/CD Systems’ Attack Vectors
  • Using CI/CD Systems as Attacker’s Tools