Pipeline Predators: Attacking CI/CD Environments (Virtual)
2-day virtual course (starting Thursday 24th of April)
CI/CD systems are obnoxiously present, sprayed across modern enterprise environments. With the industry focused on faster delivery and faster production, CI/CD has taken a prominent role in the development world. Rapid adoption of these technologies has meant that many security precautions are thrown out of the window and insecure default settings are left in place. We created this course to focus on attacking CI/CD environments as a way in for attackers.
In this course, we progress from the basics to advanced guidance. We start by understanding how CI/CD systems work under the hood, then their position in a corporate IT environment. We focus on exploiting both self-hosted and SaaS-based environments.
Course Structure
Overview of CI/CD Environments
Definition and importance of CI/CD
Key components of CI/CD pipelines
Source control
Build automation
Testing
Deployment
Monitoring
CI/CD in the software development life cycle (SDLC)
Introduction to CI/CD Attacks
Why do attackers target CI/CD pipelines?
Rapid deployment as an attack surface
Potential for automating attacks
Common attack vectors in CI/CD environments
Real-world examples of CI/CD attacks
CI/CD Attacks in Different Environments
GitHub
Jenkins
GitLab CI
Travis CI
Unique features and use cases
Comparative analysis of different CI/CD platforms
Environment Specific Attacks (GitHub)
Initial Access & Conditions
Enumeration Strategies
The GitHub Way of CI/CD Systems
Insecure Defaults
Context Injection
Custom Runner Misconfigurations
Workflow Manipulation
Malicious Action Creation & Injection
Secret Exposure
Unauthorized Workflow Executions
Workflow Bypass Techniques
Webhooks and External Integrations Abuse
Secrets in CI/CD Logs
Environment Specific Attacks (Jenkins)
Jenkinsfile Tampering
Unauthorized Access and Privilege Escalation
Plugin Vulnerabilities Exploitation
Build Script Manipulation
Build Artifacts Tampering
Script Console Abuse
Jenkins API Exploitation
Environment Specific Attacks (GitLab CI)
Pipeline Configuration Tampering
Job Script Manipulation
API Token and Credentials Exposure
Build Artifacts Manipulation
Runner Exploitation
Webhooks and External Integrations Abuse
Secrets in CI/CD Logs
Unauthorized Pipeline Execution
Misconfigured Job Dependencies
Insecure Container Images
Attack Vectors in Cloud Providers' CI/CD Systems
Insecure IAM
CI/CD Systems Misconfigurations
Cross-service Misconfigurations
Using CI/CD Systems as Attackers' Tools
C2
Stealth
The course will be followed by a Capture-The-Flag event on the last day of the training, where participants can apply what they have learned and hack a vulnerable-by-design environment.
Target Audience
Pentesters, security engineers, red team testers
Pre-requisites
The course assumes basic familiarity with CI/CD and pipeline concepts. Security tooling and specific pipeline details will be covered in the course.
Hardware requirements
Our labs are cloud-based, and a browser should be sufficient. However, we still suggest the following hardware specs:
Laptop with a working browser and unrestricted internet access (at least ports 80 and 443; some WebSocket connections might also be required).
We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required. As part of the program, participants will create accounts on platforms like GitHub and Bitbucket for hands-on activities. Clear instructions will be provided in advance, and creating these accounts is free of charge.
Trainer Bio
Anant Shrivastava is the founder of Cyfinoid Research. He has experience in Security (both offense and defense), Development, and Operations. He has a rich history of engagement with renowned conferences as both a trainer and a speaker, including Black Hat (USA, Asia, EU), Nullcon, and c0c0n, among others. Anant leads open-source projects, notably the Tamer Platform and CodeVigilant, and curates the Hacking Archives of India. When not engaged in official work, Anant contributes to open communities with a shared goal of spreading information security knowledge, such as the null community, Garage4Hackers, hasgeek, and OWASP.