Pipeline Predators: Attacking CI/CD Environments

Pipeline Predators: Attacking CI/CD Environments (Virtual)

2-day virtual course (starting Thursday 24th of April)

CI / CD systems are obnoxiously present and sprayed across modern enterprise environments. With the current world focusing on faster delivery, and faster production CI / CD has taken a prominent role in the development world. Rapid adoption of these technologies has meant that a lot of the security precautions are thrown out of the window and insecure by default settings are in place. We have created this course to focus on Attacking CI CD environments as a way in for attackers.

In this course, we take an approach from basics to advanced guidance. We start with understanding how CI / CD systems work under the hood and then understand their position in a corporate IT environment. We focus on exploiting both self-hosted environments as well as SaaS-based environments.

Course Structure

Overview of CI/CD Environments

• Definition and importance of CI/CD
• Key components of CI/CD pipelines
• Source control
• Build automation
• Testing
• Deployment
• Monitoring
• CI/CD in the software development life cycle (SDLC)

Introduction to CI/CD Attacks

• Why do attackers target CI/CD pipelines?
• Rapid deployment as an attack surface
• Potential for automating attacks
• Common attack vectors in CI/CD environments
• Real-world examples of CI/CD attacks

CI/CD Attacks in Different Environment

• GitHub
• Jenkins
• GitLab CI
• Travis CI
• Unique features and use cases
• Comparative analysis of different CI/CD platforms

Environment Specific Attacks (GitHub)

• Initial Accesses & Conditions
• Enumeration Strategies
• GitHub way of CI/CD Systems
• Insecure Defaults
• Context Injection
• Custom Runner Misconfigurations
• Workflow Manipulation
• Malicious Action Creation & Injection
• Secret Exposure
• Un-authz Workflow Executions
• Workflow Bypass Techniques
• Webhooks and External Integrations Abuse
• Secrets in CI/CD Logs

Environment Specific Attacks (Jenkins)

• Jenkinsfile Tampering
• Unauthorized Access and Privilege Escalation
• Plugin Vulnerabilities Exploitation
• Build Script Manipulation
• Build Artifacts Tampering
• Script Console Abuse
• Jenkins API Exploitation

Environment Specific Attacks (GitLab CI)

• Pipeline Configuration Tampering
• Job Script Manipulation
• API Token and Credentials Exposure
• Build Artifacts Manipulation
• Runner Exploitation
• Webhooks and External Integrations Abuse
• Secrets in CI/CD Logs
• Unauthorized Pipeline Execution
• Misconfigured Job Dependencies
• Insecure Container Images

Cloud Providers CI/CD Systems’ Attack Vectors

• Insecure IAM
• CI/CD Systems Misconfigurations
• Cross-service Misconfigurations
• Using CI/CD Systems as Attacker’s Tools

C2

• Stealth

The course will be followed by a Capture-The-Flag event, where the participants can implement their learnings and hack a vulnerable-by-design environment on the last day of the training.

Target Audience

Pentester, Security engineer, red team testers

Pre-requisites

The course assumes basic familiarity with CI CD and pipeline concepts. Security tooling and specific pipeline details will be covered in the course.

Hardware requirements

Our labs are cloud-based, and a browser should be sufficient. However, we will still suggest the following hardware specs:

• Laptop with working browser and unrestricted internet access (at least port 80 and 443. However, some web-socket connections might be required.)

We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required. As part of the program, participants will create accounts on platforms like GitHub and Bitbucket for hands-on activities. Clear instructions will be provided in advance, and creating these accounts is free of charge.

Trainer Bio

Anant Shrivastava is the founder of Cyfinoid Research. He has experience in Security (both offense and defense), Development, and Operations. He has a rich history of engagement with renowned conferences as both a trainer and a speaker, including Black Hat (USA, Asia, EU), Nullcon, and c0c0n, among others. Anant leads open-source projects, notably the Tamer Platform and CodeVigilant, and curates the Hacking Archives of India. When not engaged in official work, Anant contributes to open communities with a shared goal of spreading information security knowledge, such as the null community, Garage4Hackers, hasgeek, and OWASP.

https://web.archive.org/web/20250428112334/https://www.brucon.org/training-details/attacking-cicd