Objective
CI / CD systems are obnoxiously present and sprayed across modern enterprise environments. With the current world focusing on faster delivery, and faster production CI / CD has taken a prominent role in the development world. Rapid adoption of these technologies has meant that a lot of the security precautions are thrown out of the window and insecure by default settings are in place. We have created this course to focus on Attacking CI CD environments as a way in for attackers.
In this course, we take an approach from basics to advanced guidance. We start with understanding how CI / CD systems work under the hood and then understand their position in a corporate IT environment. We focus on exploiting both self-hosted environments as well as SaaS-based environments.
Outline
Overview of CI/CD Environments
- Definition and importance of CI/CD
- Key components of CI/CD pipelines
- Source control
- Build automation
- Testing
- Deployment
- Monitoring
- CI/CD in the software development life cycle (SDLC)
Introduction to CI/CD Attacks
- Why do attackers target CI/CD pipelines?
- Rapid deployment as an attack surface
- Potential for automating attacks
- Common attack vectors in CI/CD environments
- Real-world examples of CI/CD attacks
CI/CD Attacks in Different Environment
- Environments
- GitHub
- Jenkins
- GitLab CI
- Travis CI
- Unique features and use cases
- Comparative analysis of different CI/CD platforms
Environment Specific Attacks (GitHub)
- Initial Accesses & Conditions
- Enumeration Strategies
- GitHub way of CI/CD Systems
- Insecure Defaults
- Context Injection
- Custom Runner Misconfigurations
- Workflow Manipulation
- Malicious Action Creation & Injection
- Secret Exposure
- Un-authz Workflow Executions
- Workflow Bypass Techniques
- Webhooks and External Integrations Abuse
- Secrets in CI/CD Logs
Environment Specific Attacks (Jenkins)
- Jenkinsfile Tampering
- Unauthorized Access and Privilege Escalation
- Plugin Vulnerabilities Exploitation
- Build Script Manipulation
- Build Artifacts Tampering
- Script Console Abuse
- Jenkins API Exploitation
Environment Specific Attacks (GitLab CI)
- Pipeline Configuration Tampering
- Job Script Manipulation
- API Token and Credentials Exposure
- Build Artifacts Manipulation
- Runner Exploitation
- Webhooks and External Integrations Abuse
- Secrets in CI/CD Logs
- Unauthorized Pipeline Execution
- Misconfigured Job Dependencies
- Insecure Container Images
Cloud Providers CI/CD Systems’ Attack Vectors
- Insecure IAM
- CI/CD Systems Misconfigurations
- Cross-service Misconfigurations
Using CI/CD Systems as Attacker’s Tools
- C2
- Stealth
The course will be followed by a Capture-The-Flag event, where the participants can implement their learnings and hack a vulnerable-by-design environment on the last day of the training.
What students should bring?
Our labs are cloud-based, and a browser should be sufficient. However, we will still suggest the following hardware specs:
Laptop with working browser & and unrestricted internet access (at least port 80 and 443. However, some web-socket connections might be required.)
We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required.
As part of the program, participants will create accounts on platforms like GitHub and Bitbucket for hands-on activities. Clear instructions will be provided in advance, and creating these accounts is free of charge.
TRAINING PREREQUISITE
The course assumes basic familiarity with CI CD and pipeline concepts. Security tooling and specific pipeline details will be covered in the course.
WHO SHOULD ATTEND?
- Developers
- Solution Architects
- DevOps engineer
- Security architects
- Red Teamers
- Pentesters
WHAT TO EXPECT?
Intensive hands-on training with labs, demos, and real-world scenarios to discuss and hack into.
WHAT ATTENDEES WILL GET?
- Very Detailed step-by-step instruction manual for all challenges covered during the class.
- A Slide deck containing the slides covered during the class.
- Virtual environment over cloud with all required tools pre-configured
WHAT NOT TO EXPECT?
- Exploring defense strategies aimed at securing CI/CD environments.
- We will solely concentrate on the CI/CD aspect and refrain from delving into platform functionalities.
Next Sessions
Previous Run of this class
How to attend
Cyfinoid offers its trainings via multiple international conference such as BlackHat USA and others, We do offer private trainings also.