Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-cicd-attacks

Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021.
https://github.com/TupleType/awesome-cicd-attacks

Last synced: 4 days ago
JSON representation

Techniques
- Publicly Exposed Sensitive Data
  - (The) Postman Carries Lots of Secrets
  - Anyone can Access Deleted and Private Repository Data on GitHub - As long as it's part of a fork network.
  - (The) Postman Carries Lots of Secrets
  - All the Small Things: Azure CLI Leakage and Problematic Usage Patterns
  - All the Small Things: Azure CLI Leakage and Problematic Usage Patterns
  - Anyone can Access Deleted and Private Repository Data on GitHub - As long as it's part of a fork network.
  - Beyond S3: Exposed Resources on AWS - Public EBS, RDS, AMI and ElasticSearch clusters exposed to the internet.
  - CloudQuarry: Digging for secrets in public AMIs
  - Employee Personal GitHub Repos Expose Internal Azure and Red Hat Secrets
  - CloudQuarry: Digging for secrets in public AMIs
  - Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets
  - Employee Personal GitHub Repos Expose Internal Azure and Red Hat Secrets
  - Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries - Misconfigured public registries with software artifacts containing sensitive proprietary code and secrets.
  - Hidden GitHub Commits and How to Reveal Them - A tool that can reveal deleted GitHub commits that potentially contain sensitive information and are not accessible via the public Git history.
  - GitLab Secrets - A tool that can reveal deleted GitLab commits that potentially contain sensitive information and are not accessible via the public Git history.
  - Hidden GitHub Commits and How to Reveal Them - A tool that can reveal deleted GitHub commits that potentially contain sensitive information and are not accessible via the public Git history.
  - Millions of Secrets Exposed via Web Application Frontends
  - Publicly Exposed AWS Document DB Snapshots
  - Publicly Exposed AWS Document DB Snapshots
  - Thousands of images on Docker Hub leak auth secrets, private keys
  - Thousands of images on Docker Hub leak auth secrets, private keys
- Initial Code Execution
  - ActionsTOCTOU (Time Of Check to Time Of Use) - A tool to monitor for an approval event and then quickly replace a file in the PR head with a local file specified as a parameter.
  - AWS Targeted by a Package Backfill Attack - Scan commit history for internal packages to execute dependency confusion.
  - Can you trust ChatGPT's package recommendations? - Exploit generative AI platforms' tendency to generate non-existent coding libraries to execute Dependecy Confusion.
  - Dependency Confusions in Docker and remote pwning of your infra
  - Fixing typos and breaching microsoft's perimeter - Bypass GitHub workflow approval requirement by becoming a contributor.
  - Gitloker attacks abuse GitHub notifications to push malicious OAuth apps
  - Hacking GitHub AWS integrations again - Attacking misconfigured pipelines that use OIDC.
  - How I hacked into Google's internal corporate assets - More ways to find dependencies in code for Dependency Confusion.
  - How to completely own an airline in 3 easy steps - Misconfigured CI system accessible from the internet.
  - Introducing MavenGate: a supply chain attack method for Java and Android applications - Many public and popular libraries that have long been abandoned are still being used in huge projects. Access to projects can be hijacked through domain name purchases.
  - AWS Targeted by a Package Backfill Attack - Scan commit history for internal packages to execute dependency confusion.
  - Can you trust ChatGPT's package recommendations? - Exploit generative AI platforms' tendency to generate non-existent coding libraries to execute Dependecy Confusion.
  - Can You Trust Your VSCode Extensions? - Impersonate popular VSCode extensions and trick unknowing developers into downloading them.
  - Deep dive into Visual Studio Code extension security vulnerabilities
  - Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
  - Can You Trust Your VSCode Extensions? - Impersonate popular VSCode extensions and trick unknowing developers into downloading them.
  - Deep dive into Visual Studio Code extension security vulnerabilities
  - Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
  - Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry - Terraform modules are not protected by the Dependency Lock File, consequently, a seemingly harmless module could potentially introduce malicious code.
  - GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking
  - Gitloker attacks abuse GitHub notifications to push malicious OAuth apps
  - Hacking GitHub AWS integrations again - Attacking misconfigured pipelines that use OIDC.
  - How I hacked into Google's internal corporate assets - More ways to find dependencies in code for Dependency Confusion.
  - How to completely own an airline in 3 easy steps - Misconfigured CI system accessible from the internet.
  - PPE — Poisoned Pipeline Execution
  - Introducing MavenGate: a supply chain attack method for Java and Android applications - Many public and popular libraries that have long been abandoned are still being used in huge projects. Access to projects can be hijacked through domain name purchases.
  - Keeping your GitHub Actions and workflows secure Part 2: Untrusted input - GitHub Actions command injection.
  - Malicious code analysis: Abusing SAST (mis)configurations to hack CI systems
  - Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests - Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR may lead to repository compromise.
  - Keeping your GitHub Actions and workflows secure Part 2: Untrusted input - GitHub Actions command injection.
  - Malicious code analysis: Abusing SAST (mis)configurations to hack CI systems
  - Understanding typosquatting methods - for a secure supply chain
  - PPE — Poisoned Pipeline Execution
  - Security alert: social engineering campaign targets technology industry employees - Phishing GitHub users to download and execute repositories.
  - Security alert: social engineering campaign targets technology industry employees - Phishing GitHub users to download and execute repositories.
  - The Monsters in Your Build Cache – GitHub Actions Cache Poisoning
  - Thousands of npm accounts use email addresses with expired domains - Maintainer Email hijacking.
  - WordPress Plugin Confusion: How an update can get you pwned
  - The Monsters in Your Build Cache – GitHub Actions Cache Poisoning
  - Understanding typosquatting methods - for a secure supply chain
  - Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline - GitHub Actions workflow_run PE.
  - What the fork? Imposter commits in GitHub Actions and CI/CD
  - WordPress Plugin Confusion: How an update can get you pwned
  - Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline - GitHub Actions workflow_run PE.
  - What the fork? Imposter commits in GitHub Actions and CI/CD
- Post Exploitation
  - From Self-Hosted GitHub Runner to Self-Hosted Backdoor
  - Hacking Terraform State for Privilege Escalation
  - Hijacking GitHub runners to compromise the organization - Registering a GitHub runner with the ubuntu-latest tag grants access to jobs originally designated for GitHub-provisioned runners.
  - Hacking Terraform State for Privilege Escalation
  - Hijacking GitHub runners to compromise the organization - Registering a GitHub runner with the ubuntu-latest tag grants access to jobs originally designated for GitHub-provisioned runners.
  - Invisible Ghost: Alarming Vulnerability in GitHub Copilot - Using hidden Unicode characters to manipulate GitHub Copilot's suggestions.
  - Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
  - How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects - Extracting all repository and organization secrets in GitHub Actions.
  - How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects - Extracting all repository and organization secrets in GitHub Actions.
  - Invisible Ghost: Alarming Vulnerability in GitHub Copilot - Using hidden Unicode characters to manipulate GitHub Copilot's suggestions.
  - Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
  - Living off the pipeline - Inventory how development tools (typically CLIs), have lesser-known RCE-By-Design features.
  - Living off the pipeline - Inventory how development tools (typically CLIs), have lesser-known RCE-By-Design features.
  - The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
  - The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
  - How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects - Extracting all repository and organization secrets in GitHub Actions.
  - Invisible Ghost: Alarming Vulnerability in GitHub Copilot - Using hidden Unicode characters to manipulate GitHub Copilot's suggestions.
- Defense Evasion
  - Abusing Repository Webhooks to Access Internal CI/CD Systems at Scale
  - Forging signed commits on GitHub
  - Bypassing required reviews using GitHub Actions
  - #redteam tip: want to discretely extract credentials from a CI/CD pipeline? - Draft pull requests won't alert repository contributors, but will still trigger pipelines.
  - Bypassing required reviews using GitHub Actions
  - Working as unexpected - Creating a GitHub branch that matches a branch protection rule pattern with a workflow file that triggers on push to gain access to environment secrets.
  - #redteam tip: want to discretely extract credentials from a CI/CD pipeline? - Draft pull requests won't alert repository contributors, but will still trigger pipelines.
  - Abusing Repository Webhooks to Access Internal CI/CD Systems at Scale
  - Forging signed commits on GitHub
  - PR sneaking - Methods of sneaking malicious code into GitHub pull requests.
  - GitHub comments abused to push malware via Microsoft repo URLs - Hidden GitHub comment link.
  - How a Single Vulnerability Can Bring Down the JavaScript Ecosystem - Cache poisoning attack on the NPM registry rendering packages unavailable.
  - One Supply Chain Attack to Rule Them All – Poisoning GitHub's Runner Images
  - PR sneaking - Methods of sneaking malicious code into GitHub pull requests.
  - The massive bug at the heart of the npm ecosystem - NPM Manifest Confusion.
  - Trojan Source - Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities.
  - Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
  - Why npm lockfiles can be a security blindspot for injecting malicious modules
  - Trojan Source - Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities.
  - Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
  - Why npm lockfiles can be a security blindspot for injecting malicious modules
  - Working as unexpected - Creating a GitHub branch that matches a branch protection rule pattern with a workflow file that triggers on push to gain access to environment secrets.
  - Zuckerpunch - Abusing Self Hosted GitHub Runners at Facebook - Hide commits in a GitHub PR.
  - Zuckerpunch - Abusing Self Hosted GitHub Runners at Facebook - Hide commits in a GitHub PR.
  - One Supply Chain Attack to Rule Them All – Poisoning GitHub's Runner Images
  - StarJacking – Making Your New Open Source Package Popular in a Snap
Tools
- Defense Evasion
  - ADOKit - Azure DevOps Services Attack Toolkit.
  - ADOKit - Azure DevOps Services Attack Toolkit.
  - Gato - GitHub Attack Toolkit.
  - Gato-X - GitHub Attack Toolkit - Extreme Edition.
  - GH Archive - A project to record the public GitHub timeline, archive it, and make it easily accessible for further analysis.
  - GHTorrent Project - A queryable offline mirror of the GitHub API data. [Tutorial](https://ghtorrent.github.io/tutorial/).
  - git-dumper - Dump Git repository from a website.
  - GitFive - OSINT tool to investigate GitHub profiles.
  - Grep.app - Search GitHub using regex.
  - Gato - GitHub Attack Toolkit.
  - Gato-X - GitHub Attack Toolkit - Extreme Edition.
  - GH Archive - A project to record the public GitHub timeline, archive it, and make it easily accessible for further analysis.
  - Jenkins Attack Framework
  - Nord Stream - A tool to extract secrets stored inside CI/CD environments.
  - Token-Spray - Automate token validation using Nuclei.
  - pwn_jenkins - Notes about attacking Jenkins servers.
  - Secrets Patterns Database - The largest open-source database for detecting secrets, API keys, passwords, tokens, and more.
  - Sourcegraph - A web-based code search and navigation tool for public repositories.
Case Studies
- Defense Evasion
  - 10 real-world stories of how we've compromised CI/CD pipelines
Similar Projects
- Defense Evasion

Programming Languages

Python 12 C# 2 CSS 2 HTML 2

Categories

Techniques 109 Tools 18 Similar Projects 3 Case Studies 1

Sub Categories

Defense Evasion 48 Initial Code Execution 45 Publicly Exposed Sensitive Data 21 Post Exploitation 17

Keywords

cicd 4 github 4 bugbounty 3 living-off-the-pipeline 2 lotp 2 supply-chain-security 2 github-actions 2 actions 1 git 1 security 1 web 1 hideandsec 1 malfrats 1 osint 1 python 1 azuredevops 1 ci-cd 1 gitlab 1 gitlab-ci 1 exploit 1 hacking 1 jenkins 1 pentest 1 rce 1 gitleaks 1 regex 1 regular-expression 1 regular-expressions 1 secrets 1 secrets-detection 1 trufflehog 1 trufflehog3 1