https://github.com/boostsecurityio/lotp

boostsecurityio/lotp
https://github.com/boostsecurityio/lotp

living-off-the-pipeline lotp supply-chain-security

Last synced: about 1 month ago
JSON representation

boostsecurityio/lotp

• Host: GitHub
• URL: https://github.com/boostsecurityio/lotp
• Owner: boostsecurityio
• License: apache-2.0
• Created: 2024-02-15T14:56:05.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-12-16T15:30:17.000Z (11 months ago)
• Last Synced: 2024-12-16T16:30:59.880Z (11 months ago)
• Topics: living-off-the-pipeline, lotp, supply-chain-security
• Language: HTML
• Homepage:
• Size: 52.7 KB
• Stars: 106
• Watchers: 9
• Forks: 8
• Open Issues: 27
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

• awesome-cicd-attacks - Living off the pipeline - Inventory how development tools (typically CLIs), have lesser-known RCE-By-Design features. (Techniques / Post Exploitation)
• awesome-cicd-attacks - Living off the pipeline - Inventory how development tools (typically CLIs), have lesser-known RCE-By-Design features. (Techniques / Post Exploitation)

README

          
# Living Off the Pipeline (LOTP)

[![boostsecurityio - lotp](https://img.shields.io/static/v1?label=boostsecurityio&message=lotp&color=blue&logo=github)](https://github.com/boostsecurityio/lotp "Go to GitHub repo")

[![stars - lotp](https://img.shields.io/github/stars/boostsecurityio/lotp?style=social)](https://github.com/boostsecurityio/lotp)

[![forks - lotp](https://img.shields.io/github/forks/boostsecurityio/lotp?style=social)](https://github.com/boostsecurityio/lotp)

[![issues - lotp](https://img.shields.io/github/issues/boostsecurityio/lotp)](https://github.com/boostsecurityio/lotp/issues)

[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

[![View site - GH Pages](https://img.shields.io/badge/View_site-GH_Pages-2ea44f?style=for-the-badge)](https://boostsecurityio.github.io/lotp/)

# Introduction

The idea of the LOTP project is to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.

# Contributions

We welcome contributions submitted as `Pull Requests` with new tool contributions or simply `Issues` for new ideas.

# License

Released under [Apache 2.0](/LICENSE) by [@boostsecurityio](https://github.com/boostsecurityio).

---

# Prior art / Credits

This project is largely inspired from previous projects such as:

- https://gtfobins.github.io

- https://lolbas-project.github.io

- https://github.com/rotem-cider/cicd-lamb