boostsecurityio/lotp
https://github.com/boostsecurityio/lotp

living-off-the-pipeline lotp supply-chain-security

# Living Off the Pipeline (LOTP)
[![boostsecurityio - lotp](https://img.shields.io/static/v1?label=boostsecurityio&message=lotp&color=blue&logo=github)](https://github.com/boostsecurityio/lotp "Go to GitHub repo")
[![stars - lotp](https://img.shields.io/github/stars/boostsecurityio/lotp?style=social)](https://github.com/boostsecurityio/lotp)
[![forks - lotp](https://img.shields.io/github/forks/boostsecurityio/lotp?style=social)](https://github.com/boostsecurityio/lotp)
[![issues - lotp](https://img.shields.io/github/issues/boostsecurityio/lotp)](https://github.com/boostsecurityio/lotp/issues)
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

[![View site - GH Pages](https://img.shields.io/badge/View_site-GH_Pages-2ea44f?style=for-the-badge)](https://boostsecurityio.github.io/lotp/)

# Introduction

The LOTP project inventories development tools (typically CLIs) commonly used in CI/CD pipelines that have lesser-known RCE-By-Design features ("foot guns") or that, more generally, can be used to achieve arbitrary code execution when they run on untrusted code changes or following a workflow injection.

# Contributions

We welcome contributions: submit a `Pull Request` to add a new tool, or simply open an `Issue` for new ideas.

# License

Released under [Apache 2.0](/LICENSE) by [@boostsecurityio](https://github.com/boostsecurityio).

---

# Prior art / Credits

This project is largely inspired by previous projects such as:
- https://gtfobins.github.io
- https://lolbas-project.github.io
- https://github.com/rotem-cider/cicd-lamb