YoVDO

Attacking Development Pipelines for Actual Profit

Offered By: 44CON Information Security Conference via YouTube

Tags

44CON Courses Cybersecurity Courses CI/CD Pipelines Courses Secret Management Courses

Course Description

Overview

Explore the vulnerabilities in CI/CD pipelines and learn how to exploit them for profit in this 25-minute conference talk from the 44CON Information Security Conference. Dive into real-world issues involving Perforce, network storage, and cross-instance compromise. Discover methodologies for secret management, report manipulation, and deployment exploitation. Examine practical tools like SSH reverse shells and research servers. Analyze a classic DNS rebinding attack on web hooks. Gain valuable insights into attacking development pipelines and understand the potential risks and rewards associated with these security weaknesses.

Syllabus

Introduction
CI/CD Pipelines?
CI/CD: Command Execution as a Service
Methodology - Definition
IRL Issue: Perforce
IRL Issue: Network Storage
Methodology - Execution
Tooling - SSHReverse Shell
IRL Issue: Cross Instance Compromise
Methodology - Secret Management
IRL Issue: VMware guestinfo variables
Methodology - Reports
Tooling - Research Servers
IRL Issue: Web Hook - Classic DNS Rebinding
Methodology - Deployment
Summary


Taught by

44CON Information Security Conference

Related Courses

Supply Chain Unchained - How To Be A Bad SaaS
44CON Information Security Conference via YouTube
Aviation Security 101
44CON Information Security Conference via YouTube
The Anti-Checklist Manifesto
44CON Information Security Conference via YouTube
Why Are We Still Doing Authentication Wrong?
44CON Information Security Conference via YouTube
What Do Hackers See When They Look at the Clouds
44CON Information Security Conference via YouTube