YoVDO

Attacking Development Pipelines for Actual Profit

Offered By: 44CON Information Security Conference via YouTube

Tags

44CON Courses Cybersecurity Courses CI/CD Pipelines Courses Secret Management Courses

Course Description

Overview

Explore the vulnerabilities in CI/CD pipelines and learn how to exploit them for profit in this 25-minute conference talk from the 44CON Information Security Conference. Dive into real-world issues involving Perforce, network storage, and cross-instance compromise. Discover methodologies for secret management, report manipulation, and deployment exploitation. Examine practical tools like SSH reverse shells and research servers. Analyze a classic DNS rebinding attack on web hooks. Gain valuable insights into attacking development pipelines and understand the potential risks and rewards associated with these security weaknesses.

Syllabus

Introduction
CI/CD Pipelines?
CI/CD: Command Execution as a Service
Methodology - Definition
IRL Issue: Perforce
IRL Issue: Network Storage
Methodology - Execution
Tooling - SSHReverse Shell
IRL Issue: Cross Instance Compromise
Methodology - Secret Management
IRL Issue: VMware guestinfo variables
Methodology - Reports
Tooling - Research Servers
IRL Issue: Web Hook - Classic DNS Rebinding
Methodology - Deployment
Summary


Taught by

44CON Information Security Conference

Related Courses

Computer Security
Stanford University via Coursera
Cryptography II
Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera
Building an Information Risk Management Toolkit
University of Washington via Coursera
Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network