Connect with us
X
Categories:

Technology

Researchers discover that SCM webhook abuse easily compromises CI/CD servers

Published

on

Researchers discover that SCM webhook abuse easily compromises CI/CD servers
Share this post:

Cloud-based source code management (SCM) platforms support integration with self-hosted CI/CD solutions through webhooks, which is great for DevOps automation.

However, the benefits can come with security trade-offs.

According to new findings from researchers at Cider, malicious actors can abuse webhooks to access internal resources, run remote code execution (RCE), and possibly obtain reverse shell access.

Webhook IP ranges

Software-as-a-service (SaaS) SCM systems provide an IP range for their webhooks. Organizations must open their networks to these IP ranges to enable integration between the SCM and their self-hosted CI/CD systems.

“We knew the combination of a SaaS source control management system and a self-managed CI with the webhook service IP range allowed towards the CI is a common architecture, and we wanted to check our possibilities there,” Omer Gil, head of research at Cider, told Daily Swig.

Attackers can use webhooks to get past an organization’s firewalls. But SCM webhooks have strict limits, and there is very little room to make modifications to webhook requests.

However, the researchers discovered that with the right changes, they could get beyond the limited endpoints available to SCM webhooks.

Accessing CI/CD endpoints

On the CI/CD side, the researchers ran their experiments on Jenkins, an open-source DevOps server.

“We chose Jenkins since it’s self-hosted and commonly used, but [our findings] can be applied to any system that is accessible from the SCM, like artifact registries for example,” Gil said.

On the SCM side, they tested both GitHub and GitLab. While webhooks have been designed to trigger specific CI endpoints, they could modify requests to direct them to other endpoints that return user data or the console output of pipelines. Nevertheless, limits remain.

“Webhooks are sent as a POST request, which limits the options against the target service, since endpoints used to retrieve data usually only accept the GET parameter,” Gil said. “While it’s not possible to fire a GET request through GitHub, in GitLab it’s a different case, since if the POST request is responded with a redirection, the GitLab webhook service will follow it with sending the GET request.”

Exploiting webhooks

Using GitLab, the researchers were able to use webhooks to combine POST and GET requests to access internal resources. Interestingly, some Jenkins resources are accessible without authentication.

“By default, some resources can be accessed anonymously. Having said that, it’s not very common for an organization to leave it as is – but some do allow anonymous access,” Gil said.

In case authentication was required, the researchers found that they could direct webhooks to the login endpoint and conduct brute-force password attacks against the CI/CD platform. Once authenticated, they obtained a session cookie that could be used to access other resources.

If the Jenkins instance had a vulnerable plugin, the webhook mechanism could exploit it. In the proof-of-concept video above, the researchers show that they could force a vulnerable Jenkins server to download a malicious JAR file, run it on the server, and launch a reverse shell endpoint for the attacker.

This finding is a reminder of the risks created when CI/CD servers are partially open to the internet.

“A hermetic solution is to deny inbound traffic from the SCM webhook service, but it usually comes with engineering costs,” Gil said. “Some countermeasures can be taken, like setting a secure authentication mechanism in the CI, patching, and making sure all actions in the server are saved in the logs.”


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Roisea: Most Advanced Crypto Trading Platform for Bitcoin
Business7 days ago

The Role of Regulation in Crypto Investment: Navigating Legal Frameworks

Volatility in Commodities and How to Deal with It
Business3 weeks ago

Volatility in Commodities and How to Deal with It

Expanding Living Space
Lifestyle2 months ago

Expanding Living Space: Prefabricated Workshop Building Kits for Extra Rooms

BeBe Winans
Lyrics3 months ago

BeBe Winans – It All Comes Down to Love [Lyrics]

BeBe Winans
Music3 months ago

[Music] BeBe Winans – It All Comes Down to Love

The Countdown Begins to the Tournament That Has It All
ANE Football Analytical3 months ago

AFCON 2023: A Sporting Spectacle Set to Captivate the World

Litecoin: What Makes It The Crypto Winner?
Technology4 months ago

Runny Inflation Can Drive Cryptocurrency Adoption

Black and White French Bulldog puppies Frenchie Joy
Lifestyle5 months ago

Black and White French Bulldog puppies Frenchie Joy

3 Serious Reasons to Keep Your Teenager Away From Social Media
Lifestyle5 months ago

3 Serious Reasons to Keep Your Teenager Away From Social Media

Boxing vs MMA What Makes Them So Different
Sports5 months ago

Boxing vs MMA: What Makes Them So Different

Roisea: Most Advanced Crypto Trading Platform for Bitcoin
Technology6 months ago

NFTs and Intellectual Property Rights: Shaping Creative Ownership

The Birth of a Rugby Nation South Africas Love Affair with the Sport
Sports10 months ago

The Birth of a Rugby Nation: South Africa’s Love Affair with the Sport

A Beginner's Guide to Radicle (RAD): The Future of Peer-to-Peer Development
Technology11 months ago

A Beginner’s Guide to Radicle (RAD): The Future of Peer-to-Peer Development

Analysis of Nigeria's Renewable Energy Sector: Opportunities and Challenges
Technology11 months ago

Analysis of Nigeria’s Renewable Energy Sector: Opportunities and Challenges

Casino Gaming Poker
Sports12 months ago

What Are The Various Types Of Online Slots?

Luka Modric celebrates after scoring Real Madrid's second goal against Celta Vigo.
Sports1 year ago

Luka Modric set to join Ronaldo in Saudi Arabia’s Al Nassr

WHO World Health Organization
Health1 year ago

WHO debunks claims that tuberculosis is caused by witchcraft, poison

Atiku Abubakar
News1 year ago

2023 Election: Why DSS must arrest Fani-Kayode – Atiku

PDP Logo Umbrella
News1 year ago

PDP suspends National Chairman

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 03)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 02)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Episode 01)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 year ago

[STORY] THE PASTOR’S DAUGHTER (Complete Episodes)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 16)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 15)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 14)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 13)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 12)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 11)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories1 year ago

[STORY] PAPA LOVES HIS GIRLS (Episode 10)

ANE Billboard Hots