Cloud-based source code management (SCM) platforms integrate with self-hosted CI/CD systems through webhooks, a convenient building block for DevOps automation.
That convenience comes with a security cost.
According to new research from Cider, an attacker with enough SCM access to configure a webhook can abuse it to reach internal resources, achieve remote code execution (RCE), and potentially obtain a reverse shell on the CI server.
Webhook IP ranges
Software-as-a-service (SaaS) SCM systems publish the IP ranges their webhook deliveries come from. Organizations allowlist those ranges on their perimeter so the SCM can reach their self-hosted CI/CD systems.
“We knew the combination of a SaaS source control management system and a self-managed CI with the webhook service IP range allowed towards the CI is a common architecture, and we wanted to check our possibilities there,” Omer Gil, head of research at Cider, told The Daily Swig.
Because a webhook delivery originates from the SCM’s published range, it passes straight through that allowlist: the attacker’s request arrives bearing the SCM’s source address. The webhook itself is a blunt instrument, though. Beyond the destination URL and the payload, there is very little of the request an attacker can shape.
Even so, the researchers found that with the right choice of target URL they could reach far more than the handful of endpoints a webhook is meant to hit.
Accessing CI/CD endpoints
On the CI/CD side, the researchers ran their experiments on Jenkins, an open-source DevOps server.
“We chose Jenkins since it’s self-hosted and commonly used, but [our findings] can be applied to any system that is accessible from the SCM, like artifact registries for example,” Gil said.
On the SCM side, they tested both GitHub and GitLab. Webhooks are meant to call one specific CI endpoint, but by rewriting the webhook’s target URL the researchers could aim deliveries at other Jenkins endpoints, including ones that return user data or the console output of pipelines. Limits remain, nonetheless.
“Webhooks are sent as a POST request, which limits the options against the target service, since endpoints used to retrieve data usually only accept the GET parameter,” Gil said. “While it’s not possible to fire a GET request through GitHub, in GitLab it’s a different case, since if the POST request is responded with a redirection, the GitLab webhook service will follow it with sending the GET request.”
Using GitLab, the researchers chained the initial POST with the GET that GitLab’s webhook sender issues after a redirect, and in this way read internal resources. Notably, some Jenkins resources are reachable without authentication.
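The defensive counterpart to the endpoint-redirection described above is to stop trusting the source IP as the only gate. The following is an added example, not code from Cider or from Jenkins: a small gateway decision function that forwards a delivery to the CI server only when it targets the one expected webhook route and carries a valid SCM secret. GitHub signs the raw body and sends the HMAC in `X-Hub-Signature-256`; GitLab sends the configured secret verbatim in `X-Gitlab-Token`. `ALLOWED_ROUTES` and `WEBHOOK_SECRET` are placeholders for this demo, and the GitLab route is assumed.

```python
"""Added example (not Cider's research code or a Jenkins feature): a
webhook gateway check that sits in front of the CI server and forwards a
delivery only if it targets the one expected route and carries a valid SCM
secret. ALLOWED_ROUTES and WEBHOOK_SECRET are placeholders for this demo."""
import hashlib
import hmac
import posixpath
from typing import Mapping, Tuple

# Hypothetical allowlist: the only CI paths a webhook may ever reach.
ALLOWED_ROUTES = {
    "github": "/github-webhook/",           # GitHub plugin's usual route
    "gitlab": "/project/example-pipeline",  # placeholder GitLab-plugin route
}
WEBHOOK_SECRET = b"replace-me-with-a-long-random-secret"  # placeholder


def sign_github(body: bytes, secret: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + HMAC-SHA256(body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def github_signature_ok(body: bytes, headers: Mapping[str, str], secret: bytes) -> bool:
    """Recompute the HMAC over the raw body and compare in constant time.
    Header keys are expected lower-cased (see decide())."""
    sig = headers.get("x-hub-signature-256", "")
    return hmac.compare_digest(sig, sign_github(body, secret))


def gitlab_token_ok(headers: Mapping[str, str], secret: bytes) -> bool:
    """GitLab sends the shared secret verbatim in X-Gitlab-Token."""
    token = headers.get("x-gitlab-token", "").encode()
    return hmac.compare_digest(token, secret)


def _same_route(path: str, route: str) -> bool:
    # Drop the query string and collapse '..' so that
    # /github-webhook/../api/json cannot masquerade as the webhook route.
    clean = posixpath.normpath(path.split("?", 1)[0])
    return clean == posixpath.normpath(route)


def decide(method: str, path: str, headers: Mapping[str, str], body: bytes,
           secret: bytes = WEBHOOK_SECRET) -> Tuple[bool, str]:
    """Return (forward?, reason). Source IP is deliberately not a criterion:
    in the attack the request really does come from the SCM's range."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False, "webhooks are POST; nothing else is forwarded"
    if "x-github-event" in h:
        if not _same_route(path, ALLOWED_ROUTES["github"]):
            return False, "path is not the GitHub webhook route"
        if not github_signature_ok(body, h, secret):
            return False, "bad or missing X-Hub-Signature-256"
        return True, "github delivery accepted"
    if "x-gitlab-event" in h:
        if not _same_route(path, ALLOWED_ROUTES["gitlab"]):
            return False, "path is not the GitLab webhook route"
        if not gitlab_token_ok(h, secret):
            return False, "bad or missing X-Gitlab-Token"
        return True, "gitlab delivery accepted"
    return False, "no SCM event header; not a webhook delivery"


if __name__ == "__main__":
    body = b'{"ref": "refs/heads/main"}'  # constructed sample payload
    ok = {"X-GitHub-Event": "push",
          "X-Hub-Signature-256": sign_github(body, WEBHOOK_SECRET)}
    print(decide("POST", "/github-webhook/", ok, body))
    print(decide("POST", "/github-webhook/../api/json", ok, body))
    print(decide("POST", "/github-webhook/", {"X-GitHub-Event": "push"}, body))
```

Because the gateway only ever forwards to a fixed route and never answers the SCM with a redirect, the POST-then-GET trick has nothing to follow, and a delivery with a wrong or absent secret is dropped before it reaches Jenkins at all.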
“By default, some resources can be accessed anonymously. Having said that, it’s not very common for an organization to leave it as is – but some do allow anonymous access,” Gil said.
Where authentication was required, the researchers found they could direct webhooks at the login endpoint and brute-force passwords against the CI/CD platform. Once authenticated, they obtained a session cookie that could be reused to access other resources.
If the Jenkins instance ran a vulnerable plugin, the webhook mechanism could exploit it. In their proof-of-concept video, the researchers force a vulnerable Jenkins server to download a malicious JAR file, execute it, and open a reverse shell back to the attacker.
The finding is a reminder of the risk that remains when a CI/CD server is reachable from the internet at all, even when that reachability is narrowed to a vendor’s IP range.
“A hermetic solution is to deny inbound traffic from the SCM webhook service, but it usually comes with engineering costs,” Gil said. “Some countermeasures can be taken, like setting a secure authentication mechanism in the CI, patching, and making sure all actions in the server are saved in the logs.”
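Gil’s last countermeasure, making sure every action on the server is logged, only pays off if someone reads the logs for this pattern. The following detection pass is an added example, not Cider’s tooling: it walks access-log lines and flags traffic from the SCM webhook range that strays off the expected route, that follows a redirect with a GET (the GitLab behaviour described above), or that repeatedly hits the login form. The log lines are constructed, the range `192.0.2.0/24` is a documentation prefix standing in for the SCM’s published hook ranges (GitHub publishes its own under the `hooks` key of https://api.github.com/meta), and `LOGIN_PATH` and `ALLOWED_ROUTES` are assumed values to adjust to your instance.

```python
"""Added example (not Cider's tooling): flag webhook-range traffic that
strays off the expected route, follows a redirect, or hammers the login
form, working from access-log lines. SAMPLE_LOG is constructed, the SCM
range is a placeholder, and LOGIN_PATH / ALLOWED_ROUTES are assumed."""
import ipaddress
import re
from collections import Counter, namedtuple

SCM_WEBHOOK_RANGES = [ipaddress.ip_network("192.0.2.0/24")]          # placeholder
ALLOWED_ROUTES = {"/github-webhook/", "/project/example-pipeline"}  # assumed
LOGIN_PATH = "/j_acegi_security_check"  # Jenkins form-login target; assumed, adjust

# Constructed sample in Common Log Format (not a real capture).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2022:10:00:01 +0000] "POST /github-webhook/ HTTP/1.1" 200 12
192.0.2.10 - - [05/Dec/2022:10:00:05 +0000] "POST /api/json HTTP/1.1" 302 0
192.0.2.10 - - [05/Dec/2022:10:00:05 +0000] "GET /api/json?tree=jobs[name] HTTP/1.1" 200 4096
192.0.2.10 - - [05/Dec/2022:10:00:07 +0000] "POST /j_acegi_security_check HTTP/1.1" 401 0
192.0.2.10 - - [05/Dec/2022:10:00:08 +0000] "POST /j_acegi_security_check HTTP/1.1" 401 0
192.0.2.10 - - [05/Dec/2022:10:00:09 +0000] "POST /j_acegi_security_check HTTP/1.1" 401 0
10.1.1.5 - - [05/Dec/2022:10:00:10 +0000] "GET /api/json HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
Record = namedtuple("Record", "ip method path status")


def parse(lines):
    """Yield one Record per well-formed log line; query strings are dropped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield Record(ip, method, path.split("?", 1)[0], int(status))


def from_scm(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyse(lines, ranges=SCM_WEBHOOK_RANGES, allowed=ALLOWED_ROUTES,
            login_path=LOGIN_PATH, login_threshold=3):
    """Return a list of findings, each a tuple starting with its kind:
    off_route, redirect_follow or login_bruteforce."""
    findings = []
    last = {}           # last request seen per source IP
    logins = Counter()  # login-form hits per source IP
    for rec in parse(lines):
        if not from_scm(rec.ip, ranges):
            continue  # only the webhook range is in scope here
        if rec.path not in allowed:
            findings.append(("off_route", rec.ip, rec.method, rec.path, rec.status))
        if rec.path == login_path:
            logins[rec.ip] += 1
        prev = last.get(rec.ip)
        # A POST answered with 3xx, immediately followed by a GET from the same
        # address, is the redirect-follow behaviour that turns POST into GET.
        if prev and prev.method == "POST" and 300 <= prev.status < 400 and rec.method == "GET":
            findings.append(("redirect_follow", rec.ip, prev.path, rec.path))
        last[rec.ip] = rec
    for ip, n in logins.items():
        if n >= login_threshold:
            findings.append(("login_bruteforce", ip, n))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

The internal user at 10.1.1.5 reading `/api/json` is never flagged: the point is not that the endpoint is sensitive but that the SCM’s webhook sender has no business calling anything other than its one route, so every off-route request from that range is worth an alert on its own.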