Friday, June 28 • 11:30am - 12:15pm
Show me your Pipeline and I'll tell you your Secrets


In the last few years, exploiting self-hosted Continuous Integration/Continuous Deployment (CI/CD) environments has become highly popular. Security threats have emerged as malicious actors discover and take advantage of vulnerabilities within these systems. Their primary goals are often to insert backdoors into cloud or internal environments and to carry out remote command execution on an organization's infrastructure.


During my one-year journey of "poisoning pipelines", I reported to more than 150 leading companies around the globe about how I was able to use this supply chain attack to insert backdoors into companies' infrastructure, fetch sensitive secrets, and use cloud security credentials and leaked GitHub tokens, which allowed me to push "malicious" code into projects and publish "malicious" releases, without the owner's knowledge or approval.


We will start by exploring poisoned pipeline execution (PPE) attack techniques and the ways in which CI/CD processes allow attackers to inject their modified malicious code, interact with internal components, fetch environment secrets, and hopefully end up in a vulnerable pipeline that we can take control of.


Finally, having covered the theoretical groundwork, I'll demonstrate how such an attack sequence might lead to secret exfiltration and lateral movement from a compromised CI pod to internal organizational assets. We will conclude by discussing measures that can be put in place to protect against these types of attacks.


Speakers

Naor Yaacov

Application Security Team Lead, Wix.com
Naor is an Application Security Team Lead at Wix.com and is responsible for the security research and offensive security activities within the organization. Naor gained his experience by working for major cyber security and development organizations as a consultant, penetration tester...


Friday June 28, 2024 11:30am - 12:15pm WEST