The Story, The Findings And The Fixes Behind More Than A 100 Jenkins Plugins Vulnerabilities
Viktor Gazdag
© 2019 All Rights Reserved. 2
Timeline
• Who Am I
• Goal Of The Talk
• Statistics
• The Story
• The Findings
• The Fixes
• Report Vulnerability
• Related Articles
• Q&A
Who Am I
• Security Consultant at NCC Group
• IT Helpdesk, System Administrator, System Engineer
• Ethical Hacking Specialist, Security Consultant
• 2019 Jenkins Security MVP
• CRT, OSCP, eWPT, eWPTX, eMAPT
• MCSE 2012, NS0-155
• Travel, Video Games, Security Research
Thank You
• Jenkins / CloudBees - Daniel Beck
• NCC Group - Matt Lewis, Mario Iregui, Bernardo Damele, Jennifer Fernick, Simon Harraghy, Balazs Bucsay
• Irene Michlin, Soroush Dalili
Goal Of The Talk
• Why – Give Back To The Community, Raise Awareness
• How – Show The Problems And Fixes
• What – Presentation, Blog, Advisories, White Paper*, Tool*
Core and Plugin Vulnerabilities By Years
• Core And Plugins
• SECURITY-* And CVE-*
[Chart: Vulnerabilities and Advisories By Year, 2010 to 2019; two series, Vulnerability and Advisory; y-axis 0 to 350]
The Story
• Started With A Project
• Continued With A Jenkins Advisory
• Triggered By A Second Advisory
The Findings
• Credentials Stored In Plain Text, CSRF, SSRF, XSS, TLS Certificate Validation Disabled, Missing Permission Check
• 15 Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability, 118 CVEs, 1 CVE Pending, 10 Issues Without CVEs
Distribution Of The Vulnerability Types
Submitted And Released Findings (2017.11 – 2019.10)
[Chart: Core and Plugin Vulnerabilities by type; categories: Credentials stored plain text, CSRF, Missing permission check, SSRF with permission check, CSRF with permission check, TLS certificate validation disabled, XSS; y-axis 0 to 80]
Findings - Tools
• Black Box Test
• Burp Suite Pro
• Linux
• netcat, cat, less, ls, openssl, python, vi
• Simple Python program with Self-Signed SSL Certificate
• Browser
• Looked For Specific Issues
The Findings
• Credentials Stored In Plain Text
• Web Form
• Multiple Paths
• /var/lib/Jenkins/*.xml
• /var/lib/Jenkins/job/TestJob/config.xml
The Findings
• Missing Permission Check
The Findings
• Cross-Site Request Forgery (CSRF) And Missing Permission Check Allowed Capturing Credentials
• “CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.” - OWASP
The Findings
• CSRF And Missing Permission Check Led to Server-Side Request Forgery (SSRF)
• “In a SSRF attack the attacker can change a parameter used on the web application to create or control requests from the vulnerable server.” - Netsparker
The Findings
• Cross-Site Scripting (XSS)
• Reflected, Stored, DOM
• “XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.” - OWASP
The Fixes
• Credentials Stored In Plain Text
• Using a Secret Type Offered By Jenkins
• 3rd Party Plugin Called Credentials Plugin
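As an added illustration of the first fix (not code from the talk or from any real plugin; ExampleNotifierConfig, apiUrl and password are hypothetical names), a global configuration that kept a password in a String field, which Jenkins writes to its XML in plain text, beside the same class storing it as hudson.util.Secret:

```java
// Added example with hypothetical names (ExampleNotifierConfig, apiUrl, password);
// it is not code from the talk or from a real plugin.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// BEFORE: the shape of the finding. Jenkins persists descriptor fields with
// XStream exactly as typed, so a String password lands in
// $JENKINS_HOME/<plugin-class>.xml (or a job's config.xml) as
// <password>hunter2</password>, readable by anyone who can read the file, and
// the configuration form round-trips the plaintext through the browser as well.
class ExampleNotifierConfigBefore extends GlobalConfiguration {
    private String apiUrl;
    private String password;

    public String getPassword() { return password; }

    @DataBoundSetter
    public void setPassword(String password) { this.password = password; save(); }
}

// AFTER: the same field typed as hudson.util.Secret. XStream serialises the
// encrypted form (<password>{...base64...}</password>, encrypted with the
// instance key kept under $JENKINS_HOME/secrets/), the <f:password/> form
// control is handed the encrypted string rather than the plaintext, and
// decryption happens only at the moment the value is used.
@Extension
public class ExampleNotifierConfig extends GlobalConfiguration {
    private String apiUrl;
    private Secret password;

    public ExampleNotifierConfig() {
        load();   // restore persisted values, if any
    }

    public String getApiUrl() { return apiUrl; }

    @DataBoundSetter
    public void setApiUrl(String apiUrl) { this.apiUrl = apiUrl; save(); }

    // Return the Secret itself: Jelly's ${instance.password} knows how to render
    // it without exposing the plaintext. Do not offer a getter that returns
    // getPlainText(), or the form hands the secret back to every viewer.
    public Secret getPassword() { return password; }

    @DataBoundSetter
    public void setPassword(Secret password) { this.password = password; save(); }

    // Decrypt at the point of use and keep the plaintext's scope as small as possible.
    String basicAuthUserInfo(String username) {
        return username + ":" + Secret.toString(password);   // "" when unset
    }
}

// On the second fix named on the slide: with the Credentials plugin the
// configuration stores only a credentialsId (a plain String) and the secret
// lives in the credentials store; the plugin resolves it through
// CredentialsProvider at use time, so no secret material is written into the
// plugin's own XML at all.
```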
The Fixes
• CSRF
The Fixes
• Missing Permission Check
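As an added illustration of the CSRF and missing-permission-check fixes, covering the pattern behind the credential-capture and SSRF findings above as well (not code from the talk or from a real plugin; ExampleServer, ExampleClient and the url/username/password form fields are hypothetical names), a descriptor's "Test connection" form-validation method as it was typically found, beside the hardened version that requires POST (so Stapler enforces the CSRF crumb) and checks the caller's permission:

```java
// Added example with hypothetical names (ExampleServer, ExampleClient, the
// url/username/password form fields); it is not code from the talk or a real plugin.
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** A job-level setting that points at some external server. */
public class ExampleServer extends AbstractDescribableImpl<ExampleServer> {
    private final String url;

    @DataBoundConstructor
    public ExampleServer(String url) { this.url = url; }

    public String getUrl() { return url; }

    // BEFORE: the shape of the finding. Stapler exposes every public doXxx method
    // of a descriptor as a URL, so this "Test connection" handler answered plain
    // GET (no CSRF crumb) and never asked who was calling. The Jenkins controller
    // then connected to whatever url the request named and sent the supplied
    // credentials there: CSRF, missing permission check, SSRF and credential
    // capture in one method.
    static class DescriptorBefore extends Descriptor<ExampleServer> {
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter Secret password) {
            return tryConnect(url, username, password);
        }
    }

    // AFTER: @POST makes Stapler reject GET and enforce the crumb, and the
    // permission check restricts the side effect to users who may configure the
    // job (or administer Jenkins when the form is global, i.e. there is no Item).
    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleServer> {
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter Secret password) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return tryConnect(url, username, password);
        }
    }

    // Shared by both versions so that only the access control differs.
    static FormValidation tryConnect(String url, String username, Secret password) {
        try {
            ExampleClient.connect(URI.create(url), username, Secret.toString(password));
            return FormValidation.ok("Connection successful");
        } catch (IOException | IllegalArgumentException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}

/** Minimal stand-in for the plugin's real HTTP client. */
class ExampleClient {
    static void connect(URI uri, String username, String password) throws IOException {
        String scheme = uri.getScheme();
        // Refusing non-HTTP schemes narrows what a permitted user can reach; it
        // complements the permission check above, it does not replace it.
        if (!"https".equals(scheme) && !"http".equals(scheme)) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        String token = Base64.getEncoder()
                .encodeToString((username + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + token);
        if (conn.getResponseCode() >= 400) {
            throw new IOException("HTTP " + conn.getResponseCode());
        }
    }
}
```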
The Fixes
• XSS
Report Vulnerability
• Where To Report:
• Jenkins: https://jenkins.io/security/
• CloudBees: https://www.cloudbees.com/security-policy
• Jenkins JIRA: https://issues.jenkins-ci.org/browse/SECURITY
• Include The Following:
• Check Previous Issues: https://jenkins.io/security/advisories/
• Core And Plugin Version
• Description
• Reproduction Steps
• Proof Of Concept (Screenshots, Console Outputs etc.)
• Deadline (Optional)
Related Articles
• Storing Secrets:
• On Disk And Configuration Forms: https://jenkins.io/doc/developer/security/secrets/
• CSRF:
• Form Validation And CSRF: https://jenkins.io/doc/developer/security/form-validation/
• XSS:
• XSS Prevention: https://jenkins.io/doc/developer/security/xss-prevention/
• Other:
• Blog Post: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/may/story-of-a-hundred-vulnerable-jenkins-plugins/
• Teaser Blog Post: https://jenkins.io/blog/2019/11/29/do-plugins-store-credentials-in-a-secure-way/
• Technical Advisory: https://www.nccgroup.trust/uk/our-research/jenkins-plugins-and-core-technical-summary-advisory/?research=Technical+advisories
Questions
Feel Free To Ask Personally
Email viktor.gazdag@nccgroup.com
Thank You
