Hacking Jenkins

Hack In The Box Security Conference via YouTube

Overview

Explore the intricacies of hacking Jenkins, the world's most popular CI/CD server, in this comprehensive conference talk from Hack In The Box Security Conference. Dive deep into Jenkins' internal mechanisms and exploitation guidelines, covering dynamic routing misuse, meta-programming abuse, and Groovy sandbox escapes. Learn about a full pre-auth remote code execution exploit chain and discover seven newly found vulnerabilities with CVEs. Gain insights into building custom gadgets and unconventional hacking techniques for Jenkins. Topics covered include JVM ecosystem reports, common attack vectors, past deserialization bugs, Jenkins remoting, Java web review, Stapler's role, routing rules, URL whitelists, compile-time meta-programming, root cause analysis, malicious JAR preparation, remote Jenkins attacks, Shodan survey results, and the evolution of exploit chains.

Syllabus

Intro
Orange Tsai
Outline
JVM ecosystem report 2018
Jenkins for hackers
Common attack vectors
Past deserialization bugs on Jenkins
Jenkins remoting 2.55
Review Java web
What did Stapler do?
Routing rules
URL whitelists by default
Compile-time meta-programming
Root cause analysis
Prepare the malicious JAR
Attacking remote Jenkins!
Survey on Shodan
Evolution of the exploit
More reliable exploit chain

Taught by

Hack In The Box Security Conference
