Conference:  Defcon 31

Authors: Asi Greenholts Security Researcher at Palo Alto Networks

2023-08-01

GitHub is the most popular platform to host Open Source projects therefore, the popularity of their CI/CD platform - GitHub Actions is rising, which makes it an attractive target for attackers. In this talk I’ll show you how an attacker can take advantage of the Custom GitHub Actions ecosystem by infecting one Action to spread malicious code to other Actions and projects by showing you a demo of POC worm. We will start by exploring the ways in which Actions are loosely and implicitly dependent on other Actions. This will allow us to create a dependency tree of Actions that starts from a project that we want to attack and hopefully ends in a vulnerable Action that we can take control of. We will then dive down to how GitHub Actions is working under the hood and I’ll show you how an attacker that is in control of an Action can utilize the mechanism of the GitHub Actions Runner to infect other Actions that are dependent on their Action and eventually infect the targeted project. Finally, after we’ve gained all of the theoretical knowledge I’ll show you a demo with POC malware that is spreading through Actions and we will talk on how to defend against this kind of attack.

Conference:  Global AppSec San Francisco 2022

Authors: Jenko Hwong

2022-11-18

Supply chain identity attacks are not new, for example the Golden SAML attack (Cyberark, 11/2017), which used stolen certificates to spoof SAML responses. Recently, new POC identity attacks have been published such as gaining access to a Facebook account that uses Gmail as the identity provider via OAuth 2.0 (Sammouda, 5/2022), utilizing the chaining of traditional web vulnerabilities such as XSS with the design of the OAuth protocol in order to steal OAuth session tokens. These new attacks pose new challenges for security operations: remotely-enabled attacks by design without need for endpoint compromise, near-permanent access, no need to go through MFA challenges, and incomplete controls for security operations in preventing, detecting, and responding to these attacks.This presentation looks underneath the hood at these more recent attacks that are combining attacks against peculiarities in today's ubiquitous OAuth 2.0 protocol along with traditional web vulnerabilities. We will cover how these attacks work, what's different about them, how OAuth 2.0 is used and abused, and how we must incorporate new controls specific to the protocols involved in order to defend against these attacks.We'll look at what controls or measures are provided by identity vendors such as Microsoft and Google and popular SaaS apps, and look at the cost-benefit of implementing your own controls.This presentation will focus on hands-on demos to illustrate the new attacks as well as efficacy of defensive measures. Slides will focus on security architectures and flows to convey fundamental concepts. Any useful tools or demonstrations will be made available in an open-source repository under 3-Clause BSD licensing.