GitHub Actions Attack Diagram Logo

GitHub Actions Attack Diagram

0
Free
Visit Website

The GitHub Actions Attack Diagram is a visual guide for identifying and exploiting vulnerabilities in GitHub Actions configurations. It outlines various attack paths, starting from read-only or write access to a GitHub organization or repository. The diagram covers multiple attack vectors, including: 1. Self-hosted runner takeover 2. PWN requests 3. Secrets exfiltration It provides links to additional resources for context and is based on real-world red team engagements and public vulnerability research. The diagram focuses on major attack paths and Tactics, Techniques, and Procedures (TTPs) that have been successfully used in live environments. While not exhaustive, the tool serves as a reference for security professionals to understand and mitigate potential risks in GitHub Actions workflows. It also includes references to related research presentations and blog posts detailing real-world exploits of CI/CD vulnerabilities.

FEATURES

ALTERNATIVES

Pacu is an open-source AWS exploitation framework for offensive security testing against cloud environments.

A tool for iOS pentesting and research with a GUI version available.

Darkarmour is a Windows AV evasion tool that helps bypass antivirus software, allowing for the creation of undetectable malware.

Using Apache mod_rewrite rules to rewrite incident responder or security appliance requests to an innocuous website or the target's real website.

Local pentest lab using docker compose to spin up victim and attacker services.

A Python-based tool for identifying and exploiting file inclusion and directory traversal vulnerabilities in web applications.

Comprehensive host-survey tool for security checks in C#.

A collection of tips and tricks for container and container orchestration hacking

PINNED