{"id":10397,"date":"2023-01-10T11:02:55","date_gmt":"2023-01-10T11:02:55","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/attacking-the-application-supply-chain-gisec-hitb2023ams\/"},"modified":"2023-06-29T08:23:45","modified_gmt":"2023-06-29T08:23:45","slug":"attacking-the-application-supply-chain-hitb2023ams","status":"publish","type":"product","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/product\/attacking-the-application-supply-chain-hitb2023ams\/","title":{"rendered":"Attacking the Application Supply-Chain"},"content":{"rendered":"<h2><strong><span style=\"color: #993300;\">REGISTRATION CLOSED<\/span><\/strong><\/h2>\n<h4><strong>DATE: 17-18 April 2023<\/strong><\/h4>\n<h4><strong>TIME: 09:00 to 17:00 CEST\/GMT+2<\/strong><\/h4>\n<table style=\"height: 126px;\" width=\"669\">\n<tbody>\n<tr>\n<td><strong>Date<\/strong><\/td>\n<td><strong>Day<\/strong><\/td>\n<td style=\"text-align: left;\"><strong>Time<\/strong><\/td>\n<td><strong>Duration<\/strong><\/td>\n<\/tr>\n<tr>\n<td>17 Apr<\/td>\n<td>Monday<\/td>\n<td>09:00 to 17:00 CEST\/GMT+2<\/td>\n<td>8 Hours<\/td>\n<\/tr>\n<tr>\n<td>18 Apr<\/td>\n<td>Tuesday<\/td>\n<td>09:00 to 17:00 CEST\/GMT+2<\/td>\n<td>8 Hours<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h5><span style=\"font-size: 16px;\">Supply chain risks are everywhere. We\u2019ve seen a burst of supply chain exploits against organizations, totaling billions of dollars of value lost. Supply-chain security and its implementation are essential, and required by regulation. However, it is important for pentesters and red teams to understand how supply-chain attacks can be leveraged against applications, so that they can further strengthen their defensive implementations against them.<\/span><\/h5>\n<p>This training is a deep, hands-on red-team exploration of application supply chains. 
We commence with an understanding of application supply chains, and subsequently dive into story-driven scenarios of exploiting supply chains: CI systems, build systems, container infrastructure and cloud-native infrastructure hosted on Kubernetes, AWS and Azure.<\/p>\n<p>People learn better with stories. Our exploit and lateral movement scenarios are intricately designed labs that are backed by real-world stories that help students understand this<br \/>\nsubject matter a lot better. This training was sold out at Black Hat USA 2022 with a 4.8\/5 rating.<\/p>\n<p>&nbsp;<\/p>\n<h4><strong><span dir=\"ltr\" role=\"presentation\">Lab Experience Video<\/span><\/strong><\/h4>\n<p><iframe title=\"AppSecEngineer AWS Included Labs\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/RfvbRzpIhB0?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p>&nbsp;<\/p>\n<h4><strong>Agenda<\/strong><\/h4>\n<h4><strong>Day 1<\/strong><\/h4>\n<h4>Introduction to Application Supply Chain<\/h4>\n<ul>\n<li>Understanding the supply chain landscape<\/li>\n<li>An overview of supply-chain attack vectors<\/li>\n<li>MITRE ATT&amp;CK framework for supply-chain compromise<\/li>\n<li>A brief history of supply-chain attacks<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4>Pre-Build Supply Chain Security<\/h4>\n<h5>Threat modeling for supply chain &#8211; A red-team perspective<\/h5>\n<p><strong>Application Dependencies &#8211; Stories and Hands-on Labs<\/strong><\/p>\n<p>This section of the class is where we do a couple of case studies (stories) on identifying vulnerabilities in application dependencies and compromising them. Once compromised, we\u2019ll be looking at possibilities of post-exploitation and lateral movement through these dependencies. 
In these stories, we\u2019ll be showcasing the following types of attacks and exploits:<\/p>\n<ul>\n<li>Attacks against client-side dependencies:<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Magecart-style and other JavaScript client-side attacks leading to user compromise, browser hooking and so on<br \/>\n\u25cb Attacking client-side supply chain elements by attacking private CDNs, static stores, etc.<br \/>\n\u25cb Exploring additional client-side exploit possibilities with CSP bypasses, etc.<br \/>\n\u25cb Attacking CDN infrastructure like CloudFront and S3 with CSP bypasses to perform client-side supply-chain exploits<\/p>\n<ul>\n<li>Attacking applications by compromising server-side dependencies:<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Leveraging vulnerable components to perform application exploits and lateral movement. This includes:<\/p>\n<ul>\n<li>Remote Code Execution<\/li>\n<li>XXE<\/li>\n<li>SSRF flaws<\/li>\n<li>And more to perform exploitation and post-exploitation<\/li>\n<li>Attacking package manager behaviour against the application supply chain:<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Typo-squatting flaws<br \/>\n\u25cb Dependency confusion attacks<\/p>\n<ul>\n<li>Exploring defense possibilities against all attack types showcased in the stories, and exploring the defense implementations through hands-on labs<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4>Attacking CI Services<\/h4>\n<h5>Overview of CI Services<\/h5>\n<ul>\n<li>A brief overview of commonly used CI services<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Jenkins<br \/>\n\u25cb Bamboo<br \/>\n\u25cb GitHub Actions<br \/>\n\u25cb GitLab CI<\/p>\n<p>&nbsp;<\/p>\n<h5>Attack Stories against CI Systems<\/h5>\n<p>In this section we\u2019ll be covering multiple attack and exploit scenarios around CI services. 
These attacks specifically look at approaches where adversaries compromise CI tools in order to inject malicious code or otherwise taint the build process and build environments of organizations. The case studies and stories that we\u2019ll cover as part of this module include the following:<\/p>\n<ul>\n<li>Build system dependencies &#8211; attack vectors<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Cross-build injection attacks<\/p>\n<ul>\n<li>CI service dependencies &#8211; attack vectors<\/li>\n<li>CI-based webhook exploits<\/li>\n<li>Vulnerabilities and exploits against Jenkins using Jenkins plugins<\/li>\n<li>GitHub Actions exploits using malicious actions and misconfigured GitHub Actions workflows<\/li>\n<li>Attacking GitLab using templating systems and dependency chaining<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4><strong>Day 2<\/strong><\/h4>\n<h5>Cloud-Native Supply Chain Attacks<\/h5>\n<p>Cloud-native environments are a massive source of supply-chain risk. From Infrastructure-as-Code to continuous deployment systems to cloud-native package management, there\u2019s tremendous scope for attacking, exploiting and escalating privileges in cloud-native environments. In this section we\u2019ll be looking at case studies and stories of supply chain security risks, using Kubernetes and AWS environments as a reference point. 
Naturally, these will be replete with deep-dive hands-on labs that walk you through the multi-step flaws and exploits against cloud-native supply chains.<\/p>\n<p>&nbsp;<\/p>\n<h5>Attacks against cloud-native environments<\/h5>\n<ul>\n<li>An overview of cloud and microservices<\/li>\n<li>A brief intro to cloud-native environments<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb AWS<br \/>\n\u25cb Azure<br \/>\n\u25cb Cloud<br \/>\n\u25cb Kubernetes &amp; microservices<\/p>\n<ul>\n<li>Threat landscape in cloud-native environments<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Common attack patterns<\/p>\n<p>&nbsp;<\/p>\n<h5>Attacking Kubernetes Supply-Chains<\/h5>\n<ul>\n<li>An overview of Kubernetes and cluster components<\/li>\n<li>Attack vectors in a Kubernetes cluster<\/li>\n<li>Leveraging a vulnerable registry to upload trojanized image(s)<\/li>\n<li>Compromising the cluster network<\/li>\n<li>Helm chart based attacks<\/li>\n<li>Performing Person-in-the-Middle attacks to compromise package installations<\/li>\n<li>Permanent backdoor into a Kubernetes cluster through malicious packages and CRDs<\/li>\n<li>Leveraging Kubernetes webhooks to perform cluster privilege escalation attacks<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h5>Compromising AWS environments<\/h5>\n<ul>\n<li>Overview of AWS components<\/li>\n<li>Introduction to AWS Lambda<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">\u25cb Understanding layers<\/p>\n<ul>\n<li>Compromising Lambda with excessive privileges<\/li>\n<li>Performing lateral movement to gain access to S3 and manipulating sensitive objects<\/li>\n<li>Compromising cloud environments through malicious executables<\/li>\n<li>Injecting malicious scripts into an S3-backed CDN to mine crypto &#8211; for fun and profit<\/li>\n<li>Attacking ECR registries with faulty IAM privileges<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h5>Compromising Azure Environments with Supply-Chain Attacks<\/h5>\n<ul>\n<li>Understanding the Azure services and IAM 
model<\/li>\n<li>Attacking Azure Function Apps to compromise the underlying container infrastructure and escalating privileges into the Azure account<\/li>\n<li>Attacking Azure DevOps implementations for account compromise scenarios<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>REGISTRATION CLOSED DATE: 17-18 April 2023 TIME: 09:00 to 17:00 CEST\/GMT+2 Date Day Time Duration 17 Apr Monday 09:00 to 17:00 CEST\/GMT+2 8 Hours 18 Apr Tuesday 09:00 to 17:00 CEST\/GMT+2 8 Hours Supply Chain risks are everywhere. We\u2019ve seen a burst of supply chain exploits against organizations, totaling billions of dollars of value lost. [&hellip;]<\/p>\n","protected":false},"featured_media":10396,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false},"product_cat":[58,55,64],"product_tag":[],"class_list":{"0":"post-10397","1":"product","2":"type-product","3":"status-publish","4":"has-post-thumbnail","6":"product_cat-2-day-training","7":"product_cat-hitb2023ams","8":"product_cat-virtual","10":"first","11":"instock","12":"featured","13":"shipping-taxable","14":"purchasable","15":"product-type-simple"},"acf":[]}