
Posts

Showing posts from 2022

Pwning PaaS Cloud Managed Services - From Breaking Isolation to Identifying Abuse

Introduction

Highly inspired by the work done by the team at Wiz (https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities), I decided to do some research on applications that provide PaaS managed services. The areas I focused on are coding platforms and managed service platforms. Every service provider did their best to ensure the isolation of user data: some relied on roles and permissions, while others used VM-level isolation. While cost and other valid considerations may drive that choice, it should not be forgotten that trial accounts can be operated by malicious users, who will try to misuse the services for fun or profit. Here we will discuss a few such cases. Some of these risks are by design and the vendors are aware of them; to ensure they are not abused, I will try not to name them. In this blog, I will discuss the various classes of exploitation that I was able to perform. It is very important to note each of the accoun

Attacking Jenkins with Shared Libraries

What is a Jenkins Shared Library?

A Jenkins shared library is popular where a large number of Jenkins jobs or pipelines use repeated code in their pipeline scripts. Developers create modular functions containing the repetitive code and then reuse them across various projects, pipelines and jobs. It is commonly seen in enterprises or organizations where teams work on multiple projects that share common patterns in every pipeline. Imagine a function that sends a notification to Slack about a build passing or failing: it can be used by many jobs. These shared functions are usually kept in an SCM such as GitHub and may or may not be publicly accessible. Because they are helper functions and carry no customer data or code, the SCM repository is sometimes not private.

What does the project structure of a Jenkins Shared Library look like? As copied from https://www.jenkins.io/doc/book/pipeline/shared-libraries/:

(root)
+- src                     # Groovy source files
|   +- org
|       +- foo
|
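To make the layout concrete, here is an added example (not code from the post or from the Jenkins project) of the kind of helper the text describes: a `vars/` global step that posts a build result to Slack, and a consuming Jenkinsfile that loads it. The library name `notify-lib`, the channel `#builds`, and the tag `v1.2.0` are assumptions for illustration; the `slackSend` step is assumed to come from the Slack Notification plugin. The second half shows the check a practitioner should make when consuming a library from a repository they do not control: which ref the `@Library` annotation actually tracks.

```groovy
// --- vars/notifySlack.groovy (lives in the shared-library repository) ---
// Global variables under vars/ become pipeline steps named after the file,
// so pipelines call this as notifySlack(status: 'SUCCESS').
// Assumes the Slack Notification plugin supplies the slackSend step.
def call(Map args = [:]) {
    String status  = args.status  ?: currentBuild.currentResult ?: 'UNKNOWN'
    String channel = args.channel ?: '#builds'          // assumed default channel
    String color
    switch (status) {
        case 'SUCCESS':  color = 'good';    break
        case 'UNSTABLE': color = 'warning'; break
        default:         color = 'danger'
    }
    String message = "${env.JOB_NAME} #${env.BUILD_NUMBER}: ${status} (<${env.BUILD_URL}|open>)"
    slackSend(channel: channel, color: color, message: message)
}

// --- Jenkinsfile (in each consuming project) ---
// Loading the library with no version, e.g.
//   @Library('notify-lib') _
// tracks the default branch configured for the library in Jenkins, so every
// job that loads it runs whatever is on that branch at build time. Anyone who
// can push to that branch can therefore change what all of those jobs execute.
// Pinning to a tag narrows that; pinning to a commit hash is immutable, since a
// tag or branch can be moved by anyone with push access to the repository.
@Library('notify-lib@v1.2.0') _    // 'notify-lib' and 'v1.2.0' are assumed names

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'make'
            }
        }
    }
    post {
        // currentResult is the status so far, so this fires for pass and fail alike.
        always {
            notifySlack(status: currentBuild.currentResult)
        }
    }
}
```

Whether the library code runs sandboxed depends on how it is registered: a global shared library configured at the Jenkins system level is treated as trusted and runs outside the Groovy sandbox, while a folder-level library runs inside it. A `vars/` helper in a trusted global library therefore executes with the controller's privileges in every job that loads it, which is what makes write access to its repository, or to the branch the `@Library` annotation tracks, worth auditing.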