How we Abused Repository Webhooks to Access Internal CI Systems at Scale

From cidersecurity.io

As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems (like GitHub or GitLab) with an internal, self-hosted CI solution (e.g. Jenkins, TeamCity). Many organizations using such architectures allow these CI systems to receive webhook events from the SaaS source control vendors, for the simple purpose of triggering pipeline jobs.

To allow the webhook requests to reach the internally-hosted CI system, the SaaS-based SCM vendors publish the IP ranges from which their webhook requests originate, so those ranges can be allowlisted in the organization’s firewall.

In this blog post, we’ll dive into the potential security pitfalls of this control, and explain why it provides organizations with a false sense of security.
We’ll showcase how anyone on the internet can overcome this IP restriction, access data and even execute code on internal CI systems, and how we did it at scale.
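To make the defensive point concrete, here is an added example (not code from the original post, nor from Cider Security) of a webhook receiver that treats the vendor IP allowlist as only one of two checks and additionally verifies the HMAC signature the SCM attaches to each delivery. The header name `X-Hub-Signature-256` and the `sha256=<hex>` format follow GitHub's documented signature header; the shared secret, the allowlisted range (a documentation-only network) and the sample payload are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

# Hypothetical shared secret configured both on the SCM webhook and on the CI receiver.
# Constructed for this example; a real deployment would load it from a secret store.
WEBHOOK_SECRET = b"constructed-example-secret"

# Constructed allowlist using the TEST-NET-1 documentation range.
# A real deployment would populate this from the vendor's published ranges.
ALLOWED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Return the GitHub-style header value: 'sha256=' + hex HMAC-SHA256 over the raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def signature_is_valid(body: bytes, header_value: Optional[str],
                       secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison of the presented signature against the expected one.

    The HMAC must be computed over the raw request bytes as received, not over a
    re-serialized JSON object, or legitimate deliveries will fail verification.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(body, secret), header_value)


def ip_is_allowlisted(remote_ip: str) -> bool:
    """Network-layer check only: true if the peer address falls in a vendor range."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_RANGES)


def accept_webhook(remote_ip: str, headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Decide whether to trigger a pipeline for this delivery.

    The IP allowlist alone only proves the request came from the vendor's
    infrastructure; the signature proves it came from the webhook configured
    with our secret. Both must pass.
    """
    if not ip_is_allowlisted(remote_ip):
        return False, "source ip not in vendor range"
    if not signature_is_valid(body, headers.get("X-Hub-Signature-256")):
        return False, "bad or missing signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery.
    payload = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'
    good_headers = {"X-Hub-Signature-256": sign(payload)}
    unsigned_headers = {"X-Hub-Signature-256": "sha256=" + "0" * 64}

    print(accept_webhook("192.0.2.10", good_headers, payload))      # (True, 'ok')
    print(accept_webhook("192.0.2.10", unsigned_headers, payload))  # rejected despite trusted IP
    print(accept_webhook("203.0.113.5", good_headers, payload))     # rejected: IP outside range
```

The second call is the case the post is about: a request that arrives from an allowlisted vendor address but was not produced by the webhook configured with the receiver's secret is still rejected, because the decision no longer rests on the source IP alone.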
