This plugin is only meant for security training. It should not be put used in any production system. It voluntarily contains several vulnerabilities.

To run directly the plugin: mvn hpi:run.

Otherwise, you can compile is using mvn package and then install it on a running Jenkins instance.

This repository is the 2024 edition of the sister repository: https://github.com/Wadeck/emmenthal-plugin.

As this is used as a workshop in India, the name was adjusted to something in the indian cuisine that has holes.

The appam is a type of thin pancake originating from South India and Sri Lanka. It is made with fermented rice batter and coconut milk.

Reference: https://owasp.org/Top10/A01_2021-Broken_Access_Control/ Jenkins documentation: https://www.jenkins.io/doc/developer/security/#what-do-plugins-need-to-do-to-protect-web-methods

• missing
• incorrect
• wrong scope

Reference: https://owasp.org/www-community/attacks/csrf

Reference: https://owasp.org/www-community/attacks/xss/ Jenkins documentation: https://www.jenkins.io/doc/developer/security/xss-prevention/

• stored
• reflected

Reference: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

• SSRF
• secrets theft

Reference: https://owasp.org/www-community/attacks/Path_Traversal

• arbitrary file read

Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html Jenkins documentation: https://www.jenkins.io/doc/developer/security/secrets/

• plain text (any)
• hashed (password)
• encrypted (token)
• timing attack

Reference: https://owasp.org/www-community/attacks/Denial_of_Service

• recursive calls
• regex based

Reference: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Jenkins documentation: https://github.com/jenkinsci/credentials-plugin/blob/master/docs/consumer.adoc

• incorrect scope (system vs global)
• credentials enumeration
• credentials theft