This plugin is only meant for security training. It must not be used in any production system: it deliberately contains several vulnerabilities.
To run the plugin directly: `mvn hpi:run`.

Otherwise, you can compile it using `mvn package` and then install it on a running Jenkins instance.
This repository is the 2024 edition of the sister repository: https://github.com/Wadeck/emmenthal-plugin.
As this is used as a workshop in India, the name was adjusted to something from Indian cuisine that has holes.
The appam is a type of thin pancake originating from South India and Sri Lanka. It is made with fermented rice batter and coconut milk.
Reference: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Jenkins documentation: https://www.jenkins.io/doc/developer/security/#what-do-plugins-need-to-do-to-protect-web-methods
- missing
- incorrect
- wrong scope
Reference: https://owasp.org/www-community/attacks/csrf
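The following is an added example (not code from the appam plugin) of a Stapler web method written the way the Jenkins "protect web methods" page asks for, so that it is affected by neither the access-control items above (missing check, incorrect check, wrong scope) nor the CSRF item. The `TrainingRootAction` class, the `/training` URL and the counter map are assumptions made for the example.

```java
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical controller-wide action, served under /training/.
@Extension
public class TrainingRootAction implements RootAction {

    // State the web method mutates; any state change is what makes the checks below mandatory.
    static final Map<String, AtomicInteger> COUNTERS = new ConcurrentHashMap<>();

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "training"; }

    // Reachable as POST /training/resetCounter?name=...
    // @RequirePOST rejects GET, so a plain link or <img src> cannot trigger the
    // action (CSRF); the POST is only accepted by Jenkins with a valid crumb.
    @RequirePOST
    public HttpResponse doResetCounter(@QueryParameter String name) {
        // Permission check before any side effect, and with the right scope:
        // this endpoint changes controller-wide state, so Jenkins.ADMINISTER is
        // checked on the Jenkins object. An endpoint acting on one job would
        // instead check Item.CONFIGURE on that job (via @AncestorInPath Item).
        // "Incorrect" checks seen in practice: calling hasPermission() and
        // ignoring the boolean, or checking Jenkins.READ, which everyone has.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        if (name == null || name.isEmpty()) {
            return HttpResponses.errorWithoutStack(400, "name is required");
        }
        COUNTERS.computeIfAbsent(name, k -> new AtomicInteger()).set(0);
        return HttpResponses.ok();
    }

    // Read-only endpoint: still needs a permission check, but a GET is acceptable
    // because nothing changes, so no @RequirePOST.
    public HttpResponse doCounter(@QueryParameter String name) {
        Jenkins.get().checkPermission(Jenkins.READ);
        AtomicInteger c = name == null ? null : COUNTERS.get(name);
        return HttpResponses.text(c == null ? "0" : String.valueOf(c.get()));
    }
}
```

`checkPermission` throws `AccessDeniedException` when the current user lacks the permission, which Stapler turns into a 403; using the throwing form rather than `hasPermission` makes it impossible to forget to act on the result.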
Reference: https://owasp.org/www-community/attacks/xss/
Jenkins documentation: https://www.jenkins.io/doc/developer/security/xss-prevention/
- stored
- reflected
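Added example (not the plugin's own code) for the reflected case: a web method that echoes a request parameter into HTML. The `GreetingAction` class and the `name` parameter are assumptions; the escaping call is Jenkins core's `hudson.Util.escape`. A stored value read back from configuration goes through exactly the same function at output time.

```java
import hudson.Util;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

import java.io.IOException;
import java.io.PrintWriter;

// Hypothetical action that renders a greeting from a query parameter.
public class GreetingAction {

    // Vulnerable form, kept only to show the difference: the raw parameter becomes markup.
    static String renderGreetingUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened form: Util.escape encodes &, <, >, " and ' for an HTML text context,
    // so a value like <script> is displayed as text instead of executed.
    static String renderGreeting(String name) {
        return "<p>Hello, " + Util.escape(name) + "</p>";
    }

    public void doGreet(StaplerRequest req, StaplerResponse rsp,
                        @QueryParameter String name) throws IOException {
        rsp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = rsp.getWriter()) {
            out.print(renderGreeting(name == null ? "" : name));
        }
    }
}
```

In Jelly views the equivalent is the `<?jelly escape-by-default='true'?>` header that the Jenkins XSS prevention page asks every view to carry, which makes `${...}` output escaped unless explicitly marked otherwise.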
Reference: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- SSRF
- secrets theft
Reference: https://owasp.org/www-community/attacks/Path_Traversal
- arbitrary file read
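Added example (not the plugin's own code) of serving a file from a fixed directory while rejecting any name that escapes it. The `SafeFileRead` class and the temporary directory are assumptions; the check is the general one (normalise, compare to the canonical root, re-check after following symlinks), so it also covers absolute paths and symlinks, not only `..` segments.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeFileRead {

    private final Path root;

    SafeFileRead(Path root) throws IOException {
        // Canonical root, so the comparison below is between real paths.
        this.root = root.toRealPath();
    }

    // Returns the canonical path of the requested file inside root, or null if
    // the name does not resolve to an existing file under root.
    Path resolveInsideRoot(String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty() || userSupplied.indexOf('\0') >= 0) {
            return null;
        }
        // resolve() with an absolute argument discards root entirely, and
        // normalize() folds "a/../../x" into the parent, so one startsWith
        // check on the normalized result catches both shapes.
        Path candidate = root.resolve(userSupplied).normalize();
        if (!candidate.startsWith(root)) {
            return null;
        }
        if (!Files.isRegularFile(candidate)) {
            return null;
        }
        // A symlink inside root may point outside it: follow it, then check again.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("appam-demo"); // constructed fixture
        Files.writeString(dir.resolve("report.txt"), "ok");
        SafeFileRead s = new SafeFileRead(dir);
        System.out.println(s.resolveInsideRoot("report.txt") != null);        // true
        System.out.println(s.resolveInsideRoot("../../outside.txt") == null);  // true
        System.out.println(s.resolveInsideRoot(dir.getParent().toString()) == null); // true (absolute)
    }
}
```

The caller still decides what may be read at all; this only guarantees the result is under `root`. On the Jenkins side the same idea applies to anything built from `Jenkins.get().getRootDir()` or a job's workspace with user input appended.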
Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
Jenkins documentation: https://www.jenkins.io/doc/developer/security/secrets/
- plain text (any)
- hashed (password)
- encrypted (token)
- timing attack
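Added example (not the plugin's own code) covering the four items above: a token that must be recoverable is stored as `hudson.util.Secret` (encrypted in `config.xml`) rather than plain text; a password that only needs verifying is stored as a salted slow hash; and both comparisons are constant-time so that a correct prefix is not measurably faster than a wrong one. The `SecretHandling` class, PBKDF2 parameters and the `$`-separated storage format are assumptions; the `Secret` part needs a running Jenkins, the hashing and comparison parts run on a plain JDK.

```java
import hudson.util.Secret;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SecretHandling {

    // Persisted as its encrypted value; XStream never writes the plain text.
    private final Secret apiToken;

    SecretHandling(String tokenFromForm) {
        this.apiToken = Secret.fromString(tokenFromForm);
    }

    // Decrypt only at the point of use, never in a getter exposed to a view.
    String tokenForOutboundCall() {
        return apiToken.getPlainText();
    }

    // Password hashing: PBKDF2-HMAC-SHA256, random 16-byte salt, 210000 iterations.
    // (Jenkins' own user database uses bcrypt; PBKDF2 keeps this example JDK-only.)
    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(pbkdf2(password, salt));
    }

    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(expected, pbkdf2(password, salt));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Token comparison: String.equals returns at the first mismatching character,
    // which is the timing side channel listed above; compare the bytes in constant time.
    static boolean tokenMatches(String presented, String expected) {
        if (presented == null || expected == null) return false;
        return MessageDigest.isEqual(
            presented.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String stored = hashPassword("correct horse".toCharArray());
        System.out.println(verifyPassword("correct horse".toCharArray(), stored)); // true
        System.out.println(verifyPassword("wrong".toCharArray(), stored));         // false
        System.out.println(tokenMatches("tok-1234", "tok-1234"));                  // true
        System.out.println(tokenMatches("tok-1299", "tok-1234"));                  // false
    }
}
```

The split between the two storage forms is the point of the list above: anything the plugin must send somewhere (a token) has to be encrypted and decryptable, anything it only ever compares (a password) should not be recoverable at all.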
Reference: https://owasp.org/www-community/attacks/Denial_of_Service
- recursive calls
- regex based
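Added example (not the plugin's own code) for both shapes listed: a regular expression with a nested quantifier, which backtracks exponentially on a near-match, next to an equivalent linear pattern with an input length cap; and a recursive walk over attacker-shaped nested input with an explicit depth bound, since a `StackOverflowError` on a request thread is the denial of service. The `DosGuards` class, the limits and the `Node` tree are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class DosGuards {

    // Nested quantifier: on "aaa...a!" the engine tries every way of splitting the
    // run of a's between the inner and outer + before failing, i.e. 2^n attempts.
    static final Pattern VULNERABLE = Pattern.compile("^(a+)+$");
    // Same language, one unbounded quantifier, linear time.
    static final Pattern SAFE = Pattern.compile("^a+$");
    // Even a linear pattern should not be handed megabytes from a request.
    static final int MAX_INPUT = 1024;

    static boolean isAllA(String s) {
        if (s == null || s.length() > MAX_INPUT) return false;
        return SAFE.matcher(s).matches();
    }

    // Tree coming from user input (nested elements, nested JSON objects, ...).
    static final class Node {
        final List<Node> children = new ArrayList<>();
    }

    static final int MAX_DEPTH = 32;

    // Recursion is fine when the depth is bounded by the code, not by the input.
    static int countNodes(Node n, int depth) {
        if (depth > MAX_DEPTH) {
            throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        }
        int total = 1;
        for (Node c : n.children) {
            total += countNodes(c, depth + 1);
        }
        return total;
    }

    public static void main(String[] args) {
        String nearMatch = "a".repeat(28) + "!"; // constructed input
        long t = System.nanoTime();
        boolean r = isAllA(nearMatch);
        System.out.println(r + " in " + (System.nanoTime() - t) / 1_000_000 + " ms"); // false, ~0 ms
        // VULNERABLE.matcher(nearMatch).matches() on the same input takes minutes;
        // left out of the run on purpose.

        Node root = new Node();
        Node cur = root;
        for (int i = 0; i < 40; i++) { Node c = new Node(); cur.children.add(c); cur = c; }
        try {
            countNodes(root, 0);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // nesting deeper than 32
        }
    }
}
```

The reviewer's check for the regex case is mechanical: any quantified group that itself contains a quantifier (`(a+)+`, `(.*)*`, `(\w+\s?)+`) applied to user input needs either a rewrite or a hard input bound.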
Reference: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
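Added example (not the plugin's own code) of validating a "return to" parameter before redirecting: only a path rooted on this server is accepted, everything else falls back to a fixed location. The `RedirectGuard` class and the fallback are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RedirectGuard {

    static final String FALLBACK = "/";

    // Returns the requested target if it is a local path, otherwise FALLBACK.
    static String safeTarget(String requested) {
        if (requested == null || requested.isEmpty()) return FALLBACK;
        // Must be rooted on this server; a bare "http://..." or "evil.example" is out.
        if (!requested.startsWith("/")) return FALLBACK;
        // Browsers read "//host" and "/\host" as protocol-relative URLs to another host.
        if (requested.startsWith("//") || requested.startsWith("/\\")) return FALLBACK;
        // Control characters could split the Location header.
        for (char c : requested.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return FALLBACK;
        }
        try {
            URI u = new URI(requested);
            if (u.getScheme() != null || u.getAuthority() != null || u.getHost() != null) {
                return FALLBACK;
            }
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        return requested;
    }

    // In a Stapler web method the result is used as: rsp.sendRedirect2(safeTarget(from));

    public static void main(String[] args) {
        System.out.println(safeTarget("/job/demo/"));           // /job/demo/
        System.out.println(safeTarget("https://example.org/"));  // /
        System.out.println(safeTarget("//example.org/"));        // /
        System.out.println(safeTarget("/\\example.org/"));       // /
        System.out.println(safeTarget("/job/demo/\r\nX: y"));    // /
    }
}
```

Jenkins core exposes the same decision as `hudson.Util.isSafeToRedirectTo(String)`, which is what the login flow uses for its own `from` parameter; a plugin redirecting on user input should prefer that over a hand-written check.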
Jenkins documentation: https://github.com/jenkinsci/credentials-plugin/blob/master/docs/consumer.adoc
- incorrect scope (system vs global)
- credentials enumeration
- credentials theft
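Added example (not the plugin's own code) of the form-validation pattern from the credentials plugin consumer guide linked above, which is where the three items are usually introduced: a `doFill...Items` method that lists credential ids without a permission check lets any reader enumerate them, and a `doCheck...` method that returns the resolved secret lets them steal it; listing with the wrong scope (system-scoped credentials shown to a job-level configuration) exposes controller credentials to job owners. The `AppamBuilder` class and the `credentialsId` field are assumptions, and the `ACL.SYSTEM2` overloads assume a credentials plugin version built for Jenkins 2.266 or later.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.util.Collections;

public class AppamBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override public boolean isApplicable(Class jobType) { return true; }

        // Fills the credentials dropdown in the job configuration page.
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            // Permission check first: without it, anyone with Overall/Read can
            // call this URL directly and enumerate every credential id.
            if (item == null) {
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return result.includeCurrentValue(credentialsId);
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialsId);
            }
            // Listing as SYSTEM2 with the item as context applies the credential
            // scope rules: in a job context only GLOBAL credentials are offered,
            // SYSTEM-scoped ones stay reserved for the controller itself.
            return result
                    .includeEmptyValue()
                    .includeMatchingAs(ACL.SYSTEM2, item,
                            StandardUsernamePasswordCredentials.class,
                            Collections.emptyList(),
                            CredentialsMatchers.always())
                    .includeCurrentValue(credentialsId);
        }

        // Validates the selection. It reports whether the id resolves, and nothing
        // more: returning the username or password here would be the theft case.
        public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                                                   @QueryParameter String value) {
            if (item == null) {
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) return FormValidation.ok();
            } else if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return FormValidation.ok();
            }
            if (value == null || value.isEmpty()) {
                return FormValidation.warning("No credentials selected");
            }
            boolean found = !CredentialsProvider.listCredentialsInItem(
                    StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM2,
                    Collections.emptyList(),
                    CredentialsMatchers.withId(value)).isEmpty();
            return found ? FormValidation.ok()
                         : FormValidation.error("Cannot find currently selected credentials");
        }
    }
}
```

The rule the two methods follow is the same one as for any web method: check the permission of the caller on the context item, then only ever return what that caller is allowed to see, which for credentials is the list of ids and a yes/no on resolution.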