diff --git a/pentesting-ci-cd/terraform-security.md b/pentesting-ci-cd/terraform-security.md
index d294608f6..5cf8b2650 100644
--- a/pentesting-ci-cd/terraform-security.md
+++ b/pentesting-ci-cd/terraform-security.md
@@ -15,7 +15,7 @@ Learn & practice GCP Hacking:
{% endhint %}
-### Basic Information
+## Basic Information
[From the docs:](https://developer.hashicorp.com/terraform/intro)
@@ -43,7 +43,7 @@ Just install terraform in your computer.
Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads).
-### RCE in Terraform
+## RCE in Terraform
Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**.
@@ -59,7 +59,7 @@ Actually, there are solutions out there that **execute terraform plan/apply auto
If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`.
-#### Terraform plan
+### Terraform plan
Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`.
@@ -112,7 +112,7 @@ You can find the rev shell code in [https://github.com/carlospolop/terraform\_ex
* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
-#### Terraform Apply
+### Terraform Apply
Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
You just need to make sure some payload like the following ones ends in the `main.tf` file:
@@ -135,7 +135,7 @@ resource "null_resource" "rev_shell" {
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**.
-### Secrets Dumps
+## Secrets Dumps
You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like:
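Review bot: the unchanged context line `Follow the **suggestions from the previous technique** the perform this attack ...` in this hunk carries a typo (`the perform` should read `to perform`); since this commit already retouches the section's heading, fix it in the same change.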
@@ -145,11 +145,11 @@ output "dotoken" {
}
```
-### Abusing Terraform State Files
+## Abusing Terraform State Files
In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
-#### Deleting resources
+### Deleting resources
There are 2 ways to destroy resources:
@@ -177,7 +177,7 @@ Because terraform will see that the resource shouldn't exit, it'll destroy it (f
For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
-#### RCE
+### RCE
It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
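Review bot: two typos sit in this hunk's context lines and are worth fixing while the heading is being changed: `the resource shouldn't exit` should be `shouldn't exist`, and `make terraform delete a recreate it` should be `make terraform delete and recreate it`.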
@@ -217,12 +217,106 @@ data "external" "example" {
}
```
-### Audit Tools
+## Automatic Audit Tools
-* [**tfsec**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
-* [**terascan**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code.
+### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
-### References
+Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
+
+* **Features:**
+ * Real-time scanning for security vulnerabilities and compliance issues.
+ * Integration with version control systems (GitHub, GitLab, Bitbucket).
+ * Automated fix pull requests.
+ * Detailed remediation advice.
+* **Sign Up:** Create an account on [Snyk](https://snyk.io/).
+
+```bash
+brew tap snyk/tap
+brew install snyk
+snyk auth
+snyk iac test /path/to/terraform/code
+```
+
+### [Checkov](https://github.com/bridgecrewio/checkov)
+
+**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
+
+It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
+
+It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
+
+```bash
+pip install checkov
+checkov -d /path/to/folder
+```
+
+### [terraform-compliance](https://github.com/terraform-compliance/cli)
+
+From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
+
+* **compliance:** Ensure the implemented code is following security standards, your own custom standards
+* **behaviour driven development:** We have BDD for nearly everything, why not for IaC ?
+* **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
+* **pre-deploy:** it validates your code before it is deployed
+* **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
+* **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible.
+
+{% hint style="info" %}
+Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool.
+{% endhint %}
+
+```bash
+pip install terraform-compliance
+terraform plan -out=plan.out
+terraform-compliance -f /path/to/folder
+```
+
+### [tfsec](https://github.com/aquasecurity/tfsec)
+
+From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
+
+* ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
+* ⛔ Hundreds of built-in rules
+* 🪆 Scans modules (local and remote)
+* ➕ Evaluates HCL expressions as well as literal values
+* ↪️ Evaluates Terraform functions e.g. `concat()`
+* 🔗 Evaluates relationships between Terraform resources
+* 🧰 Compatible with the Terraform CDK
+* 🙅 Applies (and embellishes) user-defined Rego policies
+* 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
+* 🛠️ Configurable (via CLI flags and/or config file)
+* ⚡ Very fast, capable of quickly scanning huge repositories
+
+```bash
+brew install tfsec
+tfsec /path/to/folder
+```
+
+### [KICKS](https://github.com/Checkmarx/kics)
+
+Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx.
+
+**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project.
+
+```bash
+docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
+```
+
+### [Terrascan](https://github.com/tenable/terrascan)
+
+From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
+
+* Seamlessly scan infrastructure as code for misconfigurations.
+* Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
+* Detect security vulnerabilities and compliance violations.
+* Mitigate risks before provisioning cloud native infrastructure.
+* Offers flexibility to run locally or integrate with your CI\CD.
+
+```bash
+brew install terrascan
+```
+
+## References
* [Atlantis Security](atlantis-security.md)
* [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
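Review bot: the terraform-compliance snippet writes a plan with `terraform plan -out=plan.out` but never hands it to the tool, and `-f` is the flag for the directory of BDD feature files rather than the Terraform source, so `terraform-compliance -f /path/to/folder` as written will not test the plan; the usage should be along the lines of `terraform-compliance -f /path/to/features -p plan.out`. Two smaller points in the same hunk: the `### [KICKS](https://github.com/Checkmarx/kics)` heading misspells the tool, which the body text correctly expands as KICS, and the Terrascan section stops at `brew install terrascan` with no scan invocation, unlike every other tool listed; adding `terrascan scan -d /path/to/folder` would keep the sections consistent.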