Jenkins Attack Framework
A command-line tool for security testing and offensive operations against Jenkins CI/CD servers.
What is Jenkins Attack Framework?
Jenkins Attack Framework (JAF) is a security assessment tool designed for offensive operations against Jenkins CI/CD servers. It enables security professionals to test credentials, dump stored secrets, execute system commands, manage jobs, and perform various other security tests to identify vulnerabilities and misconfigurations in Jenkins deployments.
Penetration testers, red teamers, and security researchers who need to assess the security of Jenkins CI/CD servers during authorized security assessments.
JAF provides a comprehensive, command-line tool specifically tailored for Jenkins security testing, offering features like ghost job execution, credential dumping via multiple methods, and detailed access checking that aren't available in generic security tools.
Overview
The Jenkins Attack Framework (JAF) is a security assessment tool designed to test and exploit Jenkins CI/CD servers. It provides penetration testers and security researchers with a comprehensive suite of operations to evaluate Jenkins security posture, identify misconfigurations, and demonstrate attack vectors.
Key Features
- AccessCheck — Heuristically tests credentials and provides a rough overview of user access levels.
- Credential Dumping — Extracts stored credentials via administrative console or job creation with explicit enumeration.
- Job Management — Lists, deletes, and runs jobs, including "ghost jobs" that don't appear in Jenkins after launch.
- API Token Operations — Creates, lists, and deletes API tokens for current or other users (with admin access).
- System Command Execution — Runs system commands and Groovy scripts via the Jenkins script console.
- File Upload — Uploads files to Jenkins servers via chunked base64 encoding through the console.
- Console Output Retrieval — Dumps console output from job builds, including failed builds and multiple attempts.
- User Enumeration — Identifies authenticated user roles and domain groups via the Jenkins API.
Philosophy
JAF is built as a modular, command-line-first tool that prioritizes operational security and flexibility for security professionals conducting authorized assessments.
Related Projects
Found a gem we're missing?
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.
