Question 1

How does LOTP compare to GTFOBins for security research?

Accepted Answer

LOTP is specifically tailored to CI/CD pipeline tools and RCE-by-design features, while GTFOBins focuses on general Linux binaries for privilege escalation. Both are community-driven, but LOTP addresses supply chain security in development workflows.

Question 2

How can I use LOTP to check if my CI/CD tools are vulnerable?

Accepted Answer

Browse the LOTP inventory on GitHub Pages to see documented tools and their exploitation methods. Cross-reference with your pipeline's toolchain to identify matches, then assess risks and implement mitigations like input validation or tool restrictions.

Question 3

Does LOTP offer any APIs or integrations for automated checking?

Accepted Answer

No, LOTP is a static documentation site without APIs or integrations; for automated scanning, you'd need to build custom scripts based on its data or use dedicated security tools like SAST or DAST solutions.

Question 4

What's the process for contributing a new tool to LOTP?

Accepted Answer

Submit a pull request with the tool's details, including how it can be exploited for RCE, following the contribution guidelines on GitHub. Issues can also be opened for new ideas or discussions.

Question 5

Are the risks in LOTP applicable to cloud-native CI/CD services like GitHub Actions?

Accepted Answer

Yes, many documented tools are commonly used in services like GitHub Actions or GitLab CI; LOTP helps identify risks when these tools process untrusted code changes, which is prevalent in modern CI/CD workflows.

Question 6

How often is LOTP updated with new entries?

Accepted Answer

Updates depend entirely on community contributions via pull requests and issues, so there's no fixed schedule; monitor the GitHub repository for new submissions to stay current.

Living off the pipeline

What is Living off the pipeline?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions