Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Traversing my way in the internal network

Traversing my way in the internal network



July 25, 2021


  1. Traversing my way in the internal network

  2. GET /whoami HTTP/2 Jasmin Landry JR0ch17 …. IT & Security

    Lead Bug Bounty Hunter
  3. GET /agenda HTTP/2 • Monolithic vs Microservices • Attacking web

    applications on a microservices architecture • Examples of vulnerabilities found • Questions
  4. GET /monolithic HTTP/2 *https://www.linkedin.com/pulse/monolithic-vs-micro-services-architecture-animesh-sharma/

  5. GET /monolithic?page=2 HTTP/2 • Limitation in size and complexity •

    Application must be redeployed on each update • Continuous Deployment (CD) is difficult • Difficult to scale • Reliability – Single point of failure
  6. GET /microservices HTTP/2 *https://microservices.io/patterns/microservices.html

  7. GET /microservices?page=2 HTTP/2 • The complexity problem disappears • Each

    service can be developed independently • Each service can be deployed independently – Easier to do CD • Easier to scale
  8. GET /microservices_communication HTTP/2 How does each microservice talk to each

    other? • HTTP is commonly used J • They typically make API calls
  9. GET /attack_surface HTTP/2 • Larger attack surface • Each microservice

    isolated in its own container? • Separate server and IP? • Separate subnet? • Potential vulnerabilities to look for • RCE, of course J • SQL • SSRF • Path Traversal
  10. GET /path_traversal HTTP/2 • Not the typical path traversal vulnerability

    • ../../../../../../etc/passwd • I mean, if I find that it’s definitely cool :D • This is what I mean • Microservices use HTTP to make API calls to each other • They take our user input in the API calls (REST API maybe? J ) • Example vulnerable URL • https://app.domain.com/api/v1/user?id=1337
  11. GET /path_traversal?page=2 HTTP/2 • Example vulnerable URL • https://app.domain.com/api/v1/user?id=1337 •

    Think of how the application is structured • SQL Injection • Path Traversal • Flow of a request • Hacker -> https://app.domain.com/api/v1/user?id=1337 • Microservice -> https://user-service.domain.internal/users/1337 • Content returned to Hacker
  12. GET /path_traversal?page=3 HTTP/2 • Example vulnerable URL • https://app.domain.com/api/v1/user?id=1337 •

    Path Traversal (finally) • Hacker -> https://app.domain.com/api/v1/user?id=1337/../../ • Microservice -> https://user-service.domain.internal/user/1337/../../ • URL normalizes to https://user-service.domain.internal/ • Contents returned to Hacker
  13. GET /keep_in_mind HTTP/2 • The request method can be GET,

    POST, PUT, DELETE, PATCH • Sometimes the microservice will add other details in the request that we need to ignore (or not) • Example microservice request: https://user- service.domain.internal/user/1337/all?admin=false • Only a status code 200 returns the content • https://user-service.domain.internal/user/1337/../../ may fail if the web root is a 404 or 403. • Try and generate as many verbose error messages as possible to gather as much as information as you can about what’s going on
  14. GET /examples/1 HTTP/2 Returned ALL clients’ details -> P!

  15. GET /examples/2 HTTP/2

  16. GET /possibilities HTTP/2 • RCE • SSTI • Secret Token

    Exposed • Exploit known issues in internal services • Jira SSRF • Jenkins RCE • Information Disclosure • Spring Boot Actuator • Admin Access • PII disclosure • PCI data disclosure • Clear text credentials • API and Oauth keys • Open Redirect to pivot to other web applications • CRLF
  17. GET /thanks HTTP/2 Thank you for listening Questions? More questions?

    DMs are open on and