
Traversing my way in the internal network

JR0ch17
July 25, 2021


Transcript

  1. GET /agenda HTTP/2 • Monolithic vs Microservices • Attacking web applications on a microservices architecture • Examples of vulnerabilities found • Questions
  2. GET /monolithic?page=2 HTTP/2 • Limitation in size and complexity • Application must be redeployed on each update • Continuous Deployment (CD) is difficult • Difficult to scale • Reliability – Single point of failure
  3. GET /microservices?page=2 HTTP/2 • The complexity problem disappears • Each service can be developed independently • Each service can be deployed independently – Easier to do CD • Easier to scale
  4. GET /microservices_communication HTTP/2 How does each microservice talk to each other? • HTTP is commonly used :) • They typically make API calls
  5. GET /attack_surface HTTP/2 • Larger attack surface • Each microservice isolated in its own container? • Separate server and IP? • Separate subnet? • Potential vulnerabilities to look for • RCE, of course :) • SQL • SSRF • Path Traversal
  6. GET /path_traversal HTTP/2 • Not the typical path traversal vulnerability • ../../../../../../etc/passwd • I mean, if I find that it's definitely cool :D • This is what I mean • Microservices use HTTP to make API calls to each other • They take our user input in the API calls (REST API maybe? :) ) • Example vulnerable URL • https://app.domain.com/api/v1/user?id=1337
  7. GET /path_traversal?page=2 HTTP/2 • Example vulnerable URL • https://app.domain.com/api/v1/user?id=1337 • Think of how the application is structured • SQL Injection • Path Traversal • Flow of a request • Hacker -> https://app.domain.com/api/v1/user?id=1337 • Microservice -> https://user-service.domain.internal/users/1337 • Content returned to Hacker
  8. GET /path_traversal?page=3 HTTP/2 • Example vulnerable URL • https://app.domain.com/api/v1/user?id=1337 • Path Traversal (finally) • Hacker -> https://app.domain.com/api/v1/user?id=1337/../../ • Microservice -> https://user-service.domain.internal/user/1337/../../ • URL normalizes to https://user-service.domain.internal/ • Contents returned to Hacker
  9. GET /keep_in_mind HTTP/2 • The request method can be GET, POST, PUT, DELETE, PATCH • Sometimes the microservice will add other details in the request that we need to ignore (or not) • Example microservice request: https://user-service.domain.internal/user/1337/all?admin=false • Only a status code 200 returns the content • https://user-service.domain.internal/user/1337/../../ may fail if the web root is a 404 or 403. • Try to generate as many verbose error messages as possible to gather as much information as you can about what's going on
  10. GET /possibilities HTTP/2 • RCE • SSTI • Secret Token Exposed • Exploit known issues in internal services • Jira SSRF • Jenkins RCE • Information Disclosure • Spring Boot Actuator • Admin Access • PII disclosure • PCI data disclosure • Clear text credentials • API and Oauth keys • Open Redirect to pivot to other web applications • CRLF
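Added example (not from the deck or the author): a small Python model of the gateway-to-microservice URL building behind slides 6 to 9, contrasting the naive concatenation that lets `1337/../../` normalize to the service root with a builder that validates the identifier, encodes it as a single path segment and re-checks that the resolved path stays under the expected prefix. The base URL and all function names are assumed for illustration; `escapes_prefix` can also serve as a log or WAF check for the same condition.

```python
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical internal service base, modelled on the deck's example hosts.
INTERNAL_BASE = "https://user-service.domain.internal/users/"


def build_internal_url_vulnerable(user_id: str) -> str:
    """The pattern the deck describes: the value of ?id= is concatenated
    straight into the path of the request sent to the internal service."""
    return INTERNAL_BASE + user_id


def escapes_prefix(url: str, base: str = INTERNAL_BASE) -> bool:
    """Return True when the URL's path, once dot segments are resolved,
    no longer sits under the expected service prefix. Percent-decoding
    first is deliberately conservative: encoded '..' is flagged as well."""
    want = urlsplit(base).path                     # "/users/"
    raw = unquote(urlsplit(url).path)
    resolved = posixpath.normpath(raw)             # "/users/1337/../../" -> "/"
    if raw.endswith("/") and not resolved.endswith("/"):
        resolved += "/"
    return not resolved.startswith(want)


def build_internal_url_safe(user_id: str) -> str:
    """Hardened builder: treat the id as an opaque token, encode it as one
    path segment, then re-check the resolved path as defence in depth."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", user_id):
        raise ValueError("invalid user id")
    url = INTERNAL_BASE + quote(user_id, safe="")  # '/', '.', '?', '#' become %XX
    if escapes_prefix(url):
        raise ValueError("resolved path leaves the service prefix")
    return url


if __name__ == "__main__":
    # Constructed sample ids: a normal one and the traversal case from slide 8.
    for uid in ("1337", "1337/../../"):
        vuln = build_internal_url_vulnerable(uid)
        print(f"{uid!r:16} -> {vuln}  escapes prefix: {escapes_prefix(vuln)}")
```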