Slide 1

Slide 1 text

Traversing my way in the internal network

Slide 2

Slide 2 text

GET /whoami HTTP/2
Jasmin Landry, JR0ch17
IT & Security Lead
Bug Bounty Hunter

Slide 3

Slide 3 text

GET /agenda HTTP/2
• Monolithic vs Microservices
• Attacking web applications on a microservices architecture
• Examples of vulnerabilities found
• Questions

Slide 4

Slide 4 text

GET /monolithic HTTP/2
Source: https://www.linkedin.com/pulse/monolithic-vs-micro-services-architecture-animesh-sharma/

Slide 5

Slide 5 text

GET /monolithic?page=2 HTTP/2
• Limitation in size and complexity
• Application must be redeployed on each update
• Continuous Deployment (CD) is difficult
• Difficult to scale
• Reliability – Single point of failure

Slide 6

Slide 6 text

GET /microservices HTTP/2
Source: https://microservices.io/patterns/microservices.html

Slide 7

Slide 7 text

GET /microservices?page=2 HTTP/2
• The complexity problem disappears
• Each service can be developed independently
• Each service can be deployed independently – Easier to do CD
• Easier to scale

Slide 8

Slide 8 text

GET /microservices_communication HTTP/2
How does each microservice talk to each other?
• HTTP is commonly used :)
• They typically make API calls

Slide 9

Slide 9 text

GET /attack_surface HTTP/2
• Larger attack surface
  • Each microservice isolated in its own container?
  • Separate server and IP?
  • Separate subnet?
• Potential vulnerabilities to look for
  • RCE, of course :)
  • SQL
  • SSRF
  • Path Traversal

Slide 10

Slide 10 text

GET /path_traversal HTTP/2
• Not the typical path traversal vulnerability
  • ../../../../../../etc/passwd
  • I mean, if I find that it’s definitely cool :D
• This is what I mean
  • Microservices use HTTP to make API calls to each other
  • They take our user input in the API calls (REST API maybe? :) )
• Example vulnerable URL
  • https://app.domain.com/api/v1/user?id=1337

Slide 11

Slide 11 text

GET /path_traversal?page=2 HTTP/2
• Example vulnerable URL
  • https://app.domain.com/api/v1/user?id=1337
• Think of how the application is structured
  • SQL Injection
  • Path Traversal
• Flow of a request
  • Hacker -> https://app.domain.com/api/v1/user?id=1337
  • Microservice -> https://user-service.domain.internal/users/1337
  • Content returned to Hacker

Slide 12

Slide 12 text

GET /path_traversal?page=3 HTTP/2
• Example vulnerable URL
  • https://app.domain.com/api/v1/user?id=1337
• Path Traversal (finally)
  • Hacker -> https://app.domain.com/api/v1/user?id=1337/../../
  • Microservice -> https://user-service.domain.internal/user/1337/../../
  • URL normalizes to https://user-service.domain.internal/
  • Contents returned to Hacker

Slide 13

Slide 13 text

GET /keep_in_mind HTTP/2
• The request method can be GET, POST, PUT, DELETE, PATCH
• Sometimes the microservice will add other details in the request that we need to ignore (or not)
  • Example microservice request: https://user-service.domain.internal/user/1337/all?admin=false
• Only a status code 200 returns the content
  • https://user-service.domain.internal/user/1337/../../ may fail if the web root returns a 404 or 403
• Try to generate as many verbose error messages as possible to gather as much information as you can about what’s going on
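The request flow on slides 10 to 13, as an added illustration that is not part of the talk: a gateway that concatenates the user-supplied id into the upstream URL, the normalization an upstream server applies to that URL, a check that tells a defender when the resolved path has left the intended collection, and the hardened builder that allow-lists the identifier. The hostnames are the ones on the slides; nothing here touches the network.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Upstream service name taken from the slides (constructed example, no network calls).
UPSTREAM = "https://user-service.domain.internal"

def build_upstream_url_naive(user_id: str) -> str:
    """Vulnerable pattern from the slides: raw concatenation, so the caller
    controls every path segment that follows /users/."""
    return f"{UPSTREAM}/users/{user_id}"

def resolve_as_server_would(url: str) -> str:
    """Collapse dot segments the way an upstream HTTP server resolves them
    (RFC 3986 remove_dot_segments), to see where the request really lands.
    posixpath.normpath models that resolution for an absolute path."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path) if parts.path else "/"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))

def escapes_prefix(url: str, prefix: str = "/users/") -> bool:
    """Detection check for gateway or proxy logs: True when the normalized
    path no longer sits under the collection the endpoint was meant to serve."""
    return not urlsplit(resolve_as_server_would(url)).path.startswith(prefix)

# Allow-list for the identifier: digits only, bounded length (assumed policy).
ID_RE = re.compile(r"[0-9]{1,20}")

def build_upstream_url_safe(user_id: str) -> str:
    """Hardened builder: reject anything but a numeric id, then encode the
    value as a single path segment (quote() with safe='' turns '/' into %2F,
    so even a rejected-by-mistake slash could not introduce a new segment)."""
    if not ID_RE.fullmatch(user_id):
        raise ValueError("invalid user id")
    return f"{UPSTREAM}/users/{quote(user_id, safe='')}"

if __name__ == "__main__":
    for candidate in ("1337", "1337/../../"):
        url = build_upstream_url_naive(candidate)
        print(candidate, "->", resolve_as_server_would(url), "escapes:", escapes_prefix(url))
```

The allow-list is the real control; the `quote` step is defence in depth for frameworks that decode `%2F` before routing.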

Slide 14

Slide 14 text

GET /examples/1 HTTP/2
Returned ALL clients’ details -> P!

Slide 15

Slide 15 text

GET /examples/2 HTTP/2

Slide 16

Slide 16 text

GET /possibilities HTTP/2
• RCE
• SSTI
• Secret Token Exposed
• Exploit known issues in internal services
  • Jira SSRF
  • Jenkins RCE
• Information Disclosure
  • Spring Boot Actuator
  • Admin Access
  • PII disclosure
  • PCI data disclosure
  • Clear text credentials
  • API and OAuth keys
• Open Redirect to pivot to other web applications
• CRLF

Slide 17

Slide 17 text

GET /thanks HTTP/2
Thank you for listening
Questions? More questions?
DMs are open on and