Session at ContainerDay Security 2023 on the 8th of March in Hamburg.
You’ve been hearing a lot about security best practices, but you’re not convinced they can really make a difference? Do you think your resources are safe only because nobody would notice your random IP address? If so – join my session! I’ll show you real-life attack scenarios to convince you that misconfigurations can have dire consequences.
Slide 7 (xebia.com)
Scenario: HTML – AWS
Step 1, Source code:
  1. Just view the source code ☺
     - Comments
     - JavaScript
Step 2, AWS:
  - Administrator Access ☺
Slide 8
What went wrong?
Code, build, forget, repeat…
Sensitive data left in code:
  - “for the next team to let them know how it works”
  - “because that’s how I use variables in my JavaScript”
Slides 12–15
Scenario: GitHub – Office 365 – Jira – AWS
Step 1, Public GitHub repo:
  1. Config file with encrypted variables
  2. Java class with a decrypt function and… a secret key
Step 2, Office365:
  1. Teams: “Hello CxO ☺”
  2. SharePoint: PDF with a Jira configuration guide… including login and password
Step 3, Jira:
  Project “AWS”:
  - Task to create IAM User for an external service
  - Plaintext AWS Access and Secret keys in comments
Step 4, AWS:
  - Administrator Access ☺
Slide 16
What went wrong?
Hardcoded sensitive data:
  - Config files
  - Encryption keys
  - Git history
Lack of security awareness:
  - Too many viewers
  - Valid credentials in documentation
  - Using own personal/business account in scripts
Bad tools selection:
  - Public repository
  - Risky credentials sharing
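The two scenarios above (a key in a page's HTML comment or JavaScript, and an "encrypted" config whose decryption key lives in the same repository next to a ticket with plaintext AWS keys) are all caught by the same control: a secret scanner over the checkout and its history. The example below is added here and is not code from the talk or from Xebia. The file contents are constructed to mirror the slides; the key values are the placeholder access key and secret key from the AWS documentation, not working credentials, and the patterns are heuristics rather than a complete ruleset.

```python
import re

# Detection heuristics (constructed for this example, not a full ruleset).
PATTERNS = {
    # AWS access key IDs: AKIA/ASIA followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # A 40-character AWS-style secret next to a "secret key" label.
    "aws_secret_access_key": re.compile(
        r"(?i)secret(?:[_ ]access)?[_ ]?key\W{0,5}[A-Za-z0-9/+=]{40}\b"),
    # A symmetric/decryption key assigned as a string literal in source code.
    "hardcoded_key": re.compile(
        r"(?i)\b(?:secret|encryption|decrypt)[_ ]?key\b\s*=\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample files modelled on the scenarios in the talk. The key
# values are the placeholder values from the AWS documentation, not real keys.
SAMPLE_FILES = {
    # Scenario 1: a developer comment and a JavaScript variable left in the page.
    "index.html": (
        "<html><body>\n"
        "<!-- TODO remove before release: deploy uses AKIAIOSFODNN7EXAMPLE -->\n"
        "<script>var awsSecretKey = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\";</script>\n"
        "</body></html>\n"
    ),
    # Scenario 2, step 1: the decryption key sits beside the "encrypted" config.
    "src/main/java/Config.java": (
        "public class Config {\n"
        "    // with this in the repo, the \"encrypted\" config is plaintext to every reader\n"
        "    private static final String SECRET_KEY = \"changeit-0123456789abcdef\";\n"
        "}\n"
    ),
    "config/app.properties": "db.password=ENC(3e8a9f1c2d4b)\n",
    # Scenario 2, step 3: a ticket comment exported from the tracker.
    "jira-export/AWS-42.txt": (
        "Keys for the external service: AKIAIOSFODNN7EXAMPLE / "
        "secret key wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
    ),
}


def scan_text(path, text):
    """Return (path, line_number, rule) for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings


def scan_files(files):
    """Scan a {path: content} mapping: a checkout, or hunks from `git log -p`."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Feeding the same function the output of `git log -p` covers the "Git history" bullet: a key that was committed once stays retrievable after it is deleted from HEAD, so a history hit means the credential has to be rotated, not just removed.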
Slides 18–23
Scenario: Symfony Profiler – Internal Apps – AWS
Step 1, Symfony Profiler, a publicly available development tool:
  - Plaintext credentials in Server Parameters
  - Plaintext credentials in Requests history
  - parameters.yml preview
Step 2, Internal app:
  1. Admin credentials:
     - Dev Environment
     - Prod Environment
  2. SSO to multiple apps:
     - Production CRM
     - Webmail
Step 3, Webmail:
  1. AWS Invoices & Trusted Advisor emails
  2. Reset password for AWS Root account
Step 4, AWS Root Account:
  - No MFA
  - Organization Management Account
  - Administrator Access on all member accounts ☺
Slide 24
What went wrong?
Prod data on a non-prod env:
  - Prod database on a non-prod
  - Same credentials across multiple environments
  - A single cloud subscription for all envs / apps / clients
No MFA:
  - Not enforced
  - Shared credentials
Critical services using the same shared email:
  - “All for one, and one for all”
  - Shared account/password
  - Very old passwords
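The root-account and password findings in this scenario (no MFA on root, shared users, very old passwords) are visible in the IAM credential report that every account can generate. The checker below is an added example, not code from the talk. It works offline on a constructed excerpt of such a report: the column names match the real report but only the columns used are included, the account id is the AWS documentation example id, and the user names and dates are made up. "Now" is pinned to the day of the talk so the ages are reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed excerpt of an IAM credential report (real reports carry more
# columns; the names below match the real ones). 111122223333 is the AWS
# documentation example account id.
REPORT_CSV = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2023-01-20T09:00:00+00:00,true,true,2023-02-01T09:00:00+00:00
shared-ops,arn:aws:iam::111122223333:user/shared-ops,true,2019-03-01T09:00:00+00:00,false,true,2019-03-01T09:00:00+00:00
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,N/A,false,true,2020-06-15T09:00:00+00:00
"""

# Fixed "now" (the day of the talk) so the computed ages are reproducible.
NOW = datetime(2023, 3, 8, 12, 0, tzinfo=timezone.utc)
MAX_PASSWORD_AGE_DAYS = 90
MAX_KEY_AGE_DAYS = 90


def age_days(stamp, now=NOW):
    """Days since an ISO-8601 timestamp; None for the report's non-date markers."""
    if stamp in ("N/A", "not_supported", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now=NOW):
    """Return (user, severity, message) findings for the weaknesses named above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Root is the management account in the scenario: MFA is non-negotiable.
            if not mfa:
                findings.append((user, "CRITICAL", "root account without MFA"))
            continue
        if row["password_enabled"] == "true" and not mfa:
            findings.append((user, "HIGH", "console password without MFA"))
        pw_age = age_days(row["password_last_changed"], now)
        if pw_age is not None and pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "MEDIUM", f"password not changed for {pw_age} days"))
        if row["access_key_1_active"] == "true":
            key_age = age_days(row["access_key_1_last_rotated"], now)
            if key_age is not None and key_age > MAX_KEY_AGE_DAYS:
                findings.append((user, "MEDIUM", f"access key 1 not rotated for {key_age} days"))
    return findings


if __name__ == "__main__":
    for user, severity, message in audit_credential_report(REPORT_CSV):
        print(f"{severity:8} {user}: {message}")
```

The report cannot tell you that an account is shared between people; a user named `shared-ops` with an old password and no MFA is the signature to look for, and the fix is one identity per person with MFA enforced by policy rather than left to each user.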
Slides 26–31
Scenario: Kubernetes – Jenkins – AWS
Step 1, Kubernetes API, a publicly exposed Kubernetes API with disabled RBAC:
  - Base64 Secrets
  - Plaintext ConfigMaps
  - Pods list and configuration
Step 2, K8s Secrets:
  1. AWS Access Keys: S3 access only
  2. Jenkins admin credentials
Step 3, Jenkins app:
  1. AWS Access Keys in different Workspaces:
     - SQS access
     - Lambda access
  2. GitHub credentials in Jenkins Credentials
  3. AWS CLI calls in jobs console logs
Step 4, Kubectl exec, Bash on Jenkins pod:
  - AWS IAM Role with Administrator Access ☺
Slide 32
What went wrong?
Public resources:
  - Lack of knowledge
  - Limited scope of penetration testing
  - Risky design
Principle of Least Privilege:
  - Admin access for all!
  - Unprotected CICD tools
  - Running apps as Root
Disabled security features:
  - No RBAC
  - Unencrypted data
  - No firewall
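The Kubernetes scenario starts with an API server whose authorization is switched off, and the "Base64 Secrets" bullet is the reminder that Secrets are only encoded, not encrypted, unless encryption at rest is configured. The audit below is an added example, not code from the talk: it reads a kube-apiserver command line and reports the flags behind those bullets. The two argument lists are constructed; on a kubeadm cluster the real one is `spec.containers[0].command` in `/etc/kubernetes/manifests/kube-apiserver.yaml`. Where a flag is absent the check assumes kube-apiserver's documented defaults (`--authorization-mode` AlwaysAllow, `--anonymous-auth` true).

```python
# Constructed kube-apiserver argument lists: the scenario's weak setup and a
# hardened one. Real clusters carry many more flags; only these matter here.
WEAK_COMMAND = [
    "kube-apiserver",
    "--authorization-mode=AlwaysAllow",
    "--anonymous-auth=true",
    "--insecure-port=8080",
    "--etcd-servers=https://127.0.0.1:2379",
]
HARDENED_COMMAND = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--anonymous-auth=false",
    "--insecure-port=0",
    "--encryption-provider-config=/etc/kubernetes/enc/enc.yaml",
    "--etcd-servers=https://127.0.0.1:2379",
]


def parse_flags(args):
    """Map '--flag=value' / '--flag' entries of a command list to {flag: value}."""
    flags = {}
    for arg in args[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return flags


def audit_apiserver(args):
    """Findings for the misconfigurations in the scenario above."""
    flags = parse_flags(args)
    findings = []
    # Absent flag: kube-apiserver's documented default is AlwaysAllow.
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("authorization-mode includes AlwaysAllow: "
                        "every request that passes authentication is allowed")
    elif "RBAC" not in modes:
        findings.append("RBAC is not among the authorization modes")
    # Absent flag: anonymous-auth defaults to true.
    if flags.get("anonymous-auth", "true") == "true":
        findings.append("anonymous-auth is on: unauthenticated callers are "
                        "authorized as system:anonymous")
    # Only flagged when explicitly set; the flag was removed in Kubernetes 1.24.
    if flags.get("insecure-port", "0") != "0":
        findings.append("insecure-port is open: plaintext listener with no authentication")
    # Without an encryption provider, Secrets are stored in etcd as base64 only.
    if not flags.get("encryption-provider-config"):
        findings.append("no encryption-provider-config: Secrets sit base64-only in etcd")
    return findings


if __name__ == "__main__":
    for label, command in (("weak", WEAK_COMMAND), ("hardened", HARDENED_COMMAND)):
        print(label, audit_apiserver(command) or ["no findings"])
```

A quick live counterpart on a cluster you administer is `kubectl auth can-i --list --as=system:anonymous`: with AlwaysAllow in place, that lists everything. Note that even with RBAC on, exposing the API to the internet remains the "Public resources" item on the slide; authorization and network exposure are separate fixes.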
Slides 42–45
AWS Backdoors – Ideas
Group 1: EC2
  - Create a public EC2 with IAM Role
  - Add a local user to any running public EC2
Group 2: IAM User
  - Create a new IAM User
  - Create an additional access/secret key for any existing IAM User
Group 3: IAM Role
  - Trust relation with an external account
  - Create new policy version
  - Replace a role for any service
Group 4: Network access
  - Change / Remove Security Group rule(s)
  - VPC Peering with a rogue external VPC
  - Transit gateway attachment
46. xebia.com
― Lambda + CloudWatch / API Gateway / direct link
― Step Functions
― CodeBuild
― PowerUser + IAMFull instead of
AdministratorAccess
― Same context (EC2 keys used on the EC2 only)
AWS Backdoors – Survival
Self-Healing Detection prevention
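Every backdoor idea in groups 2 to 4, and the "PowerUser + IAMFull instead of AdministratorAccess" evasion, is an API call that CloudTrail records, so the defender's side of these slides is a set of detections over those events. The code below is an added example, not code from the talk: it runs rules over a constructed list of CloudTrail-style records (the field names `eventName`, `userIdentity.userName` and `requestParameters` are the real ones; the user names, resource ids and the `OWN_ACCOUNT` / external account ids are made up, using the AWS documentation example account id for our own account).

```python
import json
import re

OWN_ACCOUNT = "111122223333"  # constructed: AWS documentation example account id
# Managed policies that amount to admin, alone or in combination (slide 46).
PRIVILEGED_POLICIES = {"AdministratorAccess", "PowerUserAccess", "IAMFullAccess"}


def external_principals(policy_document):
    """Account ids (or '*') trusted by a role trust policy that are not our own."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    external = set()
    for statement in statements:
        principal = statement.get("Principal", {})
        entries = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for entry in ([entries] if isinstance(entries, str) else entries):
            if entry == "*":
                external.add("*")
                continue
            match = re.search(r"\b(\d{12})\b", entry)
            if match and match.group(1) != OWN_ACCOUNT:
                external.add(match.group(1))
    return external


def detect(event):
    """(severity, message) findings for one CloudTrail record."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("userName", "?")
    hits = []
    if name == "CreateUser":                                      # group 2
        hits.append(("HIGH", f"IAM user {params.get('userName')} created by {actor}"))
    elif name == "CreateAccessKey":                               # group 2
        target = params.get("userName") or actor
        # A key minted for *another* user is the backdoor pattern; self-rotation is routine.
        severity = "HIGH" if target != actor else "MEDIUM"
        hits.append((severity, f"access key created for {target} by {actor}"))
    elif name == "UpdateAssumeRolePolicy":                        # group 3
        ext = external_principals(params.get("policyDocument", "{}"))
        if ext:
            hits.append(("CRITICAL", f"role {params.get('roleName')} now trusts {sorted(ext)}"))
    elif name == "CreatePolicyVersion" and params.get("setAsDefault"):   # group 3
        hits.append(("HIGH", f"new default version set for {params.get('policyArn')} by {actor}"))
    elif name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):  # slide 46
        policy = params.get("policyArn", "").rsplit("/", 1)[-1]
        if policy in PRIVILEGED_POLICIES:
            hits.append(("HIGH", f"{policy} attached via {name} by {actor}"))
    elif name == "AuthorizeSecurityGroupIngress":                 # group 4
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            for ip_range in (perm.get("ipRanges") or {}).get("items", []):
                if ip_range.get("cidrIp") == "0.0.0.0/0":
                    hits.append(("HIGH", f"{params.get('groupId')} opened "
                                         f"{perm.get('ipProtocol')}/{perm.get('fromPort')} to 0.0.0.0/0"))
    elif name == "CreateVpcPeeringConnection":                    # group 4
        peer = str(params.get("peerOwnerId", OWN_ACCOUNT))
        if peer != OWN_ACCOUNT:
            hits.append(("CRITICAL", f"VPC peering from {params.get('vpcId')} to external account {peer}"))
    elif name == "CreateTransitGatewayVpcAttachment":             # group 4
        hits.append(("MEDIUM", f"transit gateway attachment for {params.get('vpcId')} by {actor}"))
    return hits


def scan_events(events):
    """Run detect() over a list of records and flatten the results."""
    return [(e.get("eventName"), sev, msg) for e in events for sev, msg in detect(e)]


# Constructed CloudTrail-style records, one per technique plus a benign read.
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "svc-deploy"},
     "requestParameters": {"userName": "ci-bot"}},
    {"eventName": "UpdateAssumeRolePolicy", "userIdentity": {"userName": "svc-deploy"},
     "requestParameters": {"roleName": "deploy-role", "policyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "svc-deploy"},
     "requestParameters": {"userName": "ci-bot",
                           "policyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "svc-deploy"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "CreateVpcPeeringConnection", "userIdentity": {"userName": "svc-deploy"},
     "requestParameters": {"vpcId": "vpc-0a1b2c3d", "peerVpcId": "vpc-9f8e7d6c",
                           "peerOwnerId": "999999999999"}},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "alice"},
     "requestParameters": {}},
]

if __name__ == "__main__":
    for name, severity, message in scan_events(SAMPLE_EVENTS):
        print(f"{severity:8} {name}: {message}")
```

These rules only fire if the trail is organization-wide and the logs leave the account (an attacker with admin in the member account can otherwise stop the trail); the self-healing bullets on the slide are the reason to alert on the initial change rather than wait to notice the re-created resource.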