For a quick deploy, copy deploy.sh to the kubernetes-ingress/deployments
folder and run the script directly.
Quick Deploy
./deploy.sh
Install Verification
$ kubectl get pods -n nginx-ingress --no-headers
nginx-ingress-68d894666b-jsvsr 1/1 Running 0 11h
APLogConf defines the format of the security log that is sent to ELK; it is referenced by the Ingress resource.
kubectl apply -f nic/logconf.yaml
1. Deploy Microservice App
kubectl apply -f helloworld/webgoat.yaml
2. Deploy Security Policy
kubectl apply -f helloworld/policy.yaml
3. Deploy APP
kubectl apply -f helloworld/vs.yaml
4. Deploy APP (an alternative to step 3)
kubectl apply -f helloworld/ingress.yaml
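5. Test
A request carrying <script> in the query string should be rejected; the support ID in the response identifies the matching event in the security log.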
~]# curl "http://microservice-security.101.net:30080/WebGoat/login?<script>"
<html>
<head>
<title>Request Rejected</title>
</head>
<body>
The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 7471558104982133347<br><br><a href='javascript:history.back();'>[Go Back]</a>
</body>
</html>
6. Batch TEST
for i in {1..10} ; do for j in $(cat helloworld/ips) ; do curl -H "X-Forwarded-For: $j" "http://microservice-security.101.net:30080/WebGoat/login?<script>" ; echo ; done ; done
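The geographic distribution of the attacks can then be seen in ELK. The source addresses in this test come from the client-supplied X-Forwarded-For header, so the map presumably reflects that header rather than the real peer address; outside a demo, X-Forwarded-For should be trusted only when it is set by a known proxy.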
7. Clean up
kubectl delete -f helloworld/policy.yaml
kubectl delete -f helloworld/vs.yaml
kubectl delete -f helloworld/ingress.yaml
kubectl delete -f helloworld/webgoat.yaml
1. Deploy Microservice App
kubectl apply -f filter-by-content/deploy.yaml
2. Create ELK Log config
kubectl apply -f filter-by-content/logconf.yaml
3. Add Policy
kubectl apply -f filter-by-content/uds.yaml
kubectl apply -f filter-by-content/policy.yaml
4. Deploy Ingress
kubectl apply -f filter-by-content/ingress.yaml
5. TEST
$ curl http://microservice-security.101.net:30080/devops/test123
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525585681<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
6. Clean up
kubectl delete -f filter-by-content/ingress.yaml
kubectl delete -f filter-by-content/policy.yaml
kubectl delete -f filter-by-content/uds.yaml
kubectl delete -f filter-by-content/logconf.yaml
kubectl delete -f filter-by-content/deploy.yaml
1. Deploy Microservice App
kubectl apply -f illegal-request-method/deploy.yaml
2. Add Policy
kubectl apply -f illegal-request-method/uds.yaml
kubectl apply -f illegal-request-method/policy.yaml
3. Deploy Ingress
kubectl apply -f illegal-request-method/ingress.yaml
4. TEST
$ curl http://microservice-security.101.net:30080/devops/test -X DELETE
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525587211<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f illegal-request-method/ingress.yaml
kubectl delete -f illegal-request-method/policy.yaml
kubectl delete -f illegal-request-method/uds.yaml
kubectl delete -f illegal-request-method/deploy.yaml
1. Deploy Microservice App
kubectl apply -f xff-injection/deploy.yaml
2. Add Policy
kubectl apply -f xff-injection/uds.yaml
kubectl apply -f xff-injection/policy.yaml
3. Deploy Ingress
kubectl apply -f xff-injection/ingress.yaml
4. TEST
$ curl -H "X-Forwarded-For: select * from t where 1 =1 " "http://microservice-security.101.net:30080/devops/test"
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525587721<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f xff-injection/ingress.yaml
kubectl delete -f xff-injection/policy.yaml
kubectl delete -f xff-injection/uds.yaml
kubectl delete -f xff-injection/deploy.yaml
1. Deploy Microservice App
kubectl apply -f host-validation/deploy.yaml
2. Add Policy
kubectl apply -f host-validation/uds.yaml
kubectl apply -f host-validation/policy.yaml
3. Deploy Ingress
kubectl apply -f host-validation/ingress.yaml
4. TEST
curl -H "Host: localhost" "http://microservice-security.101.net:30080/devops/test"
5. Clean up
kubectl delete -f host-validation/ingress.yaml
kubectl delete -f host-validation/policy.yaml
kubectl delete -f host-validation/uds.yaml
kubectl delete -f host-validation/deploy.yaml
1. Deploy Microservice App
kubectl apply -f illegal-directory-access/deploy.yaml
2. Add Policy
kubectl apply -f illegal-directory-access/uds.yaml
kubectl apply -f illegal-directory-access/policy.yaml
3. Deploy Ingress
kubectl apply -f illegal-directory-access/ingress.yaml
4. TEST
$ curl http://microservice-security.101.net:30080/devops/uploads/11.jsp
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525657081<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f illegal-directory-access/ingress.yaml
kubectl delete -f illegal-directory-access/policy.yaml
kubectl delete -f illegal-directory-access/uds.yaml
kubectl delete -f illegal-directory-access/deploy.yaml
1. Deploy Microservice App
kubectl apply -f week-passwd/deploy.yaml
2. Add Policy
kubectl apply -f week-passwd/uds.yaml
kubectl apply -f week-passwd/policy.yaml
3. Deploy Ingress
kubectl apply -f week-passwd/ingress.yaml
4. TEST
$ curl "http://microservice-security.101.net:30080/devops?user=admin&password=default"
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525648921<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f week-passwd/ingress.yaml
kubectl delete -f week-passwd/policy.yaml
kubectl delete -f week-passwd/uds.yaml
kubectl delete -f week-passwd/deploy.yaml
1. Deploy Microservice App
kubectl apply -f illegal-file-extension/deploy.yaml
2. Add Policy
kubectl apply -f illegal-file-extension/uds.yaml
kubectl apply -f illegal-file-extension/policy.yaml
3. Deploy Ingress
kubectl apply -f illegal-file-extension/ingress.yaml
4. TEST
$ curl "http://microservice-security.101.net:30080/devops/test.db"
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525624951<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f illegal-file-extension/ingress.yaml
kubectl delete -f illegal-file-extension/policy.yaml
kubectl delete -f illegal-file-extension/uds.yaml
kubectl delete -f illegal-file-extension/deploy.yaml
1. Deploy Microservice App
kubectl apply -f illegal-file-type/deploy.yaml
2. Add Policy
kubectl apply -f illegal-file-type/uds.yaml
kubectl apply -f illegal-file-type/policy.yaml
3. Deploy Ingress
kubectl apply -f illegal-file-type/ingress.yaml
4. TEST
$ curl "http://microservice-security.101.net:30080/devops/test.php"
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 9268430331525625971<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f illegal-file-type/ingress.yaml
kubectl delete -f illegal-file-type/policy.yaml
kubectl delete -f illegal-file-type/uds.yaml
kubectl delete -f illegal-file-type/deploy.yaml
1. Deploy Microservice App
kubectl apply -f application-admin-access/deploy.yaml
2. Add Policy
kubectl apply -f application-admin-access/uds.yaml
kubectl apply -f application-admin-access/policy.yaml
3. Deploy Ingress
kubectl apply -f application-admin-access/ingress.yaml
4. TEST
$ curl http://microservice-security.101.net:30080/redis-admin/redis
<html>
<head>
<title>Request Rejected</title>
</head>
<body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 17000903267954407182<br><br><a href='javascript:history.back();'>[Go Back]</a></body>
</html>
5. Clean up
kubectl delete -f application-admin-access/ingress.yaml
kubectl delete -f application-admin-access/policy.yaml
kubectl delete -f application-admin-access/uds.yaml
kubectl delete -f application-admin-access/deploy.yaml
1. Deploy Microservice App
kubectl apply -f foo.yaml
kubectl apply -f bar.yaml
2. Add Policy
kubectl apply -f foo-uds.yaml
kubectl apply -f foo-policy.yaml
kubectl apply -f bar-uds.yaml
kubectl apply -f bar-policy.yaml
3. Deploy Ingress
kubectl apply -f foo-ingress.yaml
kubectl apply -f bar-ingress.yaml
4. TEST
./test.sh
5. Clean up
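# Remove the foo resources in reverse order of creation.
kubectl delete -f foo-ingress.yaml
kubectl delete -f foo-policy.yaml
kubectl delete -f foo-uds.yaml
kubectl delete -f foo.yaml
# Remove the bar resources the same way; bar.yaml was applied in step 1
# and must be deleted here, otherwise the bar app is left running.
kubectl delete -f bar-ingress.yaml
kubectl delete -f bar-policy.yaml
kubectl delete -f bar-uds.yaml
kubectl delete -f bar.yaml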