SlideShare una empresa de Scribd logo

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

Greg Castle
Greg Castle

https://kccna18.sched.com/event/GrZf/shopifys-25k-bug-report-and-the-cluster-takeover-that-didnt-happen-greg-castle-google-shane-lawrence-shopify https://youtu.be/2XCm7vveU5A

Internet
1 de 50
Descargar para leer sin conexión
Shopify’s $25K Bug Report and the cluster takeover that didn’t happen Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google North America 2018
A production security story Introduction Bug report Detection TakeawaysExchange Attack & defense
Introduction
Who is shopify.com? 2017 data Shopify’s background 600K+ merchants 26B+ $processed 80K+ requests per second peak traffic
Shopify cloud platform • Scalable • Application developers don’t need to learn k8 • Self-serve with guardrails & paved roads • Security*** by default
Shopify’s bug bounty programs •   330+ hackers over 3+ years •   Merchants and buyers protected •   $1,000,000+ paid •   hackerone.com/shopify
Bug report
Security report and responses 7:39pm Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app 7:50pm Incident declared 8:00pm Cloudsec and app dev teams contacted 8:43pm Merged commit to disable vulnerable feature 9:27pm Investigation and cleanup started (rotate credentials, contact Google, investigate logs) 1 hour
Exchange
Image of page Request screenshot Request storefront What is Exchange? Marketplace for buying & selling stores Webpage 3. Test store Test store frontpage 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots
Attack & defense
cluster control X kubeletkube-env Google service account token SSRF The attack Security researcher
Server Side Request Forgery (SSRF)
Attack: Weaponize SSRF Existing workflow Image of page Request screenshot Request storefront 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots Webpage 4. Metadata service 3. Test store Test store frontpage
Webpage 4. Metadata service 1. Exchange app Create listing Screenshots Request screenshot Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Attack: Weaponize SSRF Got token for the VM’s Google service account
Request token 4. Metadata server Default SA token v1 Attack: Weaponize SSRF Got token for the VM’s Google service account 1. Exchange app Create listing Screenshots Webpage Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Request screenshot
Sidebar: What is this Google SA? Node (VM) Metadata server Service account Pod Token Token Google APIs
Demo Token attack
403: header required 4. Metadata server Default SA token v1 1. Exchange app Create listing Screenshots Defense: Require header Metadata server requires header: Metadata-Flavor: Google Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser
Token 4. Metadata server Default SA token v1 v1beta1 1. Exchange app Create listing Screenshots Attack: Use old API version Beta API: no request header required :( Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser Image of token
Defense: Disable old API versions • Beta API known issue: APIs still in use • Disabled by default in new 1.12+ clusters • Opt-in now: “disable-legacy-endpoints=true” • goo.gl/JsdJbL for details
Defense: Least priv on token • Default SA least privilege from 1.10+ • May vary if users have granted extra privs • Shopify had minimal privs for log/mon/debug • Token not useful to researcher
5. Metadata server Default SA token v1 v1beta1 kube-env Request screenshot Request storefront Webpage 2. Screenshot service Headless browser kube-env 1. Exchange app Create listing Screenshots Attack: What other metadata? Metadata server = trust bootstrap for nodes Export static key from “kube-env” Image of kube-env 3. Test store Exploit page
Demo kube-env attack
Attack: Kubelet bootstrap key Kube-env Security researcher machine CA.crt client.crt client.pem GKE K8s API Server kubectl
Request screenshot Request storefront Defense: Metadata concealment Now: metadata concealment (Beta) goo.gl/u6rrMT Future: K8s TPM trust bootstrap Webpage 3. Test store Exploit page 2. Screenshot service Headless browser 403 Forbidden 4. Metadata proxy Whitelist/blacklist 1. Exchange app Create listing Screenshots 5. Metadata server Default SA token v1 v1beta1 kube-env
Defense: Minimize kubelet privs • RBAC on (ABAC off): GKE default • Node Authorization on: GKE default • Audit role bindings: GKE “kubelet-cluster-admin” (not actually cluster admin) binding if upgraded cluster https://kubernetes.io/docs/tasks/administer-clus ter/securing-a-cluster/
Demo Defenses
Detection
What’s in the logs? • K8s API audit logs: goo.gl/d8YebH • Content depends on audit policy • GKE: g.co/gke/auditlogging
Filter logs for kubelet user
Filter logs for kubelet user
Create deployment failed
Create deployment
Exec into exchange pod
Exec into exchange pod
Node CSR creation
Takeaways
Shopify’s response 1 day • Disable vulnerable service. • Start rotating credentials. • Pay $ to researcher. 1 week • Analyze audit logs. • Clean up RBAC. 1 month • Prevent unwanted redirects. • Re-enable screenshot service. • Deploy metadata proxy. • Pay $$$ to researcher. • Disclose vulnerability.
Lessons learned: K8s advice • Follow cloud provider hardening advice (GKE: g.co/gke/hardening) • Block off/filter access to any privileged network endpoints • Run RBAC and Node Authorization (GKE default) • Apply least privilege for K8s service accounts • Audit role bindings, especially upgraded clusters • Collect API logs and have them available to query (GKE default)
Links and references Shopify bug bounty: hackerone.com/shopify Bug report details: goo.gl/dqynDa GKE disable old APIs: goo.gl/JsdJbL GKE metadata conceal: goo.gl/u6rrMT K8s API audit logs: goo.gl/d8YebH GKE logging: g.co/gke/auditlogging Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google
Thank you
Reference Log queries
Example log queries • Broad strokes to get you started • No standard language for queries like this • SQL seems most standard • But includes some BigQuery-isms for unpacking repeated fields • Validation/tweaking on production clusters needed • Mostly intended to point out interesting values and fields
RBAC Changes (excl system) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.methodName LIKE " io.k8s.authorization.rbac.v1%" AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:%" LIMIT 100 Similarly, use these methodName strings for specific changes to roles or bindings: “io.k8s.authorization.rbac.v1.roles.%” “io.k8s.authorization.rbac.v1.rolebindings.%” “io.k8s.authorization.rbac.v1.clusterroles.%” “io.k8s.authorization.rbac.v1.clusterrolebindings.%”
Creating CSRs via K8s API SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protoPayload_auditlog.resourceName LIKE "certificates.k8s.io/v1beta1/certificatesigningrequests%" LIMIT 100
Unauth’d web requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail = " system:anonymous" LIMIT 100
Kubelet bootstrap identity calls (GKE specific) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " kubelet" LIMIT 100
Node authenticated requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:node%" LIMIT 100
Calls outside IP range SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE NOT protopayload_auditlog.requestMetadata. callerIp="127.0.0.1" AND NOT protopayload_auditlog.requestMetadata. callerIp="::1" AND protopayload_auditlog.requestMetadata. callerIp NOT LIKE "8.8%" LIMIT 100

Recomendados

Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decompositionKaty Anton
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Security Conference
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Beau Bullock
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorTravelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorBeau Bullock
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 

Recomendados

Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decompositionKaty Anton
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Security Conference
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Beau Bullock
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorTravelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorBeau Bullock
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Deep thoughts from the real world of azure
Deep thoughts from the real world of azureDeep thoughts from the real world of azure
Deep thoughts from the real world of azureMichele Leroux Bustamante
 
The Power of Social Login
The Power of Social LoginThe Power of Social Login
The Power of Social LoginMichele Leroux Bustamante
 
Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldMichele Leroux Bustamante
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTDouglas Bienstock
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
 
Windows Azure Essentials V3
Windows Azure Essentials V3Windows Azure Essentials V3
Windows Azure Essentials V3Michele Leroux Bustamante
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenO365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenNCCOMMS
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootStormpath
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOPeter Selch Dahl
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Douglas Bienstock
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Pythonwesley chun
 

Más contenido relacionado

La actualidad más candente

Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldMichele Leroux Bustamante
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTDouglas Bienstock
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenO365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenNCCOMMS
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootStormpath
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOPeter Selch Dahl
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Douglas Bienstock
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 

La actualidad más candente (20)

Deep thoughts from the real world of azure
Deep thoughts from the real world of azureDeep thoughts from the real world of azure
Deep thoughts from the real world of azure
 
The Power of Social Login
The Power of Social LoginThe Power of Social Login
The Power of Social Login
 
Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric World
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APT
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
 
Windows Azure Essentials V3
Windows Azure Essentials V3Windows Azure Essentials V3
Windows Azure Essentials V3
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenO365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring Boot
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)
 

Similar a Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Pythonwesley chun
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...3camp
 
The journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineThe journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineRandy Huang
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APIDavid Keener
 
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Jonathan Barton
 
App Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishApp Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishChris Schalk
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Romit Mehta
 
Dataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDeepak Chandramouli
 
Introduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesIntroduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesChris Schalk
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Greg Castle
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingBitbar
 
What's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessWhat's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessChris Schalk
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudRevelation Technologies
 
04/2010 - Google App Engine
04/2010 - Google App Engine04/2010 - Google App Engine
04/2010 - Google App Enginedaveayan
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesChris Schalk
 
Javaedge 2010-cschalk
Javaedge 2010-cschalkJavaedge 2010-cschalk
Javaedge 2010-cschalkChris Schalk
 

Similar a Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen (20)

API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Python
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
 
The journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineThe journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data Pipeline
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
 
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
 
App Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishApp Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures Publish
 
Scale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | GimelScale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | Gimel
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018
 
Dataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platform
 
Introduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesIntroduction to Google's Cloud Technologies
Introduction to Google's Cloud Technologies
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and Testing
 
What's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessWhat's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for Business
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
 
04/2010 - Google App Engine
04/2010 - Google App Engine04/2010 - Google App Engine
04/2010 - Google App Engine
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform Technologies
 
Javaedge 2010-cschalk
Javaedge 2010-cschalkJavaedge 2010-cschalk
Javaedge 2010-cschalk
 

Último

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 

Último (20)

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

  • 1. Shopify’s $25K Bug Report and the cluster takeover that didn’t happen Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google North America 2018
  • 2. A production security story Introduction Bug report Detection TakeawaysExchange Attack & defense
  • 4. Who is shopify.com? 2017 data Shopify’s background 600K+ merchants 26B+ $processed 80K+ requests per second peak traffic
  • 5. Shopify cloud platform • Scalable • Application developers don’t need to learn k8 • Self-serve with guardrails & paved roads • Security*** by default
  • 6. Shopify’s bug bounty programs •   330+ hackers over 3+ years •   Merchants and buyers protected •   $1,000,000+ paid •   hackerone.com/shopify
  • 8. Security report and responses 7:39pm Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app 7:50pm Incident declared 8:00pm Cloudsec and app dev teams contacted 8:43pm Merged commit to disable vulnerable feature 9:27pm Investigation and cleanup started (rotate credentials, contact Google, investigate logs) 1 hour
  • 10. Image of page Request screenshot Request storefront What is Exchange? Marketplace for buying & selling stores Webpage 3. Test store Test store frontpage 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots
  • 12. cluster control X kubeletkube-env Google service account token SSRF The attack Security researcher
  • 13. Server Side Request Forgery (SSRF)
  • 14. Attack: Weaponize SSRF Existing workflow Image of page Request screenshot Request storefront 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots Webpage 4. Metadata service 3. Test store Test store frontpage
  • 15. Webpage 4. Metadata service 1. Exchange app Create listing Screenshots Request screenshot Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Attack: Weaponize SSRF Got token for the VM’s Google service account
  • 16. Request token 4. Metadata server Default SA token v1 Attack: Weaponize SSRF Got token for the VM’s Google service account 1. Exchange app Create listing Screenshots Webpage Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Request screenshot
  • 17. Sidebar: What is this Google SA? Node (VM) Metadata server Service account Pod Token Token Google APIs
  • 19. 403: header required 4. Metadata server Default SA token v1 1. Exchange app Create listing Screenshots Defense: Require header Metadata server requires header: Metadata-Flavor: Google Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser
  • 20. Token 4. Metadata server Default SA token v1 v1beta1 1. Exchange app Create listing Screenshots Attack: Use old API version Beta API: no request header required :( Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser Image of token
  • 21. Defense: Disable old API versions • Beta API known issue: APIs still in use • Disabled by default in new 1.12+ clusters • Opt-in now: “disable-legacy-endpoints=true” • goo.gl/JsdJbL for details
  • 22. Defense: Least priv on token • Default SA least privilege from 1.10+ • May vary if users have granted extra privs • Shopify had minimal privs for log/mon/debug • Token not useful to researcher
  • 23. 5. Metadata server Default SA token v1 v1beta1 kube-env Request screenshot Request storefront Webpage 2. Screenshot service Headless browser kube-env 1. Exchange app Create listing Screenshots Attack: What other metadata? Metadata server = trust bootstrap for nodes Export static key from “kube-env” Image of kube-env 3. Test store Exploit page
  • 25. Attack: Kubelet bootstrap key Kube-env Security researcher machine CA.crt client.crt client.pem GKE K8s API Server kubectl
  • 26. Request screenshot Request storefront Defense: Metadata concealment Now: metadata concealment (Beta) goo.gl/u6rrMT Future: K8s TPM trust bootstrap Webpage 3. Test store Exploit page 2. Screenshot service Headless browser 403 Forbidden 4. Metadata proxy Whitelist/blacklist 1. Exchange app Create listing Screenshots 5. Metadata server Default SA token v1 v1beta1 kube-env
  • 27. Defense: Minimize kubelet privs • RBAC on (ABAC off): GKE default • Node Authorization on: GKE default • Audit role bindings: GKE “kubelet-cluster-admin” (not actually cluster admin) binding if upgraded cluster https://kubernetes.io/docs/tasks/administer-clus ter/securing-a-cluster/
  • 30. What’s in the logs? • K8s API audit logs: goo.gl/d8YebH • Content depends on audit policy • GKE: g.co/gke/auditlogging
  • 31. Filter logs for kubelet user
  • 32. Filter logs for kubelet user
  • 39. Shopify’s response 1 day • Disable vulnerable service. • Start rotating credentials. • Pay $ to researcher. 1 week • Analyze audit logs. • Clean up RBAC. 1 month • Prevent unwanted redirects. • Re-enable screenshot service. • Deploy metadata proxy. • Pay $$$ to researcher. • Disclose vulnerability.
  • 40. Lessons learned: K8s advice • Follow cloud provider hardening advice (GKE: g.co/gke/hardening) • Block off/filter access to any privileged network endpoints • Run RBAC and Node Authorization (GKE default) • Apply least privilege for K8s service accounts • Audit role bindings, especially upgraded clusters • Collect API logs and have them available to query (GKE default)
  • 41. Links and references Shopify bug bounty: hackerone.com/shopify Bug report details: goo.gl/dqynDa GKE disable old APIs: goo.gl/JsdJbL GKE metadata conceal: goo.gl/u6rrMT K8s API audit logs: goo.gl/d8YebH GKE logging: g.co/gke/auditlogging Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google
  • 44. Example log queries • Broad strokes to get you started • No standard language for queries like this • SQL seems most standard • But includes some BigQuery-isms for unpacking repeated fields • Validation/tweaking on production clusters needed • Mostly intended to point out interesting values and fields
  • 45. RBAC Changes (excl system) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.methodName LIKE " io.k8s.authorization.rbac.v1%" AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:%" LIMIT 100 Similarly, use these methodName strings for specific changes to roles or bindings: “io.k8s.authorization.rbac.v1.roles.%” “io.k8s.authorization.rbac.v1.rolebindings.%” “io.k8s.authorization.rbac.v1.clusterroles.%” “io.k8s.authorization.rbac.v1.clusterrolebindings.%”
  • 46. Creating CSRs via K8s API SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protoPayload_auditlog.resourceName LIKE "certificates.k8s.io/v1beta1/certificatesigningrequests%" LIMIT 100
  • 47. Unauth’d web requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail = " system:anonymous" LIMIT 100
  • 48. Kubelet bootstrap identity calls (GKE specific) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " kubelet" LIMIT 100
  • 49. Node authenticated requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:node%" LIMIT 100
  • 50. Calls outside IP range SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE NOT protopayload_auditlog.requestMetadata. callerIp="127.0.0.1" AND NOT protopayload_auditlog.requestMetadata. callerIp="::1" AND protopayload_auditlog.requestMetadata. callerIp NOT LIKE "8.8%" LIMIT 100