SlideShare uma empresa Scribd logo

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

Greg Castle
Greg Castle

https://kccna18.sched.com/event/GrZf/shopifys-25k-bug-report-and-the-cluster-takeover-that-didnt-happen-greg-castle-google-shane-lawrence-shopify https://youtu.be/2XCm7vveU5A

Internet
1 de 50
Baixar para ler offline
Shopify’s $25K Bug Report and the cluster takeover that didn’t happen Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google North America 2018
A production security story Introduction Bug report Detection TakeawaysExchange Attack & defense
Introduction
Who is shopify.com? 2017 data Shopify’s background 600K+ merchants 26B+ $processed 80K+ requests per second peak traffic
Shopify cloud platform • Scalable • Application developers don’t need to learn k8 • Self-serve with guardrails & paved roads • Security*** by default
Shopify’s bug bounty programs •   330+ hackers over 3+ years •   Merchants and buyers protected •   $1,000,000+ paid •   hackerone.com/shopify
Bug report
Security report and responses 7:39pm Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app 7:50pm Incident declared 8:00pm Cloudsec and app dev teams contacted 8:43pm Merged commit to disable vulnerable feature 9:27pm Investigation and cleanup started (rotate credentials, contact Google, investigate logs) 1 hour
Exchange
Image of page Request screenshot Request storefront What is Exchange? Marketplace for buying & selling stores Webpage 3. Test store Test store frontpage 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots
Attack & defense
cluster control X kubeletkube-env Google service account token SSRF The attack Security researcher
Server Side Request Forgery (SSRF)
Attack: Weaponize SSRF Existing workflow Image of page Request screenshot Request storefront 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots Webpage 4. Metadata service 3. Test store Test store frontpage
Webpage 4. Metadata service 1. Exchange app Create listing Screenshots Request screenshot Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Attack: Weaponize SSRF Got token for the VM’s Google service account
Request token 4. Metadata server Default SA token v1 Attack: Weaponize SSRF Got token for the VM’s Google service account 1. Exchange app Create listing Screenshots Webpage Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Request screenshot
Sidebar: What is this Google SA? Node (VM) Metadata server Service account Pod Token Token Google APIs
Demo Token attack
403: header required 4. Metadata server Default SA token v1 1. Exchange app Create listing Screenshots Defense: Require header Metadata server requires header: Metadata-Flavor: Google Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser
Token 4. Metadata server Default SA token v1 v1beta1 1. Exchange app Create listing Screenshots Attack: Use old API version Beta API: no request header required :( Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser Image of token
Defense: Disable old API versions • Beta API known issue: APIs still in use • Disabled by default in new 1.12+ clusters • Opt-in now: “disable-legacy-endpoints=true” • goo.gl/JsdJbL for details
Defense: Least priv on token • Default SA least privilege from 1.10+ • May vary if users have granted extra privs • Shopify had minimal privs for log/mon/debug • Token not useful to researcher
5. Metadata server Default SA token v1 v1beta1 kube-env Request screenshot Request storefront Webpage 2. Screenshot service Headless browser kube-env 1. Exchange app Create listing Screenshots Attack: What other metadata? Metadata server = trust bootstrap for nodes Export static key from “kube-env” Image of kube-env 3. Test store Exploit page
Demo kube-env attack
Attack: Kubelet bootstrap key Kube-env Security researcher machine CA.crt client.crt client.pem GKE K8s API Server kubectl
Request screenshot Request storefront Defense: Metadata concealment Now: metadata concealment (Beta) goo.gl/u6rrMT Future: K8s TPM trust bootstrap Webpage 3. Test store Exploit page 2. Screenshot service Headless browser 403 Forbidden 4. Metadata proxy Whitelist/blacklist 1. Exchange app Create listing Screenshots 5. Metadata server Default SA token v1 v1beta1 kube-env
Defense: Minimize kubelet privs • RBAC on (ABAC off): GKE default • Node Authorization on: GKE default • Audit role bindings: GKE “kubelet-cluster-admin” (not actually cluster admin) binding if upgraded cluster https://kubernetes.io/docs/tasks/administer-clus ter/securing-a-cluster/
Demo Defenses
Detection
What’s in the logs? • K8s API audit logs: goo.gl/d8YebH • Content depends on audit policy • GKE: g.co/gke/auditlogging
Filter logs for kubelet user
Filter logs for kubelet user
Create deployment failed
Create deployment
Exec into exchange pod
Exec into exchange pod
Node CSR creation
Takeaways
Shopify’s response 1 day • Disable vulnerable service. • Start rotating credentials. • Pay $ to researcher. 1 week • Analyze audit logs. • Clean up RBAC. 1 month • Prevent unwanted redirects. • Re-enable screenshot service. • Deploy metadata proxy. • Pay $$$ to researcher. • Disclose vulnerability.
Lessons learned: K8s advice • Follow cloud provider hardening advice (GKE: g.co/gke/hardening) • Block off/filter access to any privileged network endpoints • Run RBAC and Node Authorization (GKE default) • Apply least privilege for K8s service accounts • Audit role bindings, especially upgraded clusters • Collect API logs and have them available to query (GKE default)
Links and references Shopify bug bounty: hackerone.com/shopify Bug report details: goo.gl/dqynDa GKE disable old APIs: goo.gl/JsdJbL GKE metadata conceal: goo.gl/u6rrMT K8s API audit logs: goo.gl/d8YebH GKE logging: g.co/gke/auditlogging Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google
Thank you
Reference Log queries
Example log queries • Broad strokes to get you started • No standard language for queries like this • SQL seems most standard • But includes some BigQuery-isms for unpacking repeated fields • Validation/tweaking on production clusters needed • Mostly intended to point out interesting values and fields
RBAC Changes (excl system) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.methodName LIKE " io.k8s.authorization.rbac.v1%" AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:%" LIMIT 100 Similarly, use these methodName strings for specific changes to roles or bindings: “io.k8s.authorization.rbac.v1.roles.%” “io.k8s.authorization.rbac.v1.rolebindings.%” “io.k8s.authorization.rbac.v1.clusterroles.%” “io.k8s.authorization.rbac.v1.clusterrolebindings.%”
Creating CSRs via K8s API SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protoPayload_auditlog.resourceName LIKE "certificates.k8s.io/v1beta1/certificatesigningrequests%" LIMIT 100
Unauth’d web requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail = " system:anonymous" LIMIT 100
Kubelet bootstrap identity calls (GKE specific) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " kubelet" LIMIT 100
Node authenticated requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:node%" LIMIT 100
Calls outside IP range SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE NOT protopayload_auditlog.requestMetadata. callerIp="127.0.0.1" AND NOT protopayload_auditlog.requestMetadata. callerIp="::1" AND protopayload_auditlog.requestMetadata. callerIp NOT LIKE "8.8%" LIMIT 100

Recomendados

Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decompositionKaty Anton
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Security Conference
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Beau Bullock
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorTravelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorBeau Bullock
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 

Recomendados

Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decompositionKaty Anton
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Security Conference
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Beau Bullock
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorTravelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorBeau Bullock
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
Deep thoughts from the real world of azure
Deep thoughts from the real world of azureDeep thoughts from the real world of azure
Deep thoughts from the real world of azureMichele Leroux Bustamante
 
The Power of Social Login
The Power of Social LoginThe Power of Social Login
The Power of Social LoginMichele Leroux Bustamante
 
Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldMichele Leroux Bustamante
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTDouglas Bienstock
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
 
Windows Azure Essentials V3
Windows Azure Essentials V3Windows Azure Essentials V3
Windows Azure Essentials V3Michele Leroux Bustamante
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenO365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenNCCOMMS
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootStormpath
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOPeter Selch Dahl
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Douglas Bienstock
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Pythonwesley chun
 

Mais conteúdo relacionado

Mais procurados

Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldMichele Leroux Bustamante
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTDouglas Bienstock
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenO365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenNCCOMMS
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Stormpath
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootStormpath
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?42Crunch
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOPeter Selch Dahl
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environmentTaswar Bhatti
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Douglas Bienstock
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 

Mais procurados (20)

Deep thoughts from the real world of azure
Deep thoughts from the real world of azureDeep thoughts from the real world of azure
Deep thoughts from the real world of azure
 
The Power of Social Login
The Power of Social LoginThe Power of Social Login
The Power of Social Login
 
Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric World
 
BHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APTBHUSA 2021 - Cloud with a Chance of APT
BHUSA 2021 - Cloud with a Chance of APT
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
 
Windows Azure Essentials V3
Windows Azure Essentials V3Windows Azure Essentials V3
Windows Azure Essentials V3
 
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris GoosenO365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
 
Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2Secure API Services in Node with Basic Auth and OAuth2
Secure API Services in Node with Basic Auth and OAuth2
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Instant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring BootInstant Security & Scalable User Management with Spring Boot
Instant Security & Scalable User Management with Spring Boot
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101
 
Managing your secrets in a cloud environment
Managing your secrets in a cloud environmentManaging your secrets in a cloud environment
Managing your secrets in a cloud environment
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)
 

Semelhante a Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Pythonwesley chun
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...3camp
 
The journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineThe journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineRandy Huang
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APIDavid Keener
 
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Jonathan Barton
 
App Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishApp Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishChris Schalk
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Romit Mehta
 
Dataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDeepak Chandramouli
 
Introduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesIntroduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesChris Schalk
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Greg Castle
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingBitbar
 
What's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessWhat's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessChris Schalk
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudRevelation Technologies
 
04/2010 - Google App Engine
04/2010 - Google App Engine04/2010 - Google App Engine
04/2010 - Google App Enginedaveayan
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesChris Schalk
 
Javaedge 2010-cschalk
Javaedge 2010-cschalkJavaedge 2010-cschalk
Javaedge 2010-cschalkChris Schalk
 

Semelhante a Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen (20)

API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Exploring Google APIs with Python
Exploring Google APIs with PythonExploring Google APIs with Python
Exploring Google APIs with Python
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
Google App Engine – niekonwencjonalna platforma aplikacji SaaS do Twojego nas...
 
The journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data PipelineThe journey of Moving from AWS ELK to GCP Data Pipeline
The journey of Moving from AWS ELK to GCP Data Pipeline
 
Creating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services APICreating a World-Class RESTful Web Services API
Creating a World-Class RESTful Web Services API
 
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ...
 
App Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures PublishApp Engine Overview Cloud Futures Publish
App Engine Overview Cloud Futures Publish
 
Scale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | GimelScale By The Bay | 2020 | Gimel
Scale By The Bay | 2020 | Gimel
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018Gimel at Dataworks Summit San Jose 2018
Gimel at Dataworks Summit San Jose 2018
 
Dataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platformDataworks | 2018-06-20 | Gimel data platform
Dataworks | 2018-06-20 | Gimel data platform
 
Introduction to Google's Cloud Technologies
Introduction to Google's Cloud TechnologiesIntroduction to Google's Cloud Technologies
Introduction to Google's Cloud Technologies
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and Testing
 
What's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for BusinessWhat's new in App Engine and intro to App Engine for Business
What's new in App Engine and intro to App Engine for Business
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
 
04/2010 - Google App Engine
04/2010 - Google App Engine04/2010 - Google App Engine
04/2010 - Google App Engine
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform Technologies
 
Javaedge 2010-cschalk
Javaedge 2010-cschalkJavaedge 2010-cschalk
Javaedge 2010-cschalk
 

Último

Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋nirzagarg
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...SUHANI PANDEY
 
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋nirzagarg
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...tanu pandey
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...SUHANI PANDEY
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubaikojalkojal131
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...nilamkumrai
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 

Último (20)

Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

  • 1. Shopify’s $25K Bug Report and the cluster takeover that didn’t happen Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google North America 2018
  • 2. A production security story Introduction Bug report Detection TakeawaysExchange Attack & defense
  • 4. Who is shopify.com? 2017 data Shopify’s background 600K+ merchants 26B+ $processed 80K+ requests per second peak traffic
  • 5. Shopify cloud platform • Scalable • Application developers don’t need to learn k8 • Self-serve with guardrails & paved roads • Security*** by default
  • 6. Shopify’s bug bounty programs •   330+ hackers over 3+ years •   Merchants and buyers protected •   $1,000,000+ paid •   hackerone.com/shopify
  • 8. Security report and responses 7:39pm Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app 7:50pm Incident declared 8:00pm Cloudsec and app dev teams contacted 8:43pm Merged commit to disable vulnerable feature 9:27pm Investigation and cleanup started (rotate credentials, contact Google, investigate logs) 1 hour
  • 10. Image of page Request screenshot Request storefront What is Exchange? Marketplace for buying & selling stores Webpage 3. Test store Test store frontpage 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots
  • 12. cluster control X kubeletkube-env Google service account token SSRF The attack Security researcher
  • 13. Server Side Request Forgery (SSRF)
  • 14. Attack: Weaponize SSRF Existing workflow Image of page Request screenshot Request storefront 2. Screenshot service Headless browser 1. Exchange app Create listing Screenshots Webpage 4. Metadata service 3. Test store Test store frontpage
  • 15. Webpage 4. Metadata service 1. Exchange app Create listing Screenshots Request screenshot Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Attack: Weaponize SSRF Got token for the VM’s Google service account
  • 16. Request token 4. Metadata server Default SA token v1 Attack: Weaponize SSRF Got token for the VM’s Google service account 1. Exchange app Create listing Screenshots Webpage Request storefront 3. Test store Exploit page 2. Screenshot service Headless browser Request screenshot
  • 17. Sidebar: What is this Google SA? Node (VM) Metadata server Service account Pod Token Token Google APIs
  • 19. 403: header required 4. Metadata server Default SA token v1 1. Exchange app Create listing Screenshots Defense: Require header Metadata server requires header: Metadata-Flavor: Google Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser
  • 20. Token 4. Metadata server Default SA token v1 v1beta1 1. Exchange app Create listing Screenshots Attack: Use old API version Beta API: no request header required :( Webpage Request storefront 3. Test store Exploit page Request screenshot 2. Screenshot service Headless browser Image of token
  • 21. Defense: Disable old API versions • Beta API known issue: APIs still in use • Disabled by default in new 1.12+ clusters • Opt-in now: “disable-legacy-endpoints=true” • goo.gl/JsdJbL for details
  • 22. Defense: Least priv on token • Default SA least privilege from 1.10+ • May vary if users have granted extra privs • Shopify had minimal privs for log/mon/debug • Token not useful to researcher
  • 23. 5. Metadata server Default SA token v1 v1beta1 kube-env Request screenshot Request storefront Webpage 2. Screenshot service Headless browser kube-env 1. Exchange app Create listing Screenshots Attack: What other metadata? Metadata server = trust bootstrap for nodes Export static key from “kube-env” Image of kube-env 3. Test store Exploit page
  • 25. Attack: Kubelet bootstrap key Kube-env Security researcher machine CA.crt client.crt client.pem GKE K8s API Server kubectl
  • 26. Request screenshot Request storefront Defense: Metadata concealment Now: metadata concealment (Beta) goo.gl/u6rrMT Future: K8s TPM trust bootstrap Webpage 3. Test store Exploit page 2. Screenshot service Headless browser 403 Forbidden 4. Metadata proxy Whitelist/blacklist 1. Exchange app Create listing Screenshots 5. Metadata server Default SA token v1 v1beta1 kube-env
  • 27. Defense: Minimize kubelet privs • RBAC on (ABAC off): GKE default • Node Authorization on: GKE default • Audit role bindings: GKE “kubelet-cluster-admin” (not actually cluster admin) binding if upgraded cluster https://kubernetes.io/docs/tasks/administer-clus ter/securing-a-cluster/
  • 30. What’s in the logs? • K8s API audit logs: goo.gl/d8YebH • Content depends on audit policy • GKE: g.co/gke/auditlogging
  • 31. Filter logs for kubelet user
  • 32. Filter logs for kubelet user
  • 39. Shopify’s response 1 day • Disable vulnerable service. • Start rotating credentials. • Pay $ to researcher. 1 week • Analyze audit logs. • Clean up RBAC. 1 month • Prevent unwanted redirects. • Re-enable screenshot service. • Deploy metadata proxy. • Pay $$$ to researcher. • Disclose vulnerability.
  • 40. Lessons learned: K8s advice • Follow cloud provider hardening advice (GKE: g.co/gke/hardening) • Block off/filter access to any privileged network endpoints • Run RBAC and Node Authorization (GKE default) • Apply least privilege for K8s service accounts • Audit role bindings, especially upgraded clusters • Collect API logs and have them available to query (GKE default)
  • 41. Links and references Shopify bug bounty: hackerone.com/shopify Bug report details: goo.gl/dqynDa GKE disable old APIs: goo.gl/JsdJbL GKE metadata conceal: goo.gl/u6rrMT K8s API audit logs: goo.gl/d8YebH GKE logging: g.co/gke/auditlogging Shane Lawrence Security Infrastructure Engineer Twitter: @shaneplawrence Github: @shane-lawrence Shopify Greg Castle GKE Security Tech Lead Twitter: @mrgcastle Github: @destijl Google
  • 44. Example log queries • Broad strokes to get you started • No standard language for queries like this • SQL seems most standard • But includes some BigQuery-isms for unpacking repeated fields • Validation/tweaking on production clusters needed • Mostly intended to point out interesting values and fields
  • 45. RBAC Changes (excl system) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.methodName LIKE " io.k8s.authorization.rbac.v1%" AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:%" LIMIT 100 Similarly, use these methodName strings for specific changes to roles or bindings: “io.k8s.authorization.rbac.v1.roles.%” “io.k8s.authorization.rbac.v1.rolebindings.%” “io.k8s.authorization.rbac.v1.clusterroles.%” “io.k8s.authorization.rbac.v1.clusterrolebindings.%”
  • 46. Creating CSRs via K8s API SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protoPayload_auditlog.resourceName LIKE "certificates.k8s.io/v1beta1/certificatesigningrequests%" LIMIT 100
  • 47. Unauth’d web requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail = " system:anonymous" LIMIT 100
  • 48. Kubelet bootstrap identity calls (GKE specific) SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " kubelet" LIMIT 100
  • 49. Node authenticated requests SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE " system:node%" LIMIT 100
  • 50. Calls outside IP range SELECT timestamp, protopayload_auditlog.methodName AS method, protopayload_auditlog.resourceName AS resource, protopayload_auditlog.authenticationInfo.principalEmail AS suid, authzinfo.granted AS granted, protopayload_auditlog.requestMetadata.callerIp AS saddr FROM `gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`, UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo WHERE NOT protopayload_auditlog.requestMetadata. callerIp="127.0.0.1" AND NOT protopayload_auditlog.requestMetadata. callerIp="::1" AND protopayload_auditlog.requestMetadata. callerIp NOT LIKE "8.8%" LIMIT 100