检测微服务结构 Web 应用程序中的 Taint 式漏洞.pdf

1、#BHUSA BlackHatEventsDetecting Taint-Style Vulnerabilities in Detecting Taint-Style Vulnerabilities in Microservice-Structured Web ApplicationsMicroservice-Structured Web ApplicationsSpeaker:Fengyu Liu(LFY)Contributors:#BHUSA BlackHatEventsAgenda Warm-up&Industry Context The Attack Surfaces in Micro

2、services Real Case Study How MScan Works Evaluation Conclusion&Takeaways#BHUSA BlackHatEventsModern Apps:From Monolith to Microservices#BHUSA BlackHatEventsModern Apps:From Monolith to Microservices Microservices dominate cloud-native architecture Decentralized,scalable,dynamic but complex One user

3、request may pass through 10+services#BHUSA BlackHatEventsMicroservices:Gateway Central entry that routes user requests to internal services based on routing rules For example,it forwards requests to Portal but blocks access direct to User#BHUSA BlackHatEventsMicroservices:Inter-service Communication

4、 Lightweight network communication mechanism(e.g.,REST,gRPC)that connect services and pass data#BHUSA BlackHatEventsAgenda Warm-up&Industry Context The Attack Surfaces in Microservices Real Case Study How MScan Works Evaluation Conclusion&Takeaways#BHUSA BlackHatEventsTaint-style Vulnerabilities in

5、Microservice App Intra-service Vulnerability happens within a single microservice#BHUSA BlackHatEventsTaint-style Vulnerabilities in Microservice App Inter-service Vulnerability involves Inter-service communication#BHUSA BlackHatEventsAgenda Warm-up&Industry Context The Attack Surfaces in Microservi

6、ces Real Case Study How MScan Works Evaluation Conclusion&Takeaways#BHUSA BlackHatEventsReal Case:Spring Cloud Dataflow A cloud dataflow platform under Spring Projects#BHUSA BlackHatEventsReal Case:Spring Cloud Dataflow Entry:Stream Rest Service Edge:RestTemplate Service:Package Rest Service Sink:Fi