1

I am considering using URL rewrites in the Kubernetes nginx proxy to publish selected context paths in microservices which are run in a cluster running internal services. For example:

https://public.mycompany.com/microserviceone/api/v4/resource1

would be rewritten and routed to

http://microserviceone/public/api/v4/resource1

inside the k8s cluster. Web services are generally REST-based, accepting GET requests and POST requests with application/json payloads.

This is the hypothetical ingress configuration in this case:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: microserviceone-public-ingress
  namespace: default
  labels:
    app: microserviceone
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /public/
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
    - host: public.mycompany.com
      http:
        paths:
          - path: /microserviceone
            backend:
              serviceName: microserviceone-service
              servicePort: 80
  tls:
    - hosts:
        - public.mycompany.com
      secretName: microserviceone-cert
```

My question is this: Assuming that all resources within the /public/ URL context on a service are secured using appropriate methods such as certificates, API tokens or user authentication tokens, is there a known way for an attacker to circumvent the URL rewrite and request resources outside the /public/ context path?

  • "Are there security considerations..." open-ended-type questions are generally closed as too broad here, because the answer is invariably: _"Yes, thousands, and we don't have enough information on your system to point out the most obvious ones."_ For this question, your request rewriter should work on an explicit-allow list, set to only those internal routes that you want to expose. – Ghedipunk Jul 08 '19 at 22:33
  • Point taken. Edited the question. Good point about the explicit allow list. Will look into that. – Gudlaugur Egilsson Jul 08 '19 at 22:45
  • 3
    Not sure whether Kubernetes rewrites have this issue or not, but you might also want to test directory traversal... I.e., `public.example.com/microservice/../private/foo` could be rewritten by your router to `internal.example.com/microservice/public/../private/foo` and interpreted by your back end as `microservice/private/foo`. – Ghedipunk Jul 08 '19 at 23:01
  • FYI: I got a review on this from a security services company, and to their knowledge there is no known exploit that circumvents the URL rewrite done by the Kubernetes nginx ingress controller. – Gudlaugur Egilsson Jan 15 '20 at 14:51
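
The directory-traversal check suggested in the comments can be kept as a regression test. The following is an added example, not code from the question or from the ingress controller: it models a naive prefix rewrite and a backend that percent-decodes and collapses dot segments (both are assumptions, as are all function names), and flags request paths that would resolve outside `/public/`.

```python
import posixpath
from urllib.parse import unquote

PUBLIC_PREFIX = "/microserviceone"   # ingress path from the question
REWRITE_TARGET = "/public"           # rewrite-target from the question
ALLOWED_ROOT = "/public/"            # only this backend context may be reached


def rewrite(request_path: str) -> str:
    """Naive prefix rewrite (assumed model, not ingress-nginx's own logic)."""
    if request_path != PUBLIC_PREFIX and not request_path.startswith(PUBLIC_PREFIX + "/"):
        raise ValueError("path is not routed by this ingress rule")
    return REWRITE_TARGET + request_path[len(PUBLIC_PREFIX):]


def backend_view(upstream_path: str) -> str:
    """Path as seen by a backend that decodes %XX and resolves '.' and '..'."""
    return posixpath.normpath(unquote(upstream_path))


def escapes_public(request_path: str) -> bool:
    """True if the rewritten path resolves outside the allowed context."""
    seen = backend_view(rewrite(request_path))
    # Compare with a trailing slash so "/publicity" does not pass as "/public".
    return not (seen + "/").startswith(ALLOWED_ROOT)


# Constructed sample request paths (not taken from real traffic).
CONSTRUCTED_PATHS = [
    "/microserviceone/api/v4/resource1",         # normal request
    "/microserviceone/../private/foo",           # the case from the comment
    "/microserviceone/%2e%2e/private/foo",       # same case, percent-encoded
    "/microserviceone/api/../api/v4/resource1",  # dot segment that stays inside
]


def audit(paths):
    """Map each request path to 'ESCAPES' or 'ok' under the model above."""
    return {p: ("ESCAPES" if escapes_public(p) else "ok") for p in paths}


if __name__ == "__main__":
    for path, verdict in audit(CONSTRUCTED_PATHS).items():
        print(f"{verdict:8} {path} -> {backend_view(rewrite(path))}")
```

Sending the same list through the real ingress in a test cluster and comparing the backend's access log with these verdicts shows whether the deployed proxy and backend normalize paths the way the model assumes.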

1 Answer

0

It is not possible to give a definite answer, because you are telling us how things should work, not the actual implementation. As a result, people can only make wild guesses. It would be very unethical for a professional to make any kind of statement about the security of the system in such a case. It would be akin to a doctor making a diagnosis, based on a phone call with a patient, who claimed that sometimes their joints hurt a bit.

The best way to get some more practical results is to conduct a professional penetration test. This may or may not be within your budget, but you can always contact a pentesting company near you and ask for an estimate. Depending on the size of your application and some other details, such a test could cost you several thousand dollars.

If this is out of your reach budget-wise, then an automated vulnerability scanner may be worth a try. Most well-developed vulnerability scanners come with a free trial, but be sure to adhere to the license requirements (especially in regards to commercial use, should that apply to you). Keep in mind that automated scanners will give automated results, so please don't equate "The scanner did not find anything" with "No vulnerabilities exist".


You might ask which pentesting companies or vulnerability scanners I would recommend, but such recommendations are off-topic.

  • Perhaps the ingress config code would help? I am aware of penetration testing companies and vulnerability scanners, we have a good relationship with one such company, which we would get to validate the implementation IF we go down this path. In my mind, getting an answer here is about not wasting time on implementing obviously flawed ideas, and wasting time vulnerability testing the same. – Gudlaugur Egilsson Jul 09 '19 at 11:32
  • I appreciate your input but I would also suggest that you post non-answers like this as a comment on the question rather than as an answer. – Gudlaugur Egilsson Jul 09 '19 at 11:46
  • 4
    This is as good an answer as is possible. What you are basically asking for is a pen-and-paper pentest, where you explain your system to people and ask for feedback. Your question is, simply put, **too broad** and as such, only generic answers are possible. –  Jul 09 '19 at 12:05