An Attacker Looks at Docker: Approaching Multi-Container Applications

Conference:  BlackHat USA 2018



The presentation discusses the importance of understanding containerization and its impact on application security testing and penetration testing. The speaker emphasizes the need for cybersecurity professionals to develop their skill sets and keep up with new technologies to stay ahead of attackers.
  • Containerization is becoming more important in application security testing and penetration testing
  • Developers' use of containerization opens them up to more vulnerabilities than vulnerabilities in the platform itself
  • Understanding containerization allows for post-exploitation manipulation and instrumentation
  • Exploitation of containerized apps begins with a vulnerability in the surface level of the attack surface
  • Cybersecurity professionals need to keep up with new technologies to stay ahead of attackers
The speaker gives an example of an intelligence collection platform that uses containerization to store data temporarily or buffer it. This democratizes post-exploitation manipulation and instrumentation, allowing attackers to connect to Redis and start dumping a list of queries that are made to it, or start poking at the data reading it and writing it, without interrupting the processing of the program.


Containerization, such as that provided by Docker, is becoming very popular among developers of large-scale applications. This is likely to make life a lot easier for attackers.While exploitation and manipulation of traditional monolithic applications might require specialized experience and training in the target languages and execution environment, applications made up of services distributed among multiple containers can be effectively explored and exploited "from within" using many of the system- and network-level techniques that attackers, such as penetration testers, already know.The goal of this talk is to provide a penetration tester experienced in exploitation and post-exploitation of networks and systems with an exposure to containerization and the implications it has on offensive operations. Docker is used as a concrete example for the case study. A penetration tester can expect to leave this presentation with a practical exposure to multi-container application post-exploitation that is as buzzword-free as is possible with such a trendy topic.



Post a comment

Related work

Conference:  RSA Conference 2023
Authors: Sean Atkinson, Chris Elgee

Authors: Jared Burck, Valentina Rodriguez Sosa, James Bench, Christopher Nuland

Authors: Kim Carter