An Attacker Looks at Docker: Approaching Multi-Container Applications

Conference:  Defcon 26



The presentation discusses the relationship between attacker skill set, developer skill set, and the use of new technologies like containerization. It emphasizes the importance of leveraging existing skills and keeping up to date with new technologies to effectively test and secure multi-container applications.
  • Developers are using containerization to efficiently engage with multiple people and build applications out of Lego-like containers.
  • The use of containers opens up more vulnerabilities than vulnerabilities in the platform itself.
  • Existing offense-oriented skills are becoming useful at a lower level relative to new multi-container applications.
  • It is important to keep up to date with new technologies and their attack surfaces.
  • Containerization represents an opportunity for attackers to leverage existing system and network-level knowledge.
  • The white paper associated with the talk provides more detailed information and resources on the subject.
The speaker shares that their team had to come up to speed with containerization and develop tools for large-scale engagements efficiently. In the process, they learned a lot about how attackers look at these things. The speaker emphasizes the importance of keeping oneself up to date with new technologies, as it is better to thoroughly test an application before an engagement than to use a client's time to learn the material.


Containerization, such as that provided by Docker, is becoming very popular among developers of large-scale applications. The good news: this is likely to make your life easier as an attacker. While exploitation and manipulation of traditional monolithic applications might require specialized experience and training in the target languages and execution environment, applications made up of services distributed among multiple containers can be effectively explored and exploited "from within" using many of the system- and network-level techniques that attackers, such as penetration testers, already know. The goal of this talk is to provide a hacker experienced in exploitation and post-exploitation of networks and systems with an exposure to containerization and the implications it has on offensive operations. Docker is used as a concrete example for the case study. A hacker can expect to leave this presentation with a practical exposure to multi-container application post-exploitation.