Hacking Microservices For Fun and Bounty

Microservices are catching a lot of heat these days, they are on the verge of going mainstream, as according to a recent survey from Nginx, 36 percent of enterprises surveyed are currently using microservices, with another 26 percent in the research phase. But what exactly is a microservices architecture.

From a Perspective of a Penetration Tester or a Bug Bounty Hunter, it's very important to first know the core working of technology before actually testing to break it. So today let's dive into Microservices.

Microservices is an architectural style that structures an application as a collection of small autonomous services, modeled around a business domain. It helps different services to run independently in their pod and to efficiently transfer data between each other without relying much on each other.

How Microservices are different from Monolith and Rest APIs?

The base difference Between Traditional Architecture(Monoliths and RESTful APIs) and Microservices arises from their way of sharing resources and services within the Application All the services are separated based on their domains and functionalities and are further allotted to individual microservices. Each service in the Microservice Architecture is self-contained and implements a single business capability like User Authentication, Searching, and So on.

These microservices have their own load balancer and execution environment to execute their functionalities & at the same time captures data in their own databases. All the internal points are connected from the API Gateway. So, anybody who connects to the API Gateway automatically gets connected to the complete system

Microservices are leveraging complexity in code by adding complexity in interaction and More Complexity leads to More bugs. According to many studies, Microservices are considered to be four times more vulnerable than traditional monolithic applications. Due to its distributed structure, each service API and network layer expose susceptible entry points to potential attack vectors.

Usually, service calls are secured by implementing an API gateway, which acts as the single entry point to receive a call and then route traffic onto different services. This approach of having a single entry point through authentication has its own merits and demerits. Sometimes an attacker only needs to bypass the BFF/API Gateway to control the whole Architecture. This is the worst nightmare for any company

Theoretically, an API gateway limits the attack surface; however, it also turns out to be a single point of failure for potential attack vectors. Mostly the Authentication part is controlled by the gateway making it more Dangerous if bypassed. Recent research also suggests that most traditional attack vectors target an application through API calls.