Container Escape with Basic Auth
How Container Escape Manifests in Basic Auth
Container escape through Basic Auth vulnerabilities typically occurs when authentication mechanisms are improperly implemented within containerized environments. The most common attack vector involves credential exposure through environment variables or configuration files that are accessible within the container's filesystem.
Consider a Node.js application using Basic Auth middleware:
const http = require('http');
const auth = require('basic-auth');
const server = http.createServer((req, res) => {
const credentials = auth(req);
if (!credentials || credentials.name !== process.env.API_USER ||
credentials.pass !== process.env.API_PASS) {
res.statusCode = 401;
res.setHeader('WWW-Authenticate', 'Basic realm="api"');
res.end('Unauthorized');
return;
}
res.end('Authenticated');
});The critical vulnerability here is that credentials stored in environment variables can be exposed through various container escape techniques. An attacker who gains access to the container can use cat /proc/1/environ or inspect the container's runtime environment to retrieve these credentials.
Another manifestation occurs when Basic Auth credentials are hardcoded or stored in configuration files that mount into the container. Docker volumes or Kubernetes ConfigMaps can inadvertently expose these credentials to other containers or processes running on the same host.
Command injection through Basic Auth endpoints provides another escape vector. If an application processes authentication credentials and passes them to system commands without proper sanitization, an attacker can craft credentials containing shell metacharacters:
// Vulnerable code
const { exec } = require('child_process');
function authenticate(username, password) {
// Command injection vulnerability
exec(`validate_user.sh ${username} ${password}`, (err, stdout) => {
if (stdout.includes('valid')) {
return true;
}
});
return false;
}An attacker could use credentials like test' && cat /etc/shadow && echo ' to execute arbitrary commands and potentially escape the container's filesystem restrictions.
Time-of-check-to-time-of-use (TOCTOU) race conditions in Basic Auth implementations can also lead to container escape. If authentication checks occur before resource access but the resource path can be manipulated between checks, an attacker might access files outside the intended directory:
const fs = require('fs');
function handleRequest(req, res) {
const credentials = auth(req);
// Race condition: path manipulation between auth and access
const filePath = sanitizePath(req.url);
if (authenticate(credentials.name, credentials.pass)) {
// TOCTOU: file path could be changed after auth check
fs.readFile(filePath, 'utf8', (err, data) => {
res.end(data);
});
}
}These vulnerabilities are particularly dangerous in multi-tenant container environments where one compromised container might access data from other containers or the host system.
Basic Auth-Specific Detection
Detecting container escape vulnerabilities in Basic Auth implementations requires both static analysis and runtime scanning. The key is identifying where credentials are stored, how they're processed, and what external commands or file operations are performed.
Static analysis should focus on credential storage patterns. Look for:
- Environment variable usage for credentials (
process.env.API_USER,process.env.API_PASS) - Hardcoded credentials in source code
- Configuration files containing usernames and passwords
- Base64-encoded credentials that might be reversible
Runtime scanning with middleBrick can identify these vulnerabilities by testing the unauthenticated attack surface. The scanner examines how Basic Auth endpoints handle malformed credentials, timing variations, and concurrent requests that might expose race conditions.
For Basic Auth specifically, middleBrick tests for:
| Test Type | Detection Method | Risk Level |
|---|---|---|
| Credential Exposure | Attempts to access environment variables and configuration files | High |
| Command Injection | Crafts credentials with shell metacharacters | Critical |
| TOCTOU Race Conditions | Rapid authentication and access attempts | High |
| Path Traversal | Tests for directory traversal in authenticated endpoints | Medium |
The scanner also examines HTTP response headers for information disclosure. Basic Auth implementations often reveal too much information through error messages or timing differences that indicate whether a username exists versus whether the password is incorrect.
Network-level detection includes monitoring for unusual outbound connections from containers after authentication. If a Basic Auth endpoint processes credentials and then initiates network connections to unexpected destinations, this could indicate a container escape attempt.
Using the middleBrick CLI for Basic Auth scanning:
npx middlebrick scan https://api.example.com/auth --basic-auth --verboseThis command tests the Basic Auth endpoint for the specific vulnerabilities mentioned above, providing a security score and detailed findings about container escape risks.
Automated scanning in CI/CD pipelines ensures Basic Auth implementations are tested before deployment. The middleBrick GitHub Action can fail builds if container escape vulnerabilities are detected:
name: Security Scan
on: [push]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run middleBrick Scan
uses: middlebrick/middlebrick-action@v1
with:
target-url: 'https://api.example.com/auth'
fail-on-severity: high
token: ${{ secrets.MIDDLEBRICK_TOKEN }}This integration ensures that Basic Auth implementations are continuously tested for container escape vulnerabilities as code changes are made.
Basic Auth-Specific Remediation
Remediating container escape vulnerabilities in Basic Auth implementations requires a defense-in-depth approach that addresses credential storage, input validation, and process isolation.
First, eliminate credential exposure through environment variables. Use secret management systems instead:
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
const client = new SecretManagerServiceClient();
async function getCredentials() {
const [userResponse] = await client.accessSecretVersion({
name: 'projects/PROJECT_ID/secrets/API_USER/versions/latest'
});
name: 'projects/PROJECT_ID/secrets/API_PASS/versions/latest'
});
return {
user: userResponse.payload.data.toString(),
pass: passResponse.payload.data.toString()
};
}This approach ensures credentials are never stored in plaintext within the container's environment.
Implement proper input validation and sanitization for Basic Auth credentials:
const { validate } = require('class-validator');
class Credentials {
@IsString()
@Length(1, 255)
username: string;
@IsString()
@Length(1, 255)
password: string;
}
function authenticate(req, res) {
const credentials = auth(req);
if (!credentials) {
return unauthorized(res);
}
const authCredentials = new Credentials();
authCredentials.username = credentials.name;
authCredentials.password = credentials.pass;
const errors = await validate(authCredentials);
if (errors.length > 0) {
return unauthorized(res);
}
// Safe authentication logic
if (authCredentials.username === storedCredentials.user &&
authCredentials.password === storedCredentials.pass) {
return authorized(res);
}
return unauthorized(res);
}This validation prevents command injection and ensures credentials meet expected formats before processing.
Address TOCTOU vulnerabilities by using atomic operations:
const fs = require('fs').promises;
async function safeFileAccess(credentials, filePath) {
// Authenticate and authorize in a single atomic operation
const isValid = await authenticate(credentials);
if (!isValid) {
return unauthorized();
}
try {
// Use realpath to resolve and verify the final path
const resolvedPath = await fs.realpath(filePath);
if (!resolvedPath.startsWith('/safe/base/path')) {
return forbidden();
}
const data = await fs.readFile(resolvedPath, 'utf8');
return data;
} catch (err) {
return notFound();
}
}This pattern ensures the file path is validated after authentication and before access, preventing directory traversal attacks.
Implement proper container isolation using security contexts:
# Docker security configuration
securityContext:
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop: ['ALL']
readOnlyRootFilesystem: true
allowPrivilegeEscalation: falseThese settings prevent the container from accessing sensitive host resources even if authentication is bypassed.
For Kubernetes deployments, use NetworkPolicies to restrict container communication:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: basic-auth-policy
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- protocol: TCP
port: 80
egress:
- to: []
ports:
- protocol: TCP
port: 80This network isolation prevents containers from accessing unauthorized services even if they escape authentication.
Finally, implement comprehensive logging and monitoring to detect container escape attempts:
const winston = require('winston');
const logger = winston.createLogger({
transports: [new winston.transports.Console()],
format: winston.format.combine(
winston.format.timestamp(),
winston.format.json()
)
});
function monitorAuthentication(req, res, next) {
const start = Date.now();
res.on('finish', () => {
const duration = Date.now() - start;
logger.info('Auth attempt', {
ip,
method: req.method,
url: req.url,
statusCode: res.statusCode,
duration
});
});
next();
}These monitoring capabilities help detect unusual authentication patterns that might indicate container escape attempts.