Container Escape in Aspnet with Basic Auth
Container Escape in Aspnet with Basic Auth — how this specific combination creates or exposes the vulnerability
A container escape in an ASP.NET application using HTTP Basic Authentication occurs when an attacker who has obtained or manipulated Basic Auth credentials leverages a vulnerable ASP.NET runtime or host configuration to break out of the container boundary. In this scenario, Basic Auth provides only transport-level identification; it does not reduce the privilege surface of the process running inside the container. If the ASP.NET application runs as root or with broad capabilities, and the container shares the host’s PID namespace or has a mounted sensitive host path, a compromised credential can be used to reach an endpoint that executes host-level operations.
For example, an attacker may use valid Basic Auth credentials to access an endpoint that calls Process.Start or uses a server-side template that resolves to a host file such as /proc/self/root/. Because the container’s isolation relies on the runtime’s namespace and cgroup boundaries, any code execution that maps to these host paths can lead to a container escape. Insecure capabilities such as CAP_SYS_ADMIN or a writable /proc can turn a simple authenticated request into a host compromise. The attacker’s foothold comes from valid credentials, but the impact is amplified by container misconfigurations that expose host resources.
When scanning with middleBrick, the LLM/AI Security checks can detect whether the endpoint exposes dangerous patterns such as unchecked input used in process or file operations, while the Property Authorization and BOLA/IDOR checks verify whether authenticated users can access or manipulate resources beyond their scope. These findings help identify endpoints that, although protected by Basic Auth, remain capable of triggering dangerous host interactions when container controls are weak.
Basic Auth-Specific Remediation in Aspnet — concrete code fixes
Remediation focuses on removing reliance on Basic Auth for privilege enforcement, hardening the container runtime, and avoiding host-path interactions. Always prefer token-based or cookie-based authentication with secure transport. If Basic Auth must be used, treat it strictly as a transport identifier and enforce strict authorization checks and input validation on every endpoint.
- Run the container as a non-root user and drop unnecessary capabilities (e.g., remove
CAP_SYS_ADMIN). - Do not mount sensitive host paths such as
/proc,/sys, or the Docker socket inside the container. - Validate and sanitize all inputs before using them in file or process operations, and avoid dynamic resolution of paths that include user-controlled data.
Below are concrete ASP.NET code examples that demonstrate secure handling when Basic Auth is retained for identification only.
// Program.cs: Configure Kestrel and authentication without relying on Basic Auth for privilege escalation
var builder = WebApplication.CreateBuilder(args);
// Use a secure authentication scheme (e.g., JWT Bearer) instead of Basic Auth where possible
builder.Services.AddAuthentication("Basic")
.AddScheme("Basic", null);
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("RequireScopedRole", policy =>
policy.RequireRole("ApiUser").RequireClaim("scope", "api.read"));
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Minimal API with strict authorization and no host-path resolution
app.MapGet("/items/{id}", (Guid id, ClaimsPrincipal user) =>
{
if (!user.IsInRole("ApiUser")) return Results.Forbid();
// Use a fixed base path, never concatenate user input to paths
var basePath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "safe-data");
var filePath = Path.GetFullPath(Path.Join(basePath, id.ToString()));
if (!filePath.StartsWith(basePath, StringComparison.OrdinalIgnoreCase))
{
return Results.StatusCode(403);
}
// Safe read operation with no host escapes
return Results.Ok(File.ReadAllText(filePath));
}).RequireAuthorization("RequireScopedRole");
app.Run();
// BasicAuthHandler.cs: Minimal handler that only sets a generic identity; authorization is enforced separately
public class BasicAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public BasicAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
if (!Request.Headers.ContainsKey("Authorization")) return AuthenticateResult.NoResult();
var header = Request.Headers["Authorization"].ToString() ?? string.Empty;
if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return AuthenticateResult.NoResult();
var token = Encoding.UTF8.GetString(Convert.FromBase64String(header["Basic ".Length..]));
var parts = token.Split(':', 2);
if (parts.Length != 2) return AuthenticateResult.NoResult();
// Validate credentials against a secure store; do not elevate privileges based on this
if (IsValidUser(parts[0], parts[1]))
{
var claims = new[] { new Claim(ClaimTypes.Name, parts[0]), new Claim("scope", "api.read") };
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return AuthenticateResult.Success(ticket);
}
return AuthenticateResult.Fail("Invalid credentials");
}
private static bool IsValidUser(string username, string password)
{
// Use a secure password verifier (e.g., bcrypt) and a restricted identity store
return username == "apiuser" && password == "S3cureP@ss!";
}
}
In this setup, Basic Auth only provides a low-assurance identifier; authorization is enforced via policies and role checks. The endpoint avoids path traversal by using a fixed base directory and validating that the resolved path remains within it. This reduces the impact of a credential compromise and prevents an authenticated request from triggering a container escape through host file or process access.