Table of Contents Categories
  Encyclosphere.org ENCYCLOREADER
  supported by EncyclosphereKSF

Broker injection

From HandWiki - Reading time: 1 min

}} Broker injection attack is a type of vulnerability that exploits misconfigured brokers, potentially allowing an attacker to read, write and inject information from/into their flow.

Description

There are many scenarios in which a broker is used to transport the information between tasks.

One of the most typical use cases is send e-mails in background. In this scenario we'll have two actors:

  • An information producer (a website, for example).
  • A worker or background process who actually sends the e-mail.

The producer needs an asynchronous and non-blocking way to send the email information to the worker.

This system is usually a broker. It takes the information from the web front-end and passes it to the worker, generating a new task in the worker. So, the worker has all the information to send the e-mail.

Taking the above scenario as an example, if we could access the broker, we would be able to make the worker generate new tasks with arbitrary data, unleashing a broker injection.

Attacks

With this in mind, we could make the following attacks:

  • Listing remote tasks.
  • Reading a remote task's contents.
  • Injection of tasks into remote processes.
  • Removing remote outstanding tasks.

Origin

The broker injection attack is not new, but it didn't have a name. This name was coined by Daniel GarcĂ­a (cr0hn) at the RootedCON 2016 conference in Spain .

See also

References


External links



Retrieved from "https://handwiki.org/wiki/index.php?title=Broker_injection&oldid=3373350"
Licensed under CC BY-SA 3.0 | Source: https://handwiki.org/wiki/Broker_injection
16 views | Status: cached on August 31 2024 10:18:53
↧ Download this article as ZWI file
Encyclosphere.org EncycloReader is supported by the EncyclosphereKSF