
How to Fuzz Complex Microservices in 5 Easy Steps

Submitted by Style Pass, 2021-07-29 12:00:07

Security testing for microservices is particularly hard, as they are highly interconnected. In this article, I will show you how to find a remote code execution vulnerability in an unreleased version of the German Covid-19 tracing app (CWA), using feedback-based fuzz testing. In 5 steps, I will guide you through the whole process and show you how you can effortlessly build fuzz tests for JVM-based web applications.

In my last blog article, I described why it is so important to improve the reliability and security of web services. Now I will show you how to do it.

Example web application: Covid-19 Contact Tracing App (please note that the expression language injection vulnerabilities were originally found by Alvaro Munoz)

In order to provide secure and reliable web services, it is first of all necessary to get familiar with the backend structure and the architecture of the application. It is important to zoom out and get a rough overview, so that you can recognize the interfaces where automated fuzz testing is most likely to uncover the most critical vulnerabilities first.

I would like to demonstrate this using an example: the following scheme illustrates the architecture of the German Covid-19 contact tracing app backend. In Germany, this app is used by large parts of the population to trace Covid-19 infections and notify people about potential risks. The app also tracks Covid-19 test results and sends them to the user.
