1 of 100

Security Testing Tool for Backend for Frontend (BFF) Microservices

BY

MS. CHANSIDA MAKARANOND 6188010

MR. PATTARAKRIT RATTANUKUL 6188018

MR. PUMIPAT WATANAKULCHARUS 6188026

ADVISORS

DR. CHAIYONG RAGKHITWETSAGUL, ASSOC. PROF. DR. VASAKA VISOOTTIVISETH, ICT, MAHIDOL UNIVERSITY

TANAPOL NEARUNCHORN, CHANON KHAMRONYUTHA, LINEMAN WONGNAI

2 of 100

Microservice Architecture

Microservices are small autonomous services that work together through lightweight communication mechanisms. The microservice style uses technologies that split an application into a group of small autonomous services, each running in its own process.

Advantages

  • Build software more quickly
  • Leverage new technologies
  • Scalability
  • Ease of deployment
  • Autonomous functionality

Microservice Web Application


3 of 100

Microservice Statistics


22.5% growth annually for the next five years

4 of 100

What is BFF ?

BFF (Backend For Frontend) is a microservice pattern in which one service connects with all the other internal services on behalf of a client.

  • Data is fetched more efficiently between frontend and backend
  • Several BFF instances can be created to support different client platforms
  • The BFF acts as a middleman between the clients and the backend microservices
  • The BFF can filter the data that is sent back to the clients


https://tsh.io/blog/design-patterns-in-microservices-api-gateway-bff-and-more/


5 of 100

BFF Example


https://blogs.thebitx.com/index.php/2021/06/15/the-bff-pattern-backend-for-frontend-an-introduction-by-viduni-wickramarachchi/


6 of 100

BFF Errors Are Hard to Trace


5xx or 4xx responses whose body contains an error exception (leakage)

We do not know which service(s) caused the error.

https://blogs.thebitx.com/index.php/2021/06/15/the-bff-pattern-backend-for-frontend-an-introduction-by-viduni-wickramarachchi/

7 of 100

HTTP Response Status Codes

  • Informational responses (100–199)
  • Successful responses (200–299)
  • Redirection messages (300–399)
  • Client error responses (400–499)
  • Server error responses (500–599)


8 of 100

HTTP 500 Internal Server Error

Many 500 Internal Server Errors are simply the result of an implementation that lacks error handling (e.g. returning 500 instead of 400).

Possible vulnerability from 500 Internal Server Errors

  • Resource leakage
  • Denial of service


9 of 100

Why Is Leakage from API Errors Problematic?

OWASP API Security Top 10 (API7:2019) - Security Misconfiguration

Example:

  • The unhandled error response from an API may contain excessive data such as a Java error exception (usually found with HTTP status codes 4xx, 5xx)

  • This causes a system information leak. Revealing system data or debugging information helps an adversary learn about the system and form an attack plan.

  • CWE-209: Generation of Error Message Containing Sensitive Information


10 of 100

API Fuzzing

Fuzzing is a technique that feeds strings of random characters into a program in the hope of uncovering failures.

Fuzzing is good at testing sets of parameter operations with unexpected values and is appropriate for API testing (it is also recommended by CWE).

These fuzzed values cause unexpected behaviours and errors in the API backend.

Benefits

  • Helps to discover more bugs
  • Reduces the manual work of entering unexpected values
  • Effective at finding input validation issues in APIs


References: Chen et al., A systematic review of fuzzing techniques, Computers & Security, 2018; Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler, The Fuzzing Book: Tools and Techniques for Generating Software Tests


11 of 100

Problem Statements

  1. The existing tools for evaluating microservice systems for security misconfiguration identify only the errors; they cannot identify the source of an error when the BFF turns one request into many.

  2. The results from API testing tools can be difficult to comprehend without a proper visualization.

  3. Relevant training and educational resources on API security problems in Thailand's computing courses are few and fall behind the expanding trend of harmful attacks on user software.


12 of 100

Project Objectives

To create an application that performs API security testing on BFF systems.

To create visualizations that help security testers understand the security issues easily.

To offer informative education on the detection of API security issues.


13 of 100


14 of 100

Our Solution


  • Free microservice and API security online course
  • API security testing tool with a testing sandbox
  • Available as a web application: https://microusity.dev/

15 of 100

Target


Software developers and students

  • Free API security online course
  • API security testing tool

16 of 100

Free Online Course


  • Video content about microservice and API security
  • Quiz
  • e-Certificate

17 of 100

Content In Course


  • Including 7 lessons + 1 sandbox demo

18 of 100

API Security Testing Tool


  • Supports error tracing for BFF
  • Tests using the fuzzing technique
  • Finds HTTP 5xx server error responses
  • Detects Java error exceptions
  • Provides a graph visualization report
  • Saves test report history
  • Can be applied to a custom BFF project

19 of 100

Sandbox BFF Project For Education

https://github.com/piomin/sample-spring-microservices-new

  • Java Spring Boot project
  • Microservice-based architecture
  • Simple CRUD operations for organization, department, employee
  • Contains a BFF gateway service, Organization service, Department service and Employee service


20 of 100

Applying to Lineman Wongnai BFF

  • BFF microservice-based architecture that connects with the Wongnai Merchant App (WMA)
  • The BFF is built with Node.js (JavaScript).
  • The core and other services are built with Java.


21 of 100


Implementation

22 of 100

Fuzzing Tool: RESTler


RESTler is the first stateful REST API fuzzing tool.

RESTler fuzzes APIs according to the Swagger spec.

RESTler identifies the response and then reports the possible vulnerabilities.

RESTler supports customization.

Reference: Atlidakis et al., RESTler: Stateful REST API Fuzzing, ICSE 2019

Website: https://www.microsoft.com/en-us/research/publication/restler-stateful-rest-api-fuzzing/


23 of 100


Network Monitoring Tool: Zeek


Zeek is a network security monitoring tool with a Turing-complete scripting language.

Zeek provides event-based computing that can be extended as needed.

Zeek focuses on traces and sessions rather than full packet data.


24 of 100

System Architecture


25 of 100

How Does Microusity Work?


26 of 100


Use Cases of Microusity

Use case: Bad BFF and bad Core API

RESTler sends a fuzzed API request to the BFF, and the BFF sends a fuzzed API request to the Core API. The Core API responds with a 4XX or 5XX status code and leaked error exception detail; the BFF responds with a 4XX or 5XX status code and the leaked error exception detail from the Core API.

  • The Core API responds with leaked error exception detail
  • The BFF responds with the leaked error exception detail from the Core API


27 of 100

Request Mapping


28 of 100

Test Report Design


29 of 100

Graph Visualization Design


30 of 100

DEMO


31 of 100


Evaluation

Evaluated: Microusity's educational course and the security testing tool sandbox

32 of 100


Evaluation

  • Educational Content Evaluation
  • Security Testing Tool Online Questionnaire
  • Security Testing Tool User Interviews
  • Security Testing Tool Applied to Lineman Wongnai System


*The user study is conducted following the Mahidol Central Institutional Review Board (IRB) guideline 2022/073.2503 (still under approval).

33 of 100


Evaluation - Educational Content

Evaluation procedure: recruitment, do the pre-test, watch the Microusity educational video, do the post-test

34 of 100



What do we evaluate? The study participants' understanding of the educational content, assessed by the difference between pre-test and post-test scores.

35 of 100


Evaluation - Educational Content

Recruitment: 14 IT students and 7 non-IT students, 21 research participants in total

36 of 100


Result - Educational Content

Pre-test score of IT students: avg 6.72

37 of 100


Result - Educational Content


Post-test score of IT students: avg 15.3

38 of 100


39 of 100


Result - Educational Content

Pre-test score of non-IT students: avg 6.2

40 of 100


Result - Educational Content


Post-test score of non-IT students: avg 14.2

41 of 100


Result - Educational Content

Overall Pre-test score

42 of 100


Result - Educational Content

Overall Post-test score

43 of 100


Result - Educational Content

44 of 100


Evaluation - Security testing tool sandbox

Security Testing Tool Online Questionnaire

Evaluation procedure: recruitment, watch the Microusity security testing tool demo video, do the online questionnaire

45 of 100


Evaluation - Security testing tool sandbox


What do we evaluate? We evaluate the Microusity security testing tool sandbox on four criteria: ease of use, clearness of the result, real-world usage, user interface design.

46 of 100


Evaluation - Security testing tool sandbox

Security Testing Tool Online Questionnaire

Recruitment: 6 IT students and 6 non-IT students, 12 research participants in total

47 of 100


Result - Security testing tool sandbox

Security Testing Tool Online Questionnaire


54 of 100


Evaluation - Security Testing Tool

Security Testing Tool Live Interview

Evaluation procedure: recruitment, participant fills out the consent form, schedule time and date for the interview, live interview

Recruitment target: full-time software developers with microservice experience

55 of 100


Evaluation - Security testing tool sandbox


What do we evaluate? We evaluate the Microusity security testing tool sandbox on two aspects: usability and usefulness.

56 of 100


Evaluation - Security Testing Tool

Security Testing Tool Live Interview

Recruitment: 5 participants from LMWN, 1 participant from KBTG, 1 participant from Brikl, 1 participant from Microsoft; 8 research participants in total

  • Senior SW engineer (3 years with microservices)
  • Senior SW engineer (8 months with microservices)
  • SW engineer (2.5 years with microservices)
  • SW engineer (6 months with microservices)
  • Software architect (1.5 years with microservices)
  • Software engineer (2 years with microservices)
  • Software engineer (1 year with microservices)
  • Solution architect (6 years with microservices)

57 of 100


Result - Security Testing Tool

Security Testing Tool Live Interview

58 of 100


Result - Security Testing Tool

Security Testing Tool Live Interview

Test result is easy to understand

59 of 100


Result - Security Testing Tool

Security Testing Tool Live Interview

Graph visualization is easy to understand

60 of 100


Result - Security Testing Tool

Security Testing Tool Live Interview

The usability of the overall system

61 of 100


Result - Security Testing Tool

Security Testing Tool Live Interview

Test real-world usefulness


64 of 100


Evaluation - Real-world Application

Security Testing Tool Applied to Lineman Wongnai BFF System

Evaluation procedure:

  • Test with the LMWN BFF system from April 2021 to March 2022 (based on commit time)
  • Run the test 3 times per commit
  • Find the average number of issues for each commit
  • Process the test result

65 of 100


Evaluation - Real-world Application


What do we evaluate? We evaluate the practicality of Microusity by applying it to a real-world BFF system.

66 of 100


Result - Real-world Application

Security Testing Tool Applied to Lineman Wongnai BFF System

*Security audit and fixing done in Aug 2021

*Change in BFF implementation after Sep 2021


71 of 100


Challenges

  • Adopting the RESTler tool: steep learning curve; configuring the input to increase the API's coverage takes an inordinate amount of time.

Note: each company has unique business logic, which makes data preparation for each tested API prohibitively time consuming.

72 of 100


  • Network interface of the LMWN BFF has been altered during our study


73 of 100


  • Very difficult to recruit individuals for the evaluation process due to Covid-19


74 of 100


Limitations

  • Supports exception leakage checking for Java only.

  • Supports tracking through the local loopback interface and the interface to the internal network only.

75 of 100


Future Works

  • Refine the graph visualization
  • Improve the user interface / user experience design
  • Extend exception leakage tracking to other languages
  • Add more leakage cases to the sandbox project to provide more examples

76 of 100


Conclusion

Microusity is an educational platform and a sandbox for security testing tools.

The evaluation reported that our tool has good usability and a significant amount of real-world usefulness.

Therefore, all the problem statements we defined have been addressed.

However, Microusity still has room for improvement in terms of user satisfaction, usability, and market prospects, which we will address in our future work plan.

77 of 100

78 of 100

Requests Mapping Concept


Along the time axis, each request/response pair is classified as without error or containing an error. Request A (failed) is mapped to the downstream requests B and C that it triggered, and the pairs (Request A / Response A, Request B / Response B, ...) are recorded in order.
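The request mapping concept above (and the use case on slide 26) in working form, as an added example that is not part of the original presentation or of the Microusity tool: each failed request into the BFF is matched with the downstream calls the BFF made while that request was in flight, and every 4xx/5xx body is checked for Java exception detail. The transaction fields, the `bff` service name and the Java signatures are assumptions; the traffic sample is constructed.

```python
import re
from dataclasses import dataclass

# Java exception signatures in an HTTP body (constructed; not Microusity's own rules).
JAVA_LEAK = re.compile(
    r"java\.[a-z]+\.[A-Za-z]+(?:Exception|Error)"        # java.lang.NullPointerException
    r"|org\.springframework\.[\w.]+(?:Exception|Error)"  # Spring exception classes
    r"|\bat [a-z][\w$.]+\([A-Za-z]+\.java:\d+\)"         # stack-trace frame
)

@dataclass
class HttpTxn:
    ts: float        # time the request was seen (seconds)
    src: str         # service that sent the request
    dst: str         # service that answered it
    path: str
    status: int
    body: str        # response body
    duration: float  # seconds between request and response

def leaks_exception(txn):
    """A 4xx/5xx whose body carries Java exception detail (CWE-209 style)."""
    return txn.status >= 400 and JAVA_LEAK.search(txn.body) is not None

def map_requests(txns, bff="bff"):
    """Request mapping: match each failed request into the BFF with the downstream
    calls the BFF made while that request was in flight, so the report names the
    service(s) behind the error and whether their responses leaked."""
    inbound = [t for t in txns if t.dst == bff]
    downstream = sorted((t for t in txns if t.src == bff), key=lambda t: t.ts)
    report = []
    for req in inbound:
        if req.status < 400:
            continue                                   # only failed requests are traced
        start, end = req.ts, req.ts + req.duration     # the request's in-flight window
        children = [d for d in downstream if start <= d.ts <= end]
        failed = [d for d in children if d.status >= 400]
        report.append({
            "bff_path": req.path,
            "bff_status": req.status,
            "bff_leaks": leaks_exception(req),
            "downstream": [f"{d.dst}{d.path}:{d.status}" for d in children],
            "error_sources": sorted({d.dst for d in failed}),
            "leaking_sources": sorted({d.dst for d in failed if leaks_exception(d)}),
        })
    return report

# Constructed traffic sample modelled on the sandbox project's services.
SAMPLE = [
    HttpTxn(10.00, "restler", "bff", "/employees/abc", 500,
            'java.lang.NumberFormatException: For input string: "abc"\n'
            "\tat com.example.EmployeeController.find(EmployeeController.java:42)", 0.30),
    HttpTxn(10.05, "bff", "employee-service", "/employee/abc", 500,
            'java.lang.NumberFormatException: For input string: "abc"', 0.10),
    HttpTxn(10.16, "bff", "department-service", "/department/1", 200, '{"id": 1}', 0.05),
    HttpTxn(20.00, "restler", "bff", "/organizations", 200, "[]", 0.05),
    HttpTxn(30.00, "restler", "bff", "/organizations/999", 404, '{"error": "not found"}', 0.12),
    HttpTxn(30.03, "bff", "organization-service", "/organization/999", 404,
            '{"error": "not found"}', 0.04),
]
```

`map_requests(SAMPLE)` attributes the leaking 500 to employee-service and the clean 404 to organization-service; the successful request is not traced.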

79 of 100

Microusity testing process


80 of 100


81 of 100


Use Cases of Microusity

1. Good BFF and good Core API

RESTler sends a fuzzed API request to the BFF, and the BFF sends a fuzzed API request to the Core API. The Core API responds with a 4XX or 5XX status code and no leaked error exception detail; the BFF responds with a 4XX or 5XX status code and no leaked error exception detail.

  • The Core API responds with no leaked error exception detail
  • The BFF can drop any exception leakage error detail from the Core API


82 of 100


Use Cases of Microusity

2. Good BFF and bad Core API

RESTler sends a fuzzed API request to the BFF, and the BFF sends a fuzzed API request to the Core API. The Core API responds with a 4XX or 5XX status code and leaked error exception detail; the BFF responds with a 4XX or 5XX status code and no leaked error exception detail.

  • The Core API responds with leaked error exception detail
  • The BFF can drop the leaked error exception detail from the Core API
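Use case 2 in code, as an added example that is not the Microusity tool's code nor LMWN's BFF: the bad BFF relays the Core API error body to the client untouched, while the good BFF keeps the status code but drops the Java exception detail, logging the original server-side under a correlation id so the error stays traceable. The Java signatures and the Spring-style upstream error body are constructed assumptions.

```python
import json
import logging
import re
import uuid

log = logging.getLogger("bff")

# Java exception signatures in an HTTP body (constructed; not Microusity's own rules).
JAVA_LEAK = re.compile(
    r"java\.[a-z]+\.[A-Za-z]+(?:Exception|Error)"
    r"|org\.springframework\.[\w.]+(?:Exception|Error)"
    r"|\bat [a-z][\w$.]+\([A-Za-z]+\.java:\d+\)"
)

def bad_bff_forward(status, upstream_body):
    """The bad BFF of the use cases: relays the Core API error body to the client untouched."""
    return status, upstream_body

def good_bff_forward(status, upstream_body, correlation_id=None):
    """The good BFF: keeps the status code but replaces error bodies that carry Java
    exception detail with a generic payload; the original is logged server-side
    under a correlation id, so the error stays traceable without exposing internals."""
    if status < 400 or JAVA_LEAK.search(upstream_body) is None:
        return status, upstream_body               # success or already-clean error payload
    correlation_id = correlation_id or uuid.uuid4().hex
    log.error("upstream error %s: %s", correlation_id, upstream_body)
    safe = {"error": "upstream request failed", "status": status,
            "correlation_id": correlation_id}
    return status, json.dumps(safe)

def client_sees_leak(body):
    """The tester's view: does the body the client received still carry exception detail?"""
    return JAVA_LEAK.search(body) is not None

# Constructed Core API reply, shaped like a Spring Boot default error body.
UPSTREAM_500 = json.dumps({
    "status": 500,
    "error": "Internal Server Error",
    "exception": "java.lang.NullPointerException",
    "trace": "java.lang.NullPointerException\n"
             "\tat com.example.DepartmentService.load(DepartmentService.java:58)",
})
```

A 404 with a plain `{"error": "not found"}` body passes through the good BFF unchanged, since it carries no exception detail.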


83 of 100


Evaluation - Security testing tool sandbox

Security Testing Tool Applied to Lineman Wongnai BFF System

Endpoint coverage

84 of 100

Use case


85 of 100

RESTler: Working Steps


86 of 100

Current BFF Architecture at LMWN


87 of 100

Project detail

  1. To create an automated API testing tool to check BFF systems' API security vulnerabilities.

  2. To implement visualization to easily display and view the results of API testing.

  3. To integrate the result of API testing into continuous integration as part of the software development pipeline.

  4. To educate and raise learners' awareness about attack avoidance and microservices API security.


88 of 100

Scope of the Project

The scope of this project includes

  1. The proposed API security testing tool is available as a web application.
  2. The proposed API security testing tool only supports BFF design pattern for microservices architecture style.


89 of 100

Expected Benefits

  1. Provide a new detection tool for checking the API security of BFF microservice systems.

  2. Help business organizations be aware of potentially vulnerable API security risks in their microservice systems.

  3. Strengthen the software development process to prevent sensitive data exposure and decrease API security risk.

  4. Increase awareness of the need for API security; as a result, software will be more effectively safeguarded.


90 of 100

Related works comparison


91 of 100

5xx Resource Leakage Problem


https://www.microsoft.com/en-us/research/video/stateful-rest-api-fuzzing-with-restler/

An attacker can keep creating resources that are never released, leading to denial of service (DoS).

92 of 100

RESTler Compile


https://www.microsoft.com/en-us/research/video/stateful-rest-api-fuzzing-with-restler/

93 of 100

RESTler Test


https://www.microsoft.com/en-us/research/video/stateful-rest-api-fuzzing-with-restler/

94 of 100

Magic String


https://www.microsoft.com/en-us/research/video/stateful-rest-api-fuzzing-with-restler/

95 of 100

Focus of Our Solution


Responses with HTTP 4xx, 5xx

Responses with error leakage (i.e., Java exceptions)

96 of 100

Security testing tool online questionnaire

