S&P 2025
Detecting Taint-Style Vulnerabilities in Microservice-Structured Web Applications
Fengyu Liu, Yuan Zhang, Tian Chen, Youkun Shi, Guangliang Yang, Zihan Lin, Min Yang, Junyao He, Qi Li
Abstract
Microservice architecture has become increasingly popular for building scalable and maintainable applications. A microservice-structured web application (shortened to microservice application) enhances security by providing a loosely coupled design and enforcing security isolation between different microservices. However, our study in this paper shows that microservice applications still suffer from taint-style vulnerabilities, one of the most serious classes of vulnerability. We propose a novel security analysis approach, named MScan, that can effectively detect taint-style vulnerabilities in real-world, fast-evolving microservice applications. Our approach consists of three main phases. First, MScan identifies the entry points accessible to external malicious users by applying a gateway-centric analysis. Second, MScan uses a new data structure, the service dependence graph, to bridge inter-service communication. Finally, MScan employs a distance-guided strategy for selective context-sensitive taint analysis to detect vulnerabilities. By applying MScan to 25 open-source microservice applications and 5 industrial microservice applications from a world-leading fintech company, we found that MScan can effectively vet these applications, discovering 59 high-risk 0-day vulnerabilities. We have conducted responsible vulnerability disclosure. To date, 31 CVE identifiers have been issued.