Broker Injection
   HOME

TheInfoList



Click Here for Items Related To - Broker Injection
OR:
Broker Injection on:   [Wikipedia]   [Google]   [Amazon]

Broker injection attack is a type of
vulnerability Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." The understanding of social and environmental vulnerability, as a methodological approach, involves ...
that exploits misconfigured brokers, potentially allowing an attacker to read, write and inject information from/into their flow.


Description

There are many scenarios in which a broker is used to transport the information between tasks. One of the most typical use cases is send e-mails in background. In this scenario we'll have two actors: * An information producer (a website, for example). * A worker or background process who actually sends the e-mail. The producer needs an asynchronous and non-blocking way to send the email information to the worker. This system is usually a broker. It takes the information from the web front-end and passes it to the worker, generating a new task in the worker. So, the worker has all the information to send the e-mail. Taking the above scenario as an example, if we could access the broker, we would be able to make the worker generate new tasks with arbitrary data, unleashing a broker injection.


Attacks

With this in mind, we could make the following attacks: * Listing remote tasks. * Reading a remote task's contents. * Injection of tasks into remote processes. * Removing remote outstanding tasks.


Origin

The broker injection attack is not new, but it didn't have a name. This name was coined by Daniel García (cr0hn) at the RootedCON 2016 conference in
Spain Spain, or the Kingdom of Spain, is a country in Southern Europe, Southern and Western Europe with territories in North Africa. Featuring the Punta de Tarifa, southernmost point of continental Europe, it is the largest country in Southern Eur ...
.


See also

*
Redis Redis (; Remote Dictionary Server) is an in-memory key–value database, used as a distributed cache and message broker, with optional durability. Because it holds all data in memory and because of its design, Redis offers low- latency reads ...
*
RabbitMQ RabbitMQ is an open-source message-broker software (sometimes called message-oriented middleware) that originally implemented the Advanced Message Queuing Protocol (AMQP) and has since been extended with a plug-in architecture to support Str ...
* ZeroMQ *
Message broker A message broker (also known as an integration broker or interface engine) is an intermediary computer program module that translates a message from the formal messaging protocol of the sender to the formal messaging protocol of the receiver. Mes ...
* Celery (software)


References


External links


Official Redis security tips

Enteletaor: The broker injection tool

Broker injection in RootedCON 2016 (Spanish)
{Dead link, date=October 2019 , bot=InternetArchiveBot , fix-attempted=yes Hacking (computer security) Machine code Injection exploits Computer network security