BlueHat IL 2023 - Daniel Abeles, Gal Goldshtein & Yuval Ostrovsky - The Story of a Backstage RCE

566 views

Microsoft Israel R&D Center

1 year ago

Behind the Curtains - The Story of a Backstage RCE
The recent rise in popularity of developer portals, which integrate critical assets from across the organization, makes them lucrative targets for threat actors. With more than 19,000 stars on GitHub and adopters including American Airlines, Netflix and Epic Games, Backstage, a CNCF incubating project created by Spotify, is one of the most popular open-source platforms for building developer portals.
This presentation shows how we gained unauthenticated remote code execution on a Backstage application through a chain of several vulnerabilities: a sandbox escape we discovered along the way, an improper authentication implementation, and abuse of the integrated templating engine.
By the end of the presentation you will understand the thought process that guided the research: mapping the attack surface, choosing the components of the application most likely to be exploitable, and chaining them together to reach the final goal.
