
Editor-in-Chief: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)

Editors:
Marta Sienicka (sienicka.marta@hakin9.com)
Dominika Zdrodowska (dominika.zdrodowska@eforensicsmag.com)
Marta Strzelec (marta.strzelec@eforensicsmag.com)
Bartek Adach (bartek.adach@pentestmag.com)

Proofreader: Lee McKenzie

Senior Consultant/Publisher: Paweł Marciniak

CEO: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)

Marketing Director: Joanna Kretowicz (joanna.kretowicz@eforensicsmag.com)

DTP: Marta Sienicka (sienicka.marta@hakin9.com)

Cover Design: Hiep Nguyen Duc, Joanna Kretowicz

Publisher: Hakin9 Media Sp. z o.o., ul. Bielawska 6/19, 02-676 Warszawa
Phone: 1 917 338 3631
www.hakin9.org

Team of Betatesters & Proofreaders:
Lee McKenzie, Hammad Arshed, Ali Abdollahi, Robert Fling, Paul Mellen, Bernhard Waldecker, Avi Benchimol, Amit Chugh, Kevin Goosie

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear Readers!

In this month’s edition, we decided to focus on Ransomware, so you will read about various examples of ransomware attacks that happened in the past (WannaCry, for example), and how to protect your system by detecting this threat. Let’s see what’s inside!

To better understand ransomware, we recommend reading the Ransomware Campaign article, where you will see how those deadly attacks are performed and how encryption and decryption are used by attackers. For a more practical approach, Case Study of Ransomware Detection will be perfect reading for you. In this article, the authors present how Machine Learning is used to uncover ransomware, what the best methodology for ransomware detection is, and how to secure your system against potential threats.

A different approach is offered by Android Applications: Ransomware Detection, where the focus is on mobile phones and the Android system. It’s a very detailed research paper, which shows how vulnerable your device can be. We also have a small publication dedicated to using Python for ransomware creation.

As always, we also prepared articles about other topics! We start with BARBARUS Pi Raspberry Pi: Attacking Robot, which is a great tutorial for hardware fans. In the article Advanced research and use of modules with Metasploit the authors’ main goal is to automate penetration testing tools in Python. As you can guess, their focus is on Metasploit.

While on the topic of penetration testing, you will take a closer look at Gathers, a tool that enhances information gathering. Gathers is a fairly new project; it features a user-friendly graphical interface allowing an easy approach, even for less experienced users. While reading this edition you will also explore vulnerabilities in register files and see how hardware trojans can inject faults during read or retention mode. Spring Security Framework and OAuth2 To Protect Microservice Architecture API and Packet Sniffing: Introduction close this edition.

We would like to send a big thank you to all contributors that joined this edition! Without you, this amazing issue wouldn’t be possible. Special thanks to all the reviewers and proofreaders involved in the process of creating this issue.

Summertime is slowly approaching and despite the still active threat from COVID-19, we hope that you will have a chance to relax and enjoy your free time. Stay safe and positive!

Enjoy the reading,

Hakin9 Editorial Team


BARBARUS PI RASPBERRY PI: ATTACKING ROBOT

MASSINISSA IMMOUN
Paris Descartes University – Cybersecurity Master, Faculty of Mathematics and Computer Science, Paris, France.
massinissa.immoun@etu.parisdescartes.fr

ALEXANDRE BERESKI
Paris Descartes University – Cybersecurity Master, Faculty of Mathematics and Computer Science, Paris, France.
alexandre.bereski@free.fr
BARBARUS Pi Raspberry Pi: Attacking Robot

Introduction

Cyber security is an increasingly important issue for companies. Every year, computer attacks cost companies significant sums of money.

In this article, we will take you through the different steps of perpetrating one of these attacks by putting ourselves in the position of an employee who has just been fired and wants to harm his former company.

To reach our objective, we programmed a software framework for an attacking robot that carries out payback and revenge operations through automated actions, triggered by a Python-based Raspberry Pi piggybacked on a smart car (the Reboot car shown in Figure 2).

We will finally propose a response action to stop the attacks and mitigate the risks.

Material used

Figure 1 - Raspberry Pi 3

Figure 2 - Rebot: Smart Car

Scan, vulnerabilities and exploit

As illustrated in Figure 3, our robot is built to attack the target using two different methods: first by scanning the hosts for vulnerabilities, and second by social engineering.


Figure 3 - Barbarus Pi: Main Menu

1. Host discovery

First, we scan the local network that our robot is connected to in order to identify all live hosts, using python-nmap.

Figure 4 - Host discovery
RANSOMWARE CAMPAIGN

OUALID BOUCHENAK & AHMED BENCHEIKH
Oualid Bouchenak and Ahmed Bencheikh, two computer science students at Paris Descartes University, studying cybersecurity in a master’s degree programme.

Very passionate about cybersecurity, we like to solve challenges, participate in CTFs and are always interested in learning new things.

Contact us:
oualid.bouchenak@etu.parisdescartes.fr
ahmed.bencheikh@etu.parisdescartes.fr
Ransomware Campaign

Introduction

Ransomware is malicious software that stealthily gets installed on a computer or mobile device and displays messages demanding that a fee be paid in order for the system to work again and for the encrypted files to be returned. As with every kind of malware, ransomware can be installed through deceptive links in an email message, instant message or website.

Ransomware attacks are nowadays a trend because they are very easy to create and conceal, hard for victims to detect and, of course, people and companies actually pay the ransom.

Understanding and creating ransomware

Explaining how most of them work

For the creation of our ransomware, we took as an example the well-known WannaCry, which encrypts data on an infected computer, then tells the user that their files have been locked and displays information on how much is to be paid and by when, with the payment taken through Bitcoin. That is how most ransomware works.

Encryption:

In order to quickly encrypt and decrypt files, ransomware uses two kinds of cryptography combined, symmetric and
asymmetric. This is called a “hybrid encryption scheme”.

• When the ransomware starts running, it generates a pair of keys for the client (C_pub & C_prv).

RF-TROJAN: LEAKING KERNEL DATA USING REGISTER FILE TROJAN

MOHAMMAD NASIM IMTIAZ KHAN
Mohammad Nasim Imtiaz Khan currently works at the Department of Electrical Engineering, Pennsylvania State University. Mohammad Nasim Imtiaz does research in hardware security with a focus on emerging Non-Volatile Memories.

ASMIT DE
I am currently pursuing a PhD in Computer Science and Engineering under the guidance of Dr Swaroop Ghosh in the Lab of Green and Secure Integrated Circuit Systems (LOGICS) at Penn State University. My research is focused on leveraging hardware security primitives for system security applications.

SWAROOP GHOSH
Swaroop Ghosh received the B.E. (Hons.) from IIT Roorkee, India, the M.S. degree from the University of Cincinnati, Cincinnati, and the Ph.D. degree from Purdue University, West Lafayette. He is an Assistant Professor at Penn State University. Earlier, he was with the faculty of the University of South Florida. Prior to that, he was a Senior Research and Development Engineer in Advanced Design, Intel Corp. At Intel, his research was focused on low-power and robust embedded memory design in scaled technologies. His research interests include low-power circuits, hardware security, quantum computing and digital testing for nanometer technologies.
RF-Trojan: Leaking Kernel Data Using
Register File Trojan

Register Files (RFs) are the most frequently accessed memories in a microprocessor, serving fast and efficient computation and control logic. Segment registers and control registers are especially critical for maintaining the CPU mode of execution that determines the access privileges. In this work, we explore the vulnerabilities in the RF and propose a class of hardware Trojans that can inject faults during read or retention mode. The Trojan trigger is activated if one pre-selected address of the L1 data cache is hammered a certain number of times. The trigger evades post-silicon testing since the number of hammering operations required to trigger it is very high, even under process and temperature variation. Once activated, the trigger can deliver payloads that cause Bitcell Corruption (BC) and inject read errors through the Read Port (RP) and Local Bitline (LBL). We model the Trojan in the GEM5 architectural simulator performing a privilege escalation. We propose countermeasures such as read verification leveraging the multi-port feature, securing control and segment registers by hashing, and L1 address obfuscation.

1. INTRODUCTION

A hardware Trojan [1] is a malicious modification to a circuit that causes a chip to perform undesirable operations. Ideally, such modifications to an Integrated Circuit (IC) should be detected during pre-silicon verification and post-silicon testing. To evade such structural and functional testing, an adversary designs the Trojan to activate only under certain rare conditions and to remain undetected during the test phase. For example, the analog Trojan trigger proposed in [2] charges a capacitor every time an instruction is executed. After a few cycles, the capacitor charges up and asserts a signal used to flip specific bits of control logic, which can escalate the adversary’s user privilege.

A hardware Trojan is composed of two parts: a trigger and a payload [3], [4]. A Trojan trigger similar to [5] is considered in this work (details in Section II.A). Once triggered, the Trojan delivers payloads to the Register File (RF), namely the Bitcell Corruption (BC), Read Port (RP) and Local Bitline (LBL) Trojans. The RP and LBL Trojans inject read errors. Note that we chose the trigger proposed in [5] (over [2]) since it i) is robust against process and temperature variation; ii) evades post-silicon testing and system-level detection mechanisms; and iii) incurs less area overhead.

We note that the RF stores security-critical information, and tampering with it can lead to leakage of sensitive data. For example, the code segment (CS) register contains a Current Privilege Level (CPL) field that determines whether the CPU is currently executing in user mode or kernel mode. User-mode processes are restricted from accessing data in kernel space based on the CPL set in the CS register. An adversary can take control of kernel mode by manipulating the RF entry that stores the execution mode and then run unauthorized operations.

Attack Model: We assume that the Trojan trigger and payload have been inserted either by the designer or by an untrusted fabrication house. The adversary is a user who is sponsored by the fabrication house and is aware of the trigger requirements. After the chip is deployed in the market, the adversary can launch a malicious program to activate the trigger and then deploy the desired payloads using the proposed BC/RP/LBL Trojans. Note that even if the trigger is activated, the BC/RP/LBL Trojans can remain dormant (until the payload deployment conditions are met) and the system functions normally. The Trojan payload changes the CPL field in the CS register from 3 (user mode) to 0 (kernel mode). This escalates the privilege of the adversary’s process and allows access to kernel space.
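Two of the countermeasures named in the abstract, read verification over the multiple read ports and hashing of the control and segment registers, can be illustrated with a small register-file model. The block below is an added example and not the authors’ GEM5 model: the register-file class, the per-port fault hook standing in for an RP read error, the bitcell-corruption hook standing in for a BC payload, the selector value and the HMAC key are all constructed for this illustration, the Trojan trigger is not modelled at all, and the hash key is assumed to live in logic the Trojan cannot reach.

```python
"""Toy register-file model (added example, not the article's GEM5 model) showing how
multi-port read verification and a keyed hash over the CS register catch the two
payload effects described: a read-port (RP) error and a bitcell corruption (BC).
The fault hooks below are test scaffolding only; the Trojan trigger is not modelled."""
import hashlib
import hmac

CPL_MASK = 0b11              # low two bits of the CS selector carry the privilege level
USER_MODE, KERNEL_MODE = 3, 0
USER_CS = 0x0023             # constructed user-mode selector: CPL field = 3


class RegisterFile:
    """16-bit registers with several read ports. A port fault flips the given
    bits only when that port reads the given register (RP-style read error)."""

    def __init__(self, n_regs=16, n_ports=2):
        self.regs = [0] * n_regs
        self.n_ports = n_ports
        self.port_fault = {}      # port -> (reg, xor_mask); test hook, not a real feature

    def write(self, reg, value):
        self.regs[reg] = value & 0xFFFF

    def read(self, reg, port=0):
        value = self.regs[reg]
        fault = self.port_fault.get(port)
        if fault is not None and fault[0] == reg:
            value ^= fault[1]
        return value

    def corrupt_bitcell(self, reg, xor_mask):
        """BC-style fault: the stored value itself changes, so every port agrees."""
        self.regs[reg] ^= xor_mask


class ReadMismatch(Exception):
    pass


class IntegrityFailure(Exception):
    pass


def naive_cpl(rf, reg):
    """What unprotected control logic would see: a single-port read of the CS register."""
    return rf.read(reg, port=0) & CPL_MASK


def verified_read(rf, reg):
    """Multi-port read verification: read through every port and require agreement.
    Assumes a Trojan corrupts fewer than all ports of a register."""
    values = {rf.read(reg, port) for port in range(rf.n_ports)}
    if len(values) != 1:
        raise ReadMismatch(f"reg {reg}: read ports disagree {sorted(values)}")
    return values.pop()


class ProtectedSegmentRegister:
    """CS register stored alongside an HMAC tag computed at write time.
    Assumption: the key and tag live in logic the Trojan cannot modify."""

    def __init__(self, rf, reg, key):
        self.rf, self.reg, self.key = rf, reg, key
        self.tag = b""

    def _tag(self, value):
        return hmac.new(self.key, value.to_bytes(2, "big"), hashlib.sha256).digest()

    def set(self, value):
        self.rf.write(self.reg, value)
        self.tag = self._tag(value)

    def cpl(self):
        value = verified_read(self.rf, self.reg)          # catches RP read errors
        if not hmac.compare_digest(self.tag, self._tag(value)):
            raise IntegrityFailure(f"reg {self.reg}: CS contents changed since last write")
        return value & CPL_MASK                           # catches BC stored-bit flips


def kernel_access_allowed(cs):
    """Gate a kernel-space access on the verified CPL; any check failure denies."""
    try:
        return cs.cpl() == KERNEL_MODE
    except (ReadMismatch, IntegrityFailure):
        return False


def run_scenarios():
    """Compare unprotected and protected privilege checks under both payload models."""
    rf = RegisterFile()
    cs = ProtectedSegmentRegister(rf, reg=1, key=b"constructed-example-key")
    cs.set(USER_CS)
    out = {"baseline_naive": naive_cpl(rf, 1) == KERNEL_MODE,
           "baseline_protected": kernel_access_allowed(cs)}

    rf.port_fault[0] = (1, CPL_MASK)                      # RP: port 0 reads CPL 3 as 0
    out["rp_naive"] = naive_cpl(rf, 1) == KERNEL_MODE
    out["rp_protected"] = kernel_access_allowed(cs)
    del rf.port_fault[0]

    rf.corrupt_bitcell(1, CPL_MASK)                       # BC: stored CPL becomes 0
    out["bc_naive"] = naive_cpl(rf, 1) == KERNEL_MODE
    out["bc_protected"] = kernel_access_allowed(cs)
    return out


if __name__ == "__main__":
    for name, escalated in run_scenarios().items():
        print(f"{name:20s} kernel access granted: {escalated}")
```

The two checks are complementary: a read-port error shows up as disagreement between ports, so `verified_read` catches it before the hash is even consulted, while a bitcell corruption changes what every port returns and is only caught because the stored value no longer matches the tag computed at the last legitimate write. A design that relied on multi-port verification alone would let the BC payload through.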

CASE STUDY OF RANSOMWARE DETECTION

CHIH-YUAN YANG
Security and Privacy Research, Intel Labs, Hillsboro, Oregon, USA

RAVI SAHITA
Ravi Sahita is a principal engineer in Intel Labs. He is experienced in computer security, virtualization, systems software and computer networking; design and development of systems and application software, novel CPU instruction-set extensions, hypervisors, network stacks and developing inter-operable standards; defining novel platform architecture to create innovative solutions; working with cross-group teams, developing modular, scalable software to create quality products; delivering quality software licensed to partner software companies; and workload and performance analysis to define hardware approaches for computer security at the processor, chipset and device level.
Case Study of Ransomware Detection

The damage caused by crypto-ransomware is, because of the encryption, difficult to revert and causes data loss. In this article, a machine learning (ML) classifier was built to detect ransomware that uses cryptography (crypto-ransomware) early, from program behavior. If signature-based detection misses a sample, a behavior-based detector can be the last line of defense to detect it and contain the damage. We find that the input/output activity of ransomware and the entropy of file contents are distinctive traits for detecting crypto-ransomware. A deep-learning (DL) classifier can detect ransomware with high accuracy and a low false positive rate. We conduct adversarial research against the models generated: we use simulated ransomware programs in a gray-box analysis to probe the weaknesses of the ML classifiers and improve model robustness. In addition to accuracy and resiliency, trustworthiness is the other key criterion for a quality detector. Making sure that the correct information was used for inference is important for a security application. The Integrated Gradients method was used to explain the deep learning model and also to reveal why false negatives evade detection. The approaches to building and evaluating a real-world detector are demonstrated and discussed.

I. INTRODUCTION

Ransomware is a type of malware that hijacks a user’s resources or machine and demands a ransom. It was estimated to cost businesses more than $75 billion in 2019 and continues to be a problem for enterprises [1]. Ransomware can be divided into two main categories, locker-ransomware and crypto-ransomware [10]. Locker-ransomware hijacks resources without using encryption, but crypto-ransomware does. Because of the encryption, a file encrypted by crypto-ransomware is, in most cases, difficult to revert or decrypt. Even with a proper backup, there is still a chance of losing the data changed between the last backup and the ransomware strike. Endpoint protection software based on binary signatures may not be able to block an unseen ransomware sample. Behavior-based detection [19], combined with a proper backup mechanism, has been proposed as one of the mitigation solutions.

In this article, machine learning (ML) and deep learning (DL) classifiers are proposed to detect crypto-ransomware early based on its behavior. These classifiers monitor the pattern of input/output (I/O) activities and can minimize the damage through early detection. The detector could be part of an endpoint protection application and help find new ransomware when static detection can’t catch it (Figure 1). Although a few files may be encrypted before detection, the dynamic classifier would still be valuable if most of the data can be saved for an enterprise user with lots of data on shared drives.

To collect the behavior data, the ransomware samples were executed in a Windows sandbox system and their file I/O activities were logged. The time-series data was analyzed with a DL algorithm, long short-term memory (LSTM), and an ML algorithm, an N-gram-featured linear support vector machine (SVM). We found that a naively trained classifier, even with good accuracy (~98%) and a low false positive rate (~1-3%), did not perform well in real-world deployment. Issues include: 1. the ransomware can’t be detected early; 2. the accuracy is sensitive to the size of the sliding window; and 3. false alarms from some applications.
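The two traits the article singles out, the pattern of file I/O activity and the entropy of file contents, can be turned into a simple sliding-window indicator, which also makes the reported sensitivity to window size tangible. The block below is an added example and not the article’s LSTM or SVM classifier: the event stream, the file contents, and the constants `ENTROPY_THRESHOLD`, `WINDOW`, `MIN_FILES` and `HIGH_WRITE_RATIO` are all constructed tuning assumptions for this illustration, not values from the study.

```python
"""Added example (not the article's classifier): two of the traits the study names,
file-content entropy and the pattern of file I/O, turned into a simple sliding-window
indicator for crypto-ransomware. Event stream and file contents are constructed."""
import hashlib
import math
from collections import Counter, deque
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext sits close to the 8.0 maximum
WINDOW = 12               # I/O events per sliding window (assumed tuning value)
MIN_FILES = 4             # distinct files rewritten with high-entropy data per window
HIGH_WRITE_RATIO = 0.75   # share of writes in the window that must be high-entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class IoEvent:
    pid: int
    op: str            # "read", "write" or "rename"
    path: str
    data: bytes = b""  # bytes written, for write events


def suspicious_windows(events, window=WINDOW):
    """Return the index of every event that closes a window in which most writes
    carry high-entropy content spread across at least MIN_FILES distinct files."""
    hits = []
    buf = deque(maxlen=window)
    for i, ev in enumerate(events):
        buf.append(ev)
        if len(buf) < window:
            continue
        writes = [e for e in buf if e.op == "write"]
        if not writes:
            continue
        high = [e for e in writes if shannon_entropy(e.data) > ENTROPY_THRESHOLD]
        if (len(high) / len(writes) >= HIGH_WRITE_RATIO
                and len({e.path for e in high}) >= MIN_FILES):
            hits.append(i)
    return hits


# ---- constructed sample data ---------------------------------------------------
TEXT = b"Quarterly report draft, section 3: revenue grew modestly this period. " * 10


def ciphertext_like(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file contents."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


def benign_stream():
    """An editor saving plaintext notes, plus one legitimate compressed archive."""
    events = []
    for rnd in range(2):
        for k in range(3):
            p = f"docs/note{k}.txt"
            events.append(IoEvent(410, "read", p, TEXT))
            events.append(IoEvent(410, "write", p, TEXT + b"\nedit %d" % rnd))
    events.append(IoEvent(412, "write", "backup/archive.zip", ciphertext_like(99)))
    return events


def ransomware_like_stream(n_files=6):
    """Read each document, overwrite it with ciphertext-like bytes, rename it."""
    events = []
    for k in range(n_files):
        p = f"docs/file{k}.docx"
        events.append(IoEvent(777, "read", p, TEXT))
        events.append(IoEvent(777, "write", p, ciphertext_like(k)))
        events.append(IoEvent(777, "rename", p + ".locked"))
    return events


if __name__ == "__main__":
    print("benign windows flagged:    ", suspicious_windows(benign_stream()))
    print("ransomware windows flagged:", suspicious_windows(ransomware_like_stream()))
```

A single high-entropy write (the archive in the benign stream) does not trip the rule; only a run of high-entropy rewrites spread across several files inside one window does, which is the combination of I/O pattern and entropy the article describes. The window size shows the sensitivity the authors report: with three events per encrypted file, a window shorter than 3 × `MIN_FILES` events can never contain writes to enough distinct files and would never fire.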

ADVANCED RESEARCH AND USE OF MODULES WITH METASPLOIT

FLORIAN HOFF
23-year-old cyber security student at Université de Paris, France. He completed his licence degree in 2019. His favorite language is C. He likes horse riding and Wing Chun, a Chinese martial art.
Florianhoff9@gmail.com

ADRIEN ROGLIANO
Adrien Rogliano, 22-year-old cyber security student at Université de Paris, France. He is currently preparing for the OSCP certification.
rogliano.adrien@gmail.com

CASSIOPÉE VANNIER
21-year-old mathematics student at Université de Paris, France. She is interested in the English language and in learning computer science through her friends.
Cassiopee.vannier@gmail.com
Advanced research and use of modules with
Metasploit

In this article, our aim is to automate penetration testing tools in Python. We will focus on improving one of those tools, Metasploit, in order to use autopwn, which fires all penetration testing tools at once. Those tools are called modules. They can be offensive ones, such as exploits and payloads, or supportive ones, like auxiliaries.

Metasploit lets you search for compatible modules for each remote target before deployment. Every tool has its pros and cons. One of the major inconveniences of Metasploit is its module search algorithm. Indeed, searches are not precise enough and hence we get many unwanted and incompatible modules compared to the initial search criteria. That is why we created this project: we wanted to provide a way to use autopwn in a smooth and optimal manner.

Prerequisite

I. Python 3.6 or later

1. Check your Python 3 version:

$ python3 --version

2. Update your Python 3 version:

2.1. If you run Ubuntu 16.10 or later:

$ sudo apt update
$ sudo apt install python3.6

2.2. If you have another version of Ubuntu:

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:deadsnakes/ppa
$ sudo apt-get update
$ sudo apt-get install python3.6

2.3. Other Linux versions:

$ sudo apt update
$ sudo apt install python3.6
USING PYTHON FOR RANSOMWARE CREATION, PART 1

NIMA DABBAGHI
I am Nima Dabbaghi.

In my job I mostly use Python. Along with it, I am also interested in penetration testing and I try to learn new things every day. I am currently working as a software developer and security consultant for software at Turkcell. I’m also a key member of Lian's programming and penetration testing discussion.

My other hobbies: solving Hackthebox's challenges and machines! I also enjoy playing PS4 games and fitness ;)

I am happy to share my knowledge with you on Hakin9 and provide you with useful information.
Using Python for Ransomware Creation Part 1

What is ransomware?

Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical
data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access.
Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly
paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and
inflicting significant damage and expenses for businesses and governmental organizations.

How does ransomware work?

Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The
public-private pair of keys is uniquely generated by the attacker for the victim, with the private key to decrypt the files
stored on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid,
though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly
impossible to decrypt the files that are being held for ransom.

Many variations of ransomware exist. Ransomware (and other malware) is often distributed using email spam campaigns
or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is
established, malware stays on the system until its task is accomplished.

After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then
searches and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware
may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations.

Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or
they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced
with paying the ransom to recover personal files.

Python Libraries to Create a Ransomware

Let’s find out which libraries can help us build ransomware in Python.

Moshe Zadka says: “The first rule of cryptography club is: never invent a cryptography system yourself. The second rule of cryptography club is: never implement a cryptography system yourself: many real-world holes are found in the implementation phase of a cryptosystem as well as in the design.”

There are many libraries for cryptography such as:

• PyCryptodome

• PyNaCl

AUTOMATED PENTESTING TOOL

TASSADIT AIT RAMDANE
Cybersecurity master's program student at Paris Descartes University. Interested in penetration testing and risk analysis.

KRYSTIAN LUCZYSZYN
Cybersecurity master's program student at Paris Descartes University. Keen on penetration testing and network analysis. HackTheBox is my daily challenge!
Automated Pentesting Tool

This article discusses a new Python tool that we have implemented to perform information gathering more efficiently.

Whatever type of hack you plan, the first step is always to collect information, the quality of which will be decisive in achieving your goal. In practice, it involves gathering publicly available information about the target, network scanning and vulnerability assessment. Now, how about a tool designed to automate these pentesting steps? Gathers is a new Python tool that can be used by a cybersecurity beginner or an expert to perform reconnaissance and scanning of IT systems.

A new Python tool:

Like many other pentesting tools, we chose Python for this project. Python is a hugely useful programming language for cybersecurity. It can perform a multitude of functions such as malware analysis, scanning and penetration testing. It is used not only by pentesters but also by attackers, down to script kiddies. This tool uses well-known and powerful Python libraries for Nmap, Shodan, and Nessus. However, using those libraries directly requires highly specialized skills in cybersecurity and programming.

Figure 1 Gathers interface

Gathers is a new project aiming to simplify the use of these Python libraries. It features a user-friendly graphical interface allowing an easy approach, even for less experienced users. Indeed, this tool can perform Whois lookups, search engine queries, network scanning and much more in only a few clicks. Gathers also guides the user step-by-step through the first two stages of pentesting: Reconnaissance and Scanning.

Pentesting begins with information gathering. The goal of this phase is to gain as much information as possible about the target. This could be employees’ emails, Internet Protocol addresses, or details about the target’s organization, systems and processes. Needless to say, during this stage pentesters proceed to network mapping and target identification.

Reconnaissance can be divided into two main phases: footprinting and fingerprinting.

In the passive information gathering (footprinting) process, we collect information about the targets using publicly published resources. This can be done with Google Dorks, Whois information or email harvesting. We can then use these emails to initiate, for example, a social engineering attack.

In active information gathering (fingerprinting), we gather more information by actively interacting with the target. Since fingerprinting makes a direct connection to the target, doing this without authorization can be illegal. It involves
ANDROID APPLICATIONS: RANSOMWARE DETECTION

DR. IMAN ALMOMANI
Associate Professor, Lab Leader of the Security Engineering Lab

SAMAH ALSOGHYER
Samah Alsoghyer currently works at the C4C, King Abdulaziz City for Science and Technology. Samah does research in Computer Security and Reliability.
Android Applications: Ransomware Detection

Android ransomware is one of the most threatening attacks nowadays. Ransomware in general encrypts or locks the files on the victim’s device and requests a payment in order to recover them. The available technologies are not enough, as new ransomware employs a combination of techniques to evade antivirus detection. Moreover, the literature counts only a few studies that have proposed static and/or dynamic approaches to detect Android ransomware in particular. Additionally, there are plenty of open-source malware datasets; however, the research community is still lacking ransomware datasets. In this paper, the state of the art in Android ransomware detection approaches was investigated. A deep comparative analysis was conducted which shed light on the key differences among the existing solutions. An application programming interface (API)-based ransomware detection system (API-RDS) was proposed to provide a static analysis paradigm for detecting Android ransomware apps. API-RDS focuses on examining API package calls as leading indicators of ransomware activity, to discriminate ransomware with high accuracy before it harms the user’s device. The API package calls of both benign and ransomware apps were thoroughly analyzed and compared. Significant API packages with corresponding methods were identified. The experimental results show that API-RDS outperformed other recent related approaches. API-RDS achieved 97% accuracy while reducing the complexity of the classification model by 26% due to feature reduction. Moreover, this research designed a proactive mechanism based on a high-quality, unique ransomware dataset without duplicated samples. Almost 3,000 ransomware samples were collected, tested and reduced by almost 83% due to sample duplication. This research also contributes to constructing an up-to-date, unique dataset that covers the majority of existing Android ransomware families and recent clean apps that could be used as a labeled reference for the research community.
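To make the feature-selection step in the abstract concrete, here is an added example (not the paper’s API-RDS implementation) that compares how often each API package is called by ransomware and by benign apps, keeps only the packages with a large usage gap, and classifies on that reduced set with a nearest-centroid rule. The app-to-package associations, the `min_gap` threshold and the centroid classifier are all constructed for this illustration: the package names are real Android API packages, but their assignment to samples is invented, and the accuracy and reduction figures it reports describe this toy data, not the paper’s 97% and 26%.

```python
"""Added example, not the paper's API-RDS implementation: pick the API packages whose
call frequency separates ransomware from benign apps, drop the rest, and classify on
the reduced feature set. All app/package associations are constructed sample data."""
import math
from collections import Counter

# Constructed labelled training data: app id -> set of API packages the app calls.
RANSOMWARE_APPS = {
    "ransom_1": {"android.os", "java.io", "android.content", "android.widget",
                 "android.app.admin", "javax.crypto", "android.telephony"},
    "ransom_2": {"android.os", "java.io", "android.content", "android.view",
                 "android.app.admin", "javax.crypto"},
    "ransom_3": {"android.os", "android.content", "android.widget", "java.util",
                 "javax.crypto", "android.telephony"},
    "ransom_4": {"android.os", "java.io", "android.app.admin", "javax.crypto",
                 "android.telephony", "android.media"},
    "ransom_5": {"android.os", "android.content", "android.view", "java.util",
                 "android.app.admin", "javax.crypto"},
}
BENIGN_APPS = {
    "benign_1": {"android.os", "java.io", "android.content", "android.widget",
                 "android.location", "android.media", "android.graphics"},
    "benign_2": {"android.os", "android.content", "android.view", "java.util",
                 "android.media", "android.graphics"},
    "benign_3": {"android.os", "java.io", "android.widget", "android.location",
                 "android.graphics"},
    "benign_4": {"android.os", "android.content", "android.view", "java.util",
                 "android.media", "javax.crypto"},
    "benign_5": {"android.os", "java.io", "android.content", "android.widget",
                 "android.location", "android.media"},
}


def package_usage(apps):
    """Fraction of apps in `apps` that call each package."""
    counts = Counter(pkg for calls in apps.values() for pkg in calls)
    return {pkg: c / len(apps) for pkg, c in counts.items()}


def select_features(ransom, benign, min_gap=0.5):
    """Keep packages whose usage fraction differs by at least `min_gap` between the
    classes; most discriminative first, ties broken by name."""
    ur, ub = package_usage(ransom), package_usage(benign)
    gaps = {pkg: round(ur.get(pkg, 0.0) - ub.get(pkg, 0.0), 6) for pkg in set(ur) | set(ub)}
    kept = [pkg for pkg, gap in gaps.items() if abs(gap) >= min_gap]
    return sorted(kept, key=lambda p: (-abs(gaps[p]), p))


def vectorize(calls, features):
    """Binary feature vector: 1.0 where the app calls the selected package."""
    return [1.0 if f in calls else 0.0 for f in features]


def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


class CentroidClassifier:
    """Nearest-centroid rule over the reduced feature set (constructed for this example)."""

    def __init__(self, ransom, benign, min_gap=0.5):
        self.features = select_features(ransom, benign, min_gap)
        self.c_ransom = centroid([vectorize(c, self.features) for c in ransom.values()])
        self.c_benign = centroid([vectorize(c, self.features) for c in benign.values()])

    def predict(self, calls):
        v = vectorize(calls, self.features)
        closer_to_ransom = math.dist(v, self.c_ransom) < math.dist(v, self.c_benign)
        return "ransomware" if closer_to_ransom else "benign"


def evaluate(min_gap=0.5):
    """Train on the constructed data; report the reduced feature list, training
    accuracy and the share of packages dropped by the selection step."""
    clf = CentroidClassifier(RANSOMWARE_APPS, BENIGN_APPS, min_gap)
    labelled = [(calls, "ransomware") for calls in RANSOMWARE_APPS.values()]
    labelled += [(calls, "benign") for calls in BENIGN_APPS.values()]
    correct = sum(clf.predict(calls) == label for calls, label in labelled)
    all_packages = set().union(*RANSOMWARE_APPS.values(), *BENIGN_APPS.values())
    return {
        "features": clf.features,
        "accuracy": correct / len(labelled),
        "feature_reduction": 1 - len(clf.features) / len(all_packages),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Packages that nearly every app calls (android.os, android.content, java.io) carry no signal and are dropped, which is where the model-complexity reduction comes from; the packages that survive are the ones tied to behaviour the abstract describes, such as device-administration and cryptography APIs on the ransomware side. With real data the selection threshold and the classifier would be tuned on a held-out set rather than read off the training apps as done here.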

1. Introduction

Computers and electronic devices are vulnerable to viruses and all kinds of attacks. In the early days of computers, users used to suffer from different malicious attacks like viruses, spyware, trojan horses, worms, etc. But the first documented ransomware, in 1989, was a new variant of trojan called the AIDS (Aids Info Disk) Trojan. That trojan hid the directories and encrypted the names of the files. Then, it displayed a notification to “renew the license” of a fake software product and required a payment to unlock it [1]. It is important to note, however, that even if the victim pays the requested ransom, it is not guaranteed that the captive data will be reachable again.

A pronounced trend in recent years has been a shift towards ransomware [2,3]. In 2016, due to a vulnerability in the Windows operating system, the ransomware WannaCry affected more than 150 countries and an estimated 300,000 people worldwide over a weekend [4,5]. The estimated potential cost of this attack was $4 billion [6]. Furthermore, Verizon’s 2017 Data Breach Investigations Report [7] announced that 72% of all healthcare malware attacks in 2017 were ransomware.

It is known that ransomware mostly targets Windows computers but, as stated in the SophosLabs 2018 Malware Forecast [8], this year witnessed a number of crypto-attacks on different devices and operating systems including Android. According to the same report, Android ransomware is expected to continue to increase and dominate as the primary type of malware on the Android platform in the coming year. Also, Android ransomware is especially severe because private information and photos are kept on Android mobiles. Android noticeably continues to increase its sizable lead over iOS and other operating systems in the world [9,10], as it occupied 76.61% of the market share in 2018 [11]. The share of the Android platform
APPLYING SPRING SECURITY FRAMEWORK AND OAUTH2 TO PROTECT MICROSERVICE ARCHITECTURE API

QUY NGUYEN
Southern Institute of Technology · Department of Information Technology

ORAS F. BAKER
Oras Baker received his PhD in artificial intelligence from the University of Malaya in 2009. He is currently the head of the School of Computing and the programme manager for postgraduate studies and the master of IT at the Southern Institute of Technology, Invercargill, New Zealand. His research interests include artificial intelligence, web intelligence, virtual and augmented reality techniques, data mining, IoT, and energy efficiency.
Applying Spring Security Framework and OAuth2 To
Protect Microservice Architecture API

Since 2014, Microservice Architecture (MSA) has been widely applied and deployed by big companies such as Google,
Netflix and Twitter. This is a way of architecting software systems in which the services of a single application are
decomposed then deployed and executed separately. This research examines the possibility of applying Spring Security
Framework and OAuth2 to secure microservice APIs that are built on top of Spring Framework. By developing a Proof of
Concept (POC) of an Inventory Management System using MSA on top of Spring Framework, Spring Security Framework
and OAuth2, we have conducted security tests over the POC using unit testing and manual testing techniques to examine if
there are any vulnerabilities and we were able to show and confirm the effectiveness of the Spring Security Framework and
OAuth2 in securing Spring-based APIs.

1. Introduction

The traditional monolithic approach of software architecture requires the entire application stack to be bundled together
for each deployment. This concept creates many drawbacks for the application, especially the inflexible scalability, the high
cost of resources and refactoring effort, and difficulties of the DevOps between distributed teams [1]. Microservice
Architecture (MSA) is supposed to address these problems by decomposing the application into separated services; each
service takes responsibility for a single business capability and is deployed and executed independently.

Applications communicate with each other via the network communication protocols and the Internet, so that this
architectural style heavily depends on the Application Programming Interfaces (API). Given that, APIs in a microservice
application are required to be appropriately secured to protect the application and its resources against the threats that deal
with API invocations.

The aim of this research is to reduce the knowledge gap on MSA and API security by developing a Proof of Concept (POC) of an MSA application using Spring Framework, Spring Security, and OAuth2, and then performing security testing using Unit Testing and Manual Testing techniques over the POC.

2. Background and Literature Review

Since the very first assessments by enterprises of the effectiveness and impact of MSA by 2012 [2], interest in MSA has significantly increased over recent years, according to Google Trends statistics [3]. MSA is being implemented by big companies to scale their applications in the cloud efficiently, to reduce complexity, to quickly expand development teams and to achieve agility [4]-[6]. Netflix, Amazon, and SoundCloud are just some of the big firms that have adopted MSA for their enterprise and web applications and deliver their services all over the world [7], [8].

Regardless of the vital role of API security in MSA, the literature review shows that studies focusing on MSA at the API endpoint level are few. There is a study conducted by Salibindla (2018) on microservice API security; however, that study focused on security for the communication protocols and did not provide an implementation guide for any specific language. Xie, Han et al. (2017) [10] also performed a study on the design and implementation of Spring Security. Nevertheless, these studies were conducted separately, and there exists no study that confirms the effectiveness of Spring Framework (SF), Spring Security Framework (SSF), and OAuth 2.0 (OAuth2) when these technologies are applied to
PACKET SNIFFING: INTRODUCTION

ISMAIL AHMED
Ismail is a telecommunication engineer who recently graduated from HUST University in Wuhan and has been involved in pen-testing for web applications, with a strong background in scripting and networking. Feel free to send any questions via my email (esmail19980@gmail.com).
Packet Sniffing: Introduction

INTRODUCTION

These days, most people are paranoid about the words “CYBERATTACK” and “HACKING”, but not me. It’s one of my biggest dreams to become a Cybersecurity specialist (or Cybersecurity PRO) one day, because I have found no privacy at all on the internet in our daily life. After I did so many legal and illegal tests on networks, I discovered so many failures, for instance misconfigurations, security breaches, human errors and much more. Thus, I have decided to solve one of the most common attacks, called (PACKET SNIFFING) or (MITM) aka the “Man In The Middle” attack.

WHAT IS PACKET SNIFFING?

Sniffing in general terms refers to investigating something covertly in order to find confidential information. From an information security perspective, sniffing refers to tapping the traffic or routing the traffic to a target (shown in Fig. 1) where it can be captured, analyzed, and monitored. Sniffing is usually performed to analyze network usage, troubleshoot network issues, and monitor sessions for development and testing purposes.

WHO IS USING IT?

● System Administrators (legal)

○ To monitor the flow of network traffic
○ Troubleshoot communication problems
○ Understand system problems and performance
○ Intrusion detection
○ Debug network protocol implementations
○ Detect erroneous packet flow through the network
○ Gather and report network usage and statistics
