Boosting Application Security Using OpenTelemetry

Every day, we hear about new vulnerabilities or exploits that underline the importance of application security in today’s connected world. Such incidents put sensitive user information at risk and threaten applications’ infrastructure. Securing applications is therefore crucial not only from a technical standpoint but also to maintain user trust and ensure service reliability. The challenge lies in identifying and mitigating potential security threats before they can be exploited. Unfortunately, this often involves the cumbersome task of sifting through logs and gathering insights from vast amounts of data. Taking a reactive approach can cause significant delays in threat detection, leaving vulnerabilities open to exploitation, if they are discovered at all! 

OpenTelemetry is a solution that can help address the challenge of application security. It provides a unified framework for collecting detailed telemetry data, including traces, metrics, and logs. This approach enables a proactive approach to security monitoring, as it provides a comprehensive view of application behavior, making it easier to spot anomalies that could indicate security issues. With OpenTelemetry, the process of manually searching for potential security issues is replaced by an integrated and automated process, which enhances the ability to identify and rectify vulnerabilities quickly. This approach not only bolsters application security but also contributes to a safer and more secure digital environment for users.

With that in mind lets put it to the test and see if we cant start to spot some intentional vulnerabilities in the wild. 

Spinning up an insecure demo app

For this demonstration, we will be using the OWASP Juice Shop demo app which is designed to showcase the common security issues encountered in applications. This is different from our usual demo setup process and will help us save some time while demonstrating the necessary concepts for training purposes. 

For this we are going to need a few things set up first: 

• Docker 
• NodeJS
• Clone the Juice Shop App to a dev environment
• If you haven’t already sign-up for a lumigo account, you will also need to retrieve your access token. 

It is important to note that this is a purposely created vulnerable application, and should not be deployed in any public or production environment as it is likely to be attacked. 

This first part of this is going to be the easiest as finding vulnerabilities, even intentionally scripted ones, can be problematic because they are usually the result of many factors to instigate a successful attack vector. Spotting them, once you know what you are looking for, is a whole other story which is what we are going to look at in this post. 

To begin, we are going to deploy OpenTelemetry to the app using the lumigo no-code approach from the Lumigo JS distro.

In a terminal, navigate to the directory where you cloned the code and add the lumigo NodeJS distro using npm -i @lumigo/opentelemetry. Alternatively, you can open the package.json and add "@lumigo/opentelemetry": "^1.37.0", anywhere within the dependencies. 

Now we just need to add a few environmental variables, open the Dockerfile, near the bottom of the file just before EXPOSE 3000 add these:

ENV OTEL_SERVICE_NAME=juice-shop

ENV NODE_OPTIONS="-r @lumigo/opentelemetry"

This will invoke the lumigo node distribution within the container and also give the application a OpenTelemetry service name on Lumigo. 

With that all done, we only need to build and then run the app, and set the Lumigo token so that the trace data arrives at your lumigo instance. 

docker build -t your-custom-juice-shop .
docker run –rm -p 3000:3000 -e LUMIGO_TRACER_TOKEN={lumigo_token} your-custom-juice-shop

Once its finished building and is up and running, open a browser to http://localhost:3000 and you should now see the OWASP Juice Shop app.

Open your lumigo dashboard and navigate to the Live Tail tab, click around the demo app and you should start to see invocations appear. 

With all that in place it is time to play with a few vulnerabilities, before we do set up a new account by visiting the account icon on the top right of the Juice App. 

Get a free Delux Membership

This one can be a little fiddly, but it does work although I was unable to find the edit and resend option within Chrome’s networking dev tools tab. 

Navigate to the upgrade page at http://localhost:3000/#/payment/deluxe and have a look at the various payment options presented for account enhancement. Upon inspecting element on the “pay using wallet” option, and you’ll find the pay button is disabled by default, indicated by a disabled="true" attribute within the view source element. Manually remove this attribute by editing the HTML, which will then make the button active. Click the button a few times to trigger a POST request observable within the Network tab of the developer tools and inspect the body. 

This request interestingly carries a single parameter in its payload, labeled “paymentMode” and set to “wallet”, which when processed, results in an error due to insufficient funds. The twist comes with the ability to “edit and resend” this request, a feature readily available by right-clicking on the request entry. Completely remove the body payload from the request, making it an empty string, and then resend the request which will bypass the system’s checks, leaving the application unable to determine the source of funds for the deduction, effectively allowing the upgrade without drawing from the wallet.

Resending the modified body payload will then show on lumigo as succeeded after the initial failure, because of the nulled body payload this will be easily noticed as you’ll see an empty POST request being sent with a “success” response after a 400 invocation.  

Place an Order that makes you Rich

This next one is even more interesting because it allows a user to be able to add a negative product quantity and receive credit back on a checkout which ultimately means … free fake app money! 

Start by heading to the main home page of the app, while signed in, and adding a product to your cart. View your cart and do a right click and inspect element, then head to the network tab and change the qty of any product in the cart. Youll notice some PUT requests arrive into the network tab, like before right click and select edit and resend. Edit the payload body to change the QTY to a negative number and then click send. 

This will also show up as an invocation within your lumigo instance, displaying the weird qty amount as part of a body payload on the /api/basketitems/:id route. 

Continue through the checkout process until you reach the final payment step, this should show as having a negative amount based on the QTY and cost of the product added. 

See What Demo Vuln Fun You Can Have

Here are the answers to the many OWASP Juice Shop attack vector riddles, which can be tested to see what trace data looks like when traced with Lumigo. OpenTelemetry helps change the approach to understanding complex systems, which Lumigo then further amplifies with its ability to see the full body payloads, enabling a clearer understanding of an application’s inner workings. 

Sign up for lumigo now and get access to see the full picture of your deployments.