Open raesene opened 1 year ago
Thanks for reporting! Is this really a problem, though? If I were an attacker, I'd likely go with a high timeout. If the returned token has a lower expiration, well I'll deal with it.
With that in mind, don't you think the current behavior represents what an attacker would do?
So I think the problem I was thinking of is that, at the moment we output Successfully created a long-lived token valid for 1 year:
after the run, even if the token generated is only valid for 48 hours.
We could just change the message to "successfully created a token" which would cover that case ok :)
Alternatively we could look at the validity of the returned token and print this
What is not working? The k8s.persistence.create-token attack will work on GKE and EKS but although it requests a token with a one year lifespan those providers are silently limiting the token to 48 and 24 hours respectively.
As an example after running the attack on a GKE 1.22 cluster, the following issued and expiry times are present on the token returned
which is a 48 hour expiry. Probably the best way to fix this is to decode the token returned and confirm that the token duration requested matched the issued token.
What OS are you using? Mac OS X
What is your Stratus Red Team version? 2.3.0