Hacktrick for Application Security
March 27, 2026

Salute,

Today I want to share with you a very voluminous resource that will serve you well for upgrading and deepening your understanding of the fundamentals of security: from sockets and TLS to namespaces, cgroups, kernel security profiles, and more. It is material with descriptions and details of how things get broken and how to counter that, using real escalation techniques rather than just best practices from manuals.

What is important for you to take right away?

• The Pentesting Methodology section describes the entire test cycle: from asset collection and scanning to exploitation and post-exploitation, with specific commands and tools

• For Windows and Linux there are local privilege escalation checklists: what to look for in services, permissions, the registry, drivers and the file system to quickly find an escalation point

• A separate section on Docker Security: how to configure the engine properly, which flags and security options to use, how to handle the socket, capabilities, seccomp/AppArmor

• There are practical pages on Docker breakout / privilege escalation: scenarios where you have access to a container or docker.sock and, step by step, turn it into root on the host through mounts, privileged containers, etc.

• For AWS / GCP / Azure there are separate guides on enumerating resources, finding misconfigurations and vulnerable policies, and typical attack scenarios in the cloud

• Training in the AWS Red Team Expert / GCP Red Team Expert format

• A large part is devoted to the specifics of individual technologies: AD, SQL, web frameworks, cryptographic primitives

That is, HackTricks gives not a theoretical but an operational picture of attacker thinking: “which commands do I run, what exactly do I check, what do I do next if I found X.”

From this it is convenient to assemble your own checklists for reviewing infrastructure: Docker, Windows, clouds, etc. You literally adapt it to suit yourself.

Look, here is an example of such a checklist, based on the Docker Security section (with my notes):

**Purpose:** quickly check if your Docker host is an easy target

***

## Docker Engine and daemon

- Do not expose `docker.sock`; if remote access to the daemon is needed, use only HTTPS with client certificates

- Do not bind the daemon to `-H tcp://0.0.0.0:2375` without TLS

- Enable rootless mode and update Docker/host to the latest patches

***

## Images and registry

- Use only official or your own base images, do not inherit from random `user/some-ubuntu-with-magic`

- If possible, use **COPY instead of ADD** in Dockerfile to avoid pulling external URLs and unpacking archives

- Set up regular image rebuilding to pull security patches

- Enable image scanning (docker scan / Trivy / Grype), both in CI and on a schedule against the registry

***

## Secrets and configs

- Do not put tokens/keys in the image or ENV; use orchestrator secrets (docker secrets / k8s secrets / vault)

- Check saved images/layers for secrets (git history, tar layers inside the image)

***

## Runtime restrictions

- Limit container resources (CPU, RAM, IO) via cgroups

- Configure seccomp / AppArmor / SELinux profiles, narrowing the available syscalls and operations to a minimum

***

## Capabilities

- Don't use `--privileged` in production: it gives the container almost full kernel rights and greatly simplifies escape

- Basic approach: `--cap-drop=ALL` and then selectively `--cap-add` only those capabilities without which the service does not work (for example, `NET_BIND_SERVICE` for ports 80/443)

> Capabilities allow you to give the container only the necessary kernel capabilities instead of “full root”; the fewer there are, the more difficult it is for an attacker to escape from the container
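To turn the Capabilities, Runtime restrictions and docker.sock items above into a repeatable check, here is an added audit script (my own example, not code from HackTricks) that reads `docker inspect` JSON from stdin and reports which containers violate them. It relies only on standard `docker inspect` fields (`HostConfig.Privileged`, `CapDrop`, `CapAdd`, `SecurityOpt`, `Binds`, `Memory`, `NanoCpus`, `CpuQuota`, `Mounts`); the `--security-opt no-new-privileges` check is an extra item I consider part of the same least-privilege baseline.

```python
"""Audit running containers against the Docker checklist (added example).

Usage:  docker inspect $(docker ps -q) | python3 audit_containers.py
"""
import json
import sys

DOCKER_SOCK = "/var/run/docker.sock"
BROAD_CAPS = ("ALL", "SYS_ADMIN")  # capabilities that make escape trivial


def audit_container(c):
    """Return checklist findings ('name: finding') for one inspect entry."""
    hc = c.get("HostConfig") or {}
    name = (c.get("Name") or "?").lstrip("/")
    findings = []

    if hc.get("Privileged"):
        findings.append("runs with --privileged")

    # Least privilege: expect --cap-drop=ALL plus a short --cap-add allow-list.
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("does not drop all capabilities (--cap-drop=ALL)")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in BROAD_CAPS:
            findings.append(f"adds broad capability {cap}")

    # Kernel profiles: 'seccomp=unconfined' / 'apparmor=unconfined' turn them off.
    secopts = hc.get("SecurityOpt") or []
    for opt in secopts:
        if opt.endswith("=unconfined"):
            findings.append(f"disables profile: {opt}")
    keys = [o.split(":")[0].split("=")[0] for o in secopts]
    if "no-new-privileges" not in keys:
        findings.append("missing --security-opt no-new-privileges")

    # docker.sock inside the container is equivalent to root on the host.
    sources = [m.get("Source", "") for m in c.get("Mounts") or []]
    sources += [b.split(":")[0] for b in hc.get("Binds") or []]
    if DOCKER_SOCK in sources:
        findings.append("mounts docker.sock")

    # cgroup limits: docker inspect reports 0 when no limit is set.
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no CPU limit")

    return [f"{name}: {f}" for f in findings]


if __name__ == "__main__":
    for entry in json.load(sys.stdin):
        for line in audit_container(entry):
            print(line)
```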

#appsec #devsecops #course #specialty #containersecurity #mast #dast