🛠️ Hacklet: Hardcoded Secrets in the Container
📋 Overview:
This hacklet showcases a critical security vulnerability in containerized applications where secrets, such as API keys, database credentials, or encryption keys, are hardcoded into the Dockerfile. Attackers can exploit this by inspecting the Docker image layers to extract sensitive information.
💥 Impact:
- Attackers can extract secrets (e.g., database passwords) by inspecting Docker image layers.
- Unauthorized access to services such as databases, APIs, or cloud services.
🔴 Vulnerability Description:
In Docker images, hardcoded secrets in the Dockerfile are stored in the image layers. These layers can be inspected by anyone with access to the image using the `docker history` command.
This vulnerability can result in unauthorized access to sensitive services.
⚔️ Exploit Example:
1️⃣ Insecure Dockerfile with Hardcoded Secret:
Here’s an insecure Dockerfile that hardcodes a database password using the `ENV` directive.
Dockerfile:
```dockerfile
FROM python:3.9-slim
WORKDIR /app
# Copy application files
COPY . .
# ⚠ Hardcoded secret
ENV DB_PASSWORD="supersecretpassword"
# Install dependencies
RUN pip install -r requirements.txt
EXPOSE 5000
CMD ["python", "run.py"]
```
2️⃣ Exploit the Vulnerability:
🔧 Steps to Exploit:
- Build the Docker image:
  ```bash
  docker-compose build
  ```
- Run the `docker history` command to inspect the image layers:
  ```bash
  docker history messaging-app-web
  ```
✅ Expected Output:
When you run `docker history`, you’ll see the hardcoded secret exposed in one of the layers:
```
IMAGE        CREATED          CREATED BY                                          SIZE   COMMENT
<image-id>   X minutes ago    /bin/sh -c ENV DB_PASSWORD="supersecretpassword"    0B
...
```
This proves that the `DB_PASSWORD` is exposed in the image and can be easily extracted.
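A defender-side check for this issue, added here as an example and not part of the original hacklet: it parses the JSON form of `docker history` output (`--format '{{json .}}'`, one object per layer) and flags layers whose instruction assigns an `ENV` or `ARG` whose name looks like a credential, keeping only a redacted value in the finding. `SAMPLE_HISTORY` is a constructed stand-in for the messaging-app-web image; `scan_image` runs the real command against a built image and needs a Docker daemon.

```python
import json
import re
import subprocess
from typing import Iterable

# Variable names that usually carry credentials (constructed list; extend it
# to match your own naming conventions).
SECRET_ASSIGNMENT = re.compile(
    r"\b(?:ENV|ARG)\s+([A-Z0-9_]*(?:PASS(?:WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)"
    r"[A-Z0-9_]*)=(\S+)",
    re.IGNORECASE,
)

def redact(value: str) -> str:
    """Keep a 3-char prefix so the finding is recognisable without re-leaking it."""
    value = value.strip("\"'")
    return value[:3] + "*" * max(len(value) - 3, 0)

def find_hardcoded_secrets(history_lines: Iterable[str]) -> list[dict]:
    """Scan `docker history --no-trunc --format '{{json .}}'` output (one JSON
    object per line) for layers that assign a secret-looking ENV/ARG value."""
    findings = []
    for line in history_lines:
        if not line.strip():
            continue
        layer = json.loads(line)
        for m in SECRET_ASSIGNMENT.finditer(layer.get("CreatedBy", "")):
            findings.append({"layer": layer.get("ID"), "name": m.group(1),
                             "value": redact(m.group(2))})
    return findings

def scan_image(image: str) -> list[dict]:
    """Read the history of a built image and scan it (requires a Docker daemon)."""
    out = subprocess.run(
        ["docker", "history", "--no-trunc", "--format", "{{json .}}", image],
        check=True, capture_output=True, text=True).stdout
    return find_hardcoded_secrets(out.splitlines())

# Constructed sample of what the insecure Dockerfile above produces; the
# escaped quotes are how docker history serialises them as JSON.
SAMPLE_HISTORY = [
    '{"ID":"sha256:aaaa","CreatedBy":"CMD [\\"python\\" \\"run.py\\"]","Size":"0B"}',
    '{"ID":"sha256:bbbb","CreatedBy":"RUN /bin/sh -c pip install -r requirements.txt","Size":"35MB"}',
    '{"ID":"sha256:cccc","CreatedBy":"/bin/sh -c #(nop)  ENV DB_PASSWORD=\\"supersecretpassword\\"","Size":"0B"}',
    '{"ID":"sha256:dddd","CreatedBy":"ENV PYTHON_VERSION=3.9.18","Size":"0B"}',
]
```

Running `scan_image("messaging-app-web")` after the build above reports the `DB_PASSWORD` layer; the `PYTHON_VERSION` entry shows that ordinary `ENV` lines are not flagged.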
🔐 Solution: How to Fix the Vulnerability
Here’s how to secure your Dockerfile and prevent this issue.
✅ 1. Remove Hardcoded Secrets:
Instead of hardcoding secrets, remove any sensitive values from the Dockerfile.
Updated Secure Dockerfile:
```dockerfile
FROM python:3.9-slim
WORKDIR /app
# Copy application files
COPY . .
# Install dependencies
RUN pip install -r requirements.txt
EXPOSE 5000
CMD ["python", "run.py"]
```
✅ 2. Pass Secrets as Environment Variables at Runtime:
You can securely pass secrets as environment variables at runtime when running the container.
Example:
```bash
docker run -e DB_PASSWORD="supersecretpassword" messaging-app-web
```
This way, the secret is never stored in the image layers and is only available at runtime. Note that a runtime environment variable is still readable by anyone who can run `docker inspect` on the container, so the value should be supplied from a secrets store or an env file kept out of source control.
✅ 3. Use Docker Secrets (Advanced Option):
For more secure secret management, use Docker secrets (in Swarm mode) or Kubernetes Secrets, which deliver the value to the running container instead of baking it into the image.
🔎 Why This Hacklet Works:
| Reason | Description |
|---|---|
| Docker Layers Are Not Encrypted | Secrets in the Dockerfile are stored in plain text in the image layers. |
| `docker history` Command | This command reveals all layers, including any ENV variables set in the Dockerfile. |
💡 Mitigation Summary:
| Mitigation Step | Description |
|---|---|
| ✅ Remove Hardcoded Secrets | Ensure sensitive values are not hardcoded in the Dockerfile. |
| ✅ Pass Secrets at Runtime | Use `-e` flags to pass secrets at runtime when running the container. |
| ✅ Use Docker Secrets | Use a secure secret management solution like Docker secrets or Kubernetes Secrets. |
📘 Example Commands for the Demo:
Here’s a quick demo script you can use to showcase the hacklet during your presentation:
```bash
# Step 1: Build the Docker image
docker-compose build
# Step 3: Inspect the Docker image layers
docker history messaging-app-web
```