Black Hat USA 2025 | Detecting Taint-Style Vulnerabilities in Microservice-Structured Web Apps

Black Hat | Mar 8, 2026

Why It Matters

Taint-style vulnerabilities in microservice applications can cross service boundaries and reach a sensitive sink (code injection, arbitrary file write) without any single service looking wrong in isolation. MTD shows that gateway-aware, cross-service static analysis finds these flaws at a scale and precision that existing tools do not reach.

Key Takeaways

  • The gateway's routing rules decide which controller endpoints are really public; a tool that treats every controller as an entry point gets the attack surface wrong.
  • Taint-style flaws can span several services, so per-service analysis misses them.
  • MTD's gateway-centric analysis resolves routing configuration to the APIs that are reachable from outside.
  • A service dependence graph bridges inter-service calls, and a distance-guided strategy applies context-sensitive taint analysis only near sinks, which keeps the analysis scalable.
  • Across 30 applications MTD found 59 zero-day vulnerabilities (31 CVEs, including CVE-2024-22263 at CVSS 9.8), far more than CodeQL found in the presenters' comparison.

Summary

The Black Hat USA 2025 talk introduced MTD, a framework for detecting taint-style vulnerabilities in microservice-structured web applications. The presenters showed how splitting a monolith into independent services behind a gateway creates a new kind of attack surface: malicious input can traverse several services before it reaches a sensitive operation, and no single service sees the whole flow.

Three challenges were identified: determining which APIs are actually exposed once the gateway's routing rules are applied; tracking data across heterogeneous inter-service mechanisms such as REST, gRPC and Kafka, which ordinary call-graph construction does not connect; and coping with the very long cross-service call chains that make whole-program context-sensitive analysis exhaust memory. MTD addresses these with a gateway-centric analysis that resolves routing configuration to the reachable entry points, a service dependence graph that models inter-service data flow, and a distance-guided, selectively context-sensitive taint analysis that spends precision only on code close to a vulnerable sink.
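To make the three phases concrete (both as summarized here and as listed in the authors' abstract below), here is a toy model written for this page. It is not MTD's code: the gateway route format, the one-parameter intermediate representation, the definition of distance as call-graph hops to the nearest sink-holding method, and the choice of a last-k-callers context are all simplifying assumptions, and the services, routes and methods are constructed. Running the same taint propagation once context-insensitively and once with context switched on within one hop of the sink shows the spurious path that the distance-guided strategy removes.

```python
"""Toy model of the three MTD phases (gateway entry points, service
dependence graph, distance-guided context sensitivity). Constructed data."""
from collections import deque

# Spring Cloud Gateway-style routes (constructed): an external prefix is
# forwarded to a service after StripPrefix drops the first path segment.
GATEWAY_ROUTES = [
    {"path": "/api/orders/**", "uri": "lb://order-svc", "strip_prefix": 1},
    {"path": "/api/files/**", "uri": "lb://file-svc", "strip_prefix": 1},
]
# Internal path -> handler per service. AdminCtl.purge looks public but no
# route reaches it, so a gateway-unaware tool would over-approximate.
SERVICE_ENDPOINTS = {
    "order-svc": {"/orders/export": "order-svc.OrderCtl.export"},
    "file-svc": {"/files/write": "file-svc.FileCtl.write",
                 "/files/list": "file-svc.FileCtl.list",
                 "/admin/purge": "file-svc.AdminCtl.purge"},
}
# Tiny IR (assumed): each method has one parameter "p"; a call passes "p"
# (derived from the caller's input) or "CONST"; "sink" is a file write of p.
METHODS = {
    "order-svc.OrderCtl.export": [("call", "file-svc.FileCtl.write", "p")],  # REST hop
    "file-svc.FileCtl.write": [("call", "file-svc.Storage.store", "p")],
    "file-svc.FileCtl.list": [("call", "file-svc.Storage.store", "CONST")],
    "file-svc.AdminCtl.purge": [("call", "file-svc.Storage.store", "p")],
    "file-svc.Storage.store": [("call", "file-svc.Fs.writeFile", "p")],
    "file-svc.Fs.writeFile": [("sink", "p")],
}

def gateway_entry_points(routes, endpoints):
    """Phase 1: handlers an external client can actually reach."""
    entries = set()
    for r in routes:
        service = r["uri"].removeprefix("lb://")
        segs = r["path"].removesuffix("/**").strip("/").split("/")
        internal = "/" + "/".join(segs[r["strip_prefix"]:])
        for path, handler in endpoints.get(service, {}).items():
            if path == internal or path.startswith(internal + "/"):
                entries.add(handler)
    return entries

def service_dependence_graph(methods):
    """Phase 2: reverse call graph plus the edges crossing a service boundary."""
    callers, cross = {}, set()
    for m, stmts in methods.items():
        for s in stmts:
            if s[0] == "call":
                callers.setdefault(s[1], []).append(m)
                if m.split(".")[0] != s[1].split(".")[0]:
                    cross.add((m, s[1]))
    return callers, cross

def distance_to_sink(methods, callers):
    """Call-graph hops from each method to the nearest sink-holding method."""
    dist = {m: 0 for m, st in methods.items() if any(s[0] == "sink" for s in st)}
    queue = deque(dist)
    while queue:
        m = queue.popleft()
        for c in callers.get(m, ()):
            if c not in dist:
                dist[c] = dist[m] + 1
                queue.append(c)
    return dist

def taint_analyze(methods, entries, dist, max_dist, k=2):
    """Phase 3: propagate taint from entries; keep a k-caller context only for
    callees within max_dist hops of a sink (max_dist < 0 = insensitive)."""
    tainted = {(e, ()) for e in entries}
    work, findings = deque(tainted), set()
    while work:
        m, ctx = work.popleft()
        for s in methods[m]:
            if s[0] == "sink":
                findings.add((m, ctx))
            elif s[2] == "p":  # the argument carries the tainted input
                near = dist.get(s[1], float("inf")) <= max_dist
                key = (s[1], (ctx + (m,))[-k:] if near else ())
                if key not in tainted:
                    tainted.add(key)
                    work.append(key)
    return findings

def witness_paths(finding, callers, entries):
    """Entry-to-sink paths consistent with a finding's recorded context."""
    sink, ctx = finding
    paths = []
    def back(path):
        if path[0] in entries:
            paths.append(tuple(path))
        for c in callers.get(path[0], ()):
            if c not in path:
                back([c] + path)
    back(list(ctx) + [sink])
    return paths

def run(max_dist):
    """All entry-to-sink paths reported for a given sensitivity radius."""
    entries = gateway_entry_points(GATEWAY_ROUTES, SERVICE_ENDPOINTS)
    callers, _ = service_dependence_graph(METHODS)
    dist = distance_to_sink(METHODS, callers)
    paths = set()
    for f in taint_analyze(METHODS, entries, dist, max_dist):
        paths.update(witness_paths(f, callers, entries))
    return sorted(paths)
```

`run(-1)` (context-insensitive) reports three paths into `Fs.writeFile`, one of them the spurious `FileCtl.list -> Storage.store -> Fs.writeFile`, because the summary of `Storage.store` merges the tainted argument from `write` with the constant from `list`. `run(1)` keeps a two-caller context only for `store` and `writeFile` (the methods within one hop of the sink) and reports only the two real paths, including the cross-service one from `order-svc.OrderCtl.export`. `AdminCtl.purge` never appears in either run because the gateway analysis did not mark it as an entry point.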

The researchers illustrated this with real-world cases: a Spring Cloud Data Flow deployment in which unvalidated input propagated through several services to a file-write operation (the Spring Projects issue assigned CVE-2024-22263, CVSS 9.8), and an IoT platform with a cross-service SQL injection. Across 25 open-source applications (each with more than 1,000 GitHub stars) and 5 industrial applications from Alibaba Group, MTD found 59 previously unknown vulnerabilities, 31 of which received CVE identifiers; the presenters reported 72% precision for MTD against 23 findings and under 40% precision for CodeQL on the same targets. An ablation study showed that removing any one component (entry-point identification, the dependence graph, or the distance-guided strategy) costs either precision or scalability.

The takeaway is that security tooling must understand the whole microservice deployment, gateway included, rather than each service in isolation. By combining gateway-aware entry-point analysis with scalable cross-service data-flow modeling, MTD found high-impact flaws (worth $50,000 in bounties, per the abstract) that single-service scanners miss.

Original Description

Microservice architecture has become increasingly popular for building scalable and maintainable applications. A microservice-structured web application (shortened to microservice application) enhances security by providing a loose-coupling design and enforcing security isolation between different microservices. However, in this paper, our study shows that microservice applications still suffer from taint-style vulnerabilities, one of the most serious classes of vulnerability (e.g., code injection and arbitrary file write). We propose a novel security analysis approach, named MTD, that can effectively detect taint-style vulnerabilities in real-world, fast-evolving microservice applications. Our approach mainly consists of three phases. First, MTD identifies the entry points accessible to external malicious users by applying a gateway-centric analysis. Second, MTD utilizes a new data structure, i.e., a service dependence graph, to bridge inter-service communication. Finally, MTD employs a distance-guided strategy for selective context-sensitive taint analysis to detect vulnerabilities.
To validate the effectiveness of MTD, we applied it to 25 open-source microservice applications (each with over 1,000 stars on GitHub) and 5 industrial microservice applications from a world-leading fintech company, i.e., Alibaba Group. We found that MTD effectively vetted these applications, discovering 59 high-risk zero-day vulnerabilities. Among these, vulnerabilities in open-source applications resulted in the allocation of 31 CVE identifiers, including CVE-2024-22263 in the Spring Projects, which has a CVSS score of 9.8. In the industrial microservice applications, we discovered 20 vulnerabilities, including Groovy code injection and arbitrary command execution. These vulnerabilities could compromise the entire web server, severely affecting the integrity of millions of users' private data and the security of company systems. MTD effectively detected these high-value vulnerabilities (worth $50,000 in bounties) and successfully safeguarded enterprise security.
By:
Fengyu Liu | Ph.D Student, Fudan University
YouKun Shi | Postdoctoral Researcher, Hong Kong Polytechnic University
Tian Chen | Master's Student, Fudan University
Bocheng Xiang | Fudan University
Junyao He | Senior Security Engineer, Alibaba Group
Qi Li | Senior Security Engineer, Alibaba Group
Guangliang Yang | Assistant Professor, Fudan University
Yuan Zhang | Professor, Fudan University
Min Yang | Professor, Fudan University
