Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Google Cloud Platform's (GCP) App Engine is a robust, serverless platform tailored for the development and hosting of web applications on a large scale. The design of this platform focuses on streamlining the development process and enhancing the manageability of applications. The key features and benefits of GCP's App Engine include:
Serverless Architecture: App Engine automatically handles the infrastructure, including server provisioning, configuration, and scaling. This allows developers to focus on writing code without worrying about the underlying hardware.
Automatic Scaling: App Engine can automatically scale your application in response to the amount of traffic it receives. It scales up to handle increased traffic and scales down when traffic decreases, helping optimize cost and performance.
Language and Runtime Support: It supports popular programming languages such as Java, Python, Node.js, Go, Ruby, PHP, and .NET. You can run your applications in a standard or a flexible environment. The standard environment is more restrictive but highly optimized for specific languages, while the flexible environment allows for more customization.
Integrated Services: App Engine integrates with many other GCP services, like Cloud SQL, Cloud Storage, Cloud Datastore, and more. This integration simplifies the architecture of cloud-based applications.
Versioning and Traffic Splitting: You can easily deploy multiple versions of your application and then split traffic among them for A/B testing or gradual rollouts.
Application Insights: App Engine provides built-in services such as logging, user authentication, and a suite of developer tools for monitoring and managing applications.
Security: It offers built-in security features like application versioning, SSL/TLS certificates for secure connections, and identity and access management.
A simple firewall can be configured for the instances running the Apps with the following options:
The default service account used by these Apps is <proj-name>@appspot.gserviceaccount.com which have Editor role over the project and the SAs inside APP Engine instance runs with cloud-platform scope (among others).
The source code and metadata is automatically stored in buckets with names such as <proj-id>.appspot.com and staging.<proj-id>.appspot.com and <country>.<proj-id>.appspot.com
Every file of the App is stored with the sha1 of the content as filename:
Inside the ae folder from staging.<proj-id>.appspot.com, one folder per version exist with the source code files and manifest.json file that describes the components of the App:
The web app will ultimately be executed inside a container and Code Build is used to build the container.
The default web page will be exposed in the URL <project-uniq-name>.appspot.com although the URL of older versions will be slightly different, like https://20240117t001540-dot-<project-uniq-name>.uc.r.appspot.com (note the initial timestamp).
It might look like it's only possible to deploy 1 app engine web application per region, but it's possible to indicate service: <servicename> in the app.yml and create a new service (a new web). The format of the URL for this new web will be <servicename>-dot-<project-uniq-name>.appspot.com.
Every time you uploads a new code to the App, a new version is created. All versions are stored and they even have an URL to access them. So modifying the code of an old version could be a great persistence technique.
As with Cloud Functions, there is a chance that the application will rely on secrets that are accessed at run-time via environment variables. These variables are stored in an app.yaml file which can be accessed as follows:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
