Dapr September 2023 security audit report
… guarantee its security posture from malicious requests from the user application through supported Dapr endpoints: An application sending malicious requests to Dapr should not be able to compromise Dapr. … Dapr should not guarantee that the application's security remains uncompromised in the case of malicious requests from Dapr to the application; this is the responsibility of the application to ensure. For example, … is entirely the responsibility of the application; Dapr should not be prevented from sending such requests to the application. The same principle applies in the opposite direction: The application should …
47 pages | 1.05 MB | 1 year ago
Dapr July 2020 security audit report
… the Content-Type header should be verified and enforced to application/json, which requires all requests to obey the CORS policies. By doing so, the attack cannot be launched from remote machines and the application … (Medium) It was found that Dapr was not using any form of authentication when sending requests to the application. At the same time, attackers from one pod could bypass the Dapr API and related … able to contact the application directly. Because Dapr does not support authentication when sending requests to the application, it cannot distinguish if the request originates from an authenticated Dapr session …
19 pages | 267.84 KB | 1 year ago
Dapr June 2023 fuzzing audit report
… made about it. 16: FuzzHTTPRegex Tests an exposed Regex that extracts parameters from incoming requests. 17: FuzzOnPostStateTransaction Tests the onPostStateTransaction() HTTP endpoint with a request … GRPC endpoints related to state with requests containing a body specified by the fuzzer. 33: FuzzActorEndpoints Tests the GRPC endpoints related to actors with requests containing a body specified by the …
19 pages | 690.59 KB | 1 year ago
Dapr February 2021 security audit report
… isActionAllowed(action string) bool { return strings.EqualFold(action, AllowAccess) } PoC: The following HTTP requests demonstrate that accessing the /neworder API of nodeapp is prohibited by the configured access control …
9 pages | 161.25 KB | 1 year ago