Feature Flag Misconfiguration Vulnerabilities in Microservices Penetration Testing: Analysis, Impact, and Remediation

Authors

  • Ahmad Hussein Al Omari, Cyber Security Department, Faculty of Science and Information Technology, Al-Zaytoonah University of Jordan, Jordan, https://orcid.org/0000-0001-7851-6582
  • Ahmad Alshanty, Cyber Security Department, Faculty of Science and Information Technology, Al-Zaytoonah University of Jordan, Jordan
Volume: 16 | Issue: 1 | Pages: 30781-30786 | February 2026 | https://doi.org/10.48084/etasr.15014

Abstract

This study examines the security implications of the adoption of Feature Flags (FFs) within microservice-based software development methodologies. FFs enable developers to activate or deactivate application functionality without redeploying code, thus accelerating service delivery and adoption. However, this approach introduces significant security risks, as misconfigured or poorly managed FFs can create novel vulnerabilities that attackers may exploit, such as bypassing critical security controls. To investigate these risks, a penetration testing analysis was conducted in a production-grade financial microservices environment, focusing on authentication mechanisms, fraud detection systems, and API logging. The assessment identified four high-severity vulnerabilities: FF misconfiguration, overly permissive privileges, insecure storage of API tokens, and persistent backdoors through shadow flags. Severity evaluations using the Common Vulnerability Scoring System (CVSS) revealed scores ranging from 8.8 to 9.3, indicating critical impact. These vulnerabilities were found to facilitate unauthorized financial transactions, data exposure, and regulatory noncompliance. In response to these findings, this study proposes a mitigation framework designed to systematically address FF vulnerabilities. This framework integrates a structured taxonomy, root cause analysis, and targeted remediation strategies, including enhanced role-based access controls, secure token management protocols, and automated auditing mechanisms.
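As an added illustration of the remediation the abstract names (role-based control over flag changes, an audit trail of every attempt, and detection of shadow flags), and not code from the paper or from any flag-management product: a minimal flag registry in Python. The role names, flag names and the deployed configuration are constructed for the example; the rule that only a security administrator may switch off a security-critical flag is an assumption, not a policy the paper states.

```python
from dataclasses import dataclass, field

# Constructed role model (assumption, not from the paper): developers may toggle
# ordinary flags; only a security administrator may disable a flag that gates a
# security control such as authentication, fraud detection or API logging.
ROLES_TOGGLE_FEATURE = {"developer", "security_admin"}
ROLES_DISABLE_SECURITY = {"security_admin"}

class FlagPolicyError(PermissionError): ...  # a change that violates the policy

@dataclass
class FlagRegistry:
    flags: dict = field(default_factory=dict)      # name -> {"enabled", "security_critical"}
    audit_log: list = field(default_factory=list)  # append-only record of every attempt

    def register(self, name, enabled, security_critical):
        self.flags[name] = {"enabled": enabled, "security_critical": security_critical}

    def set_flag(self, name, enabled, actor, role):
        if name not in self.flags:  # an unregistered name is a shadow flag: refuse it
            raise FlagPolicyError(f"unregistered flag: {name}")
        meta = self.flags[name]
        # Switching off a security control needs the stronger role (least privilege).
        disabling_control = meta["security_critical"] and not enabled
        allowed = ROLES_DISABLE_SECURITY if disabling_control else ROLES_TOGGLE_FEATURE
        entry = {"flag": name, "actor": actor, "role": role, "requested": enabled}
        if role not in allowed:
            self.audit_log.append({**entry, "outcome": "denied"})
            raise FlagPolicyError(f"{role} may not set {name}={enabled}")
        entry.update(outcome="changed", previous=meta["enabled"])
        meta["enabled"] = enabled
        self.audit_log.append(entry)

def find_shadow_flags(registry, deployed_config):
    """Flag names present in a deployed config but missing from the registry."""
    return sorted(set(deployed_config) - set(registry.flags))

def demo():  # constructed scenario: a developer tries to switch off fraud detection
    reg = FlagRegistry()
    reg.register("fraud_detection", enabled=True, security_critical=True)
    reg.register("new_dashboard", enabled=False, security_critical=False)
    reg.set_flag("new_dashboard", True, actor="dev1", role="developer")
    try:
        reg.set_flag("fraud_detection", False, actor="dev1", role="developer")
    except FlagPolicyError:
        pass  # denied, and the denial itself is in the audit log
    reg.set_flag("fraud_detection", False, actor="sec1", role="security_admin")
    deployed = {"fraud_detection": False, "new_dashboard": True, "legacy_override": True}
    return {"fraud_on": reg.flags["fraud_detection"]["enabled"], "shadow": find_shadow_flags(reg, deployed),
            "outcomes": [e["outcome"] for e in reg.audit_log]}
```

Comparing the deployed configuration against the registry is the automated check that surfaces a flag nobody registered, which is the shadow-flag case the assessment describes.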

Keywords:

feature flags, microservices, penetration testing, vulnerability taxonomy, access control, API token management




How to Cite

[1]
A. H. Al Omari and A. Alshanty, “Feature Flag Misconfiguration Vulnerabilities in Microservices Penetration Testing: Analysis, Impact, and Remediation”, Eng. Technol. Appl. Sci. Res., vol. 16, no. 1, pp. 30781–30786, Feb. 2026.
