Professional Documents
Culture Documents
Serverless Security Attackers and Defenders
Serverless Security Attackers and Defenders
https://www.puresec.io/
About Me ( @orysegal )
HTTP/2 fingerprinting, SSHowDowN Proxy (IoT), JS Code-flow Founder & guitarist of the Israeli
Manipulation, HQL Tampering, Apache httpd RCE (CVE-2002-0061), Art-Rock band PITS
Apache OpenWhisk Mutability (CVE-2018-11756/7), Serverless Security
Top 10, CSA Serverless Security Top 12 - & contributed to HTTP Response
Splitting, HTTP Request Smuggling, MITRE CWE, SANS Top25, …
https://pits1.bandcamp.com/
Agenda
No servers to manage
Continuous scaling
Sub-second metering
CLOUD RESOURCES
INTERACTIONS
CLOUD
RESOURCES
REST API
(SOME)
SERVERLESS
EVENT-DATA
INJECTION ATTACK
EVENT SURFACES
SOURCES
Compromise data
INFRASTRUCTURE
L AY E R 7
INBOUND
OUTBOUND
NETWORK
B E H AV I O R AL
SERVERLESS
AP P L I C ATI O N EPP IPS WFUNCTIONS
SG NG-FW W AF
▪BatchGetItem
Functions should only be allowed to do GetShardIterator
what they are tasked with
BatchWriteItem ListStreams
▪CreateTable
AWS IAM model is extremely powerful, yet ListTables
hard to get right
DeleteItem
▪DeleteTable
Human factor QUICK QUIZ: ListTagsOfResource
PurchaseReservedCapacityOfferings
DescribeLimits Query
C O N F I GU RATI O N
NAME &issues
▪ ‘Over-privileged’ SPELL
are theTHE
most CORRECT IAM PERMISSION
common mistake in serverless applications
DescribeReservedCapacity Scan
DescribeReservedCapacityOfferings TagResource
https://ubm.io/2FIrKq2
DescribeStream UntagResource
DescribeTable UpdateItem
GetItem UpdateTable
GetRecords
Least-privileged IAM roles are like bulkheads. They will contain
attackers to a specific vulnerable function in case of a breach
PutItem
How We Hacked Lambdashell.com ( http://bit.ly/lambda-shell-hack )
Challenge accepted!
Get The Environment Variables
Impersonate The Lambda Function
I’m the smartest man
alive!
Fail Miserably – Strict IAM Permissions
We’re Doomed!
Maybe There’s An S3 Bucket Involved?
There’s Always An S3 Bucket!
List the Contents of the Bucket
Do I Have “WRITE” Permissions?
https://bit.ly/2S0jd7H
Corey Quinn ( @QuinnyPig )
<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>
@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>
x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a
>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<
>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<
a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x...
@QuinnyPig:
More App-DoS (ReDoS)
35
More App-DoS (ReDoS)
36
More App-DoS (ReDoS)
37
More App-DoS (ReDoS)
DEMO //
Candidate LAMBDA
results in DynamoDB
5. Function sends receipt to candidate
12 Most Critical Risks for Serverless (CSA) http://bit.ly/csa-top-12