An Attacker’s View of Serverless and GraphQL
Abhay Bhargav - we45
Copyright - we45, 2019
abhaybhargav
Yours Truly
• Founder @ we45
• Chief Architect - Orchestron
• Avid Pythonista and AppSec Automation Junkie
• Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
• Lead Trainer - we45 Training and Workshops
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide
Get ready!
Today’s Session
• A Gentle Introduction to Serverless (FaaS) and GraphQL
• Attacker’s view of FaaS
• Attacker’s View of GraphQL
• Demos
• FIN
As always, I pray to the demo gods!
Serverless (FaaS)
Moving FaaSter!
Monolith → Microservice → Function
What is FaaS?
• Functions that are triggered via events => the event triggers a container/microVM
• Execute (thing)
• The container/microVM is frozen after execution and eventually destroyed
• Repeat
Summary
Function:
• Short lived
• No ports
• No state
• Single purpose
Events
Lifecycle
• Deploy into Lambda with a zip file
• Function is invoked, launching a container/microVM to run it; the container is frozen after the run and eventually destroyed
• Containers/microVMs are “thawed” when the function is invoked again
• Additional containers/microVMs are spawned based on concurrent invocations
customary FaaS Demo…
GraphQL
What is GraphQL?
• API Query Language => instead of REST API
• (Usually) single endpoint to query and insert
(mutate) data for the API
• Query/Mutate exactly what you want
• Multiple Resources in a Single Request
• PubSub functionality for realtime data (subscriptions)
REST vs GraphQL
REST: one route per resource and action (a Django urls.py):
    re_path(r'^media/(?P<path>.*)$', MediaServeView.as_view()),
    re_path(r'^api/user/password/change/(?P<email>.*)/$', UserUtilityView.as_view({'post': 'change_password'})),
    re_path(r'^api/user/token/', obtain_jwt_token),
    re_path(r'^api/user/profile/', UserProfileView.as_view()),
    re_path(r'^api/users/list/$', UserListView.as_view({'get': 'list'}), name='user_list'),
    re_path(r'^api/organizations/list/$', OrganizationListView.as_view({'get': 'list'}), name='org_list'),
    re_path(r'^api/projects/list/$', ProjectListView.as_view({'get': 'list'}), name='pro_list'),
    re_path(r'^api/applications/list/$', ApplicationListView.as_view({'get': 'list'}), name='app_list'),
    re_path(r'^api/users/$', UserView.as_view({'get': 'list', 'put': 'create'}), name='user'),
    re_path(r'^api/users/(?P<pk>\d+)/$',
            UserView.as_view({'get': 'retrieve', 'post': 'update', 'delete': 'destroy'}), name='ind_user'),
    re_path(r'^api/tools/$', OptionsListView.as_view({'get': 'tools'}), name='tools'),
    re_path(r'^api/hosttypes/$', OptionsListView.as_view({'get': 'hosttypes'}), name='hosttypes'),
    re_path(r'^api/platforms/$', OptionsListView.as_view({'get': 'platforms'}), name='platforms'),
    re_path(r'^api/permissions/$', OptionsListView.as_view({'get': 'permissions'}), name='permissions'),
GraphQL: (usually) one endpoint for everything (Express + express-graphql):
    const express = require('express');
    const { graphqlHTTP } = require('express-graphql');   // releases before 0.10 export it as the default
    const schema = require('./schema');                   // the app's GraphQLSchema (not shown here)
    const app = express();
    const PORT = 3000;
    app.use('/graphql', graphqlHTTP({
      schema: schema,
      graphiql: true,   // serves the GraphiQL IDE on GET /graphql; keep it off in production
    }));
    app.listen(PORT);
GraphQL Architecture
Source: Apollo Server
GraphQL Terminology
• Schemas and Types: define object types and their fields (objects and attributes)
• Queries => SELECT statements
• Mutations => INSERT/UPDATE statements
• Scalar => leaf types (Int, String, …); custom scalars for things like Date
• Resolver => function that translates the type system to DB queries (or any other backend call)
customary GraphQL Demo…
Why Serverless AND GraphQL?
Super-easy to deploy (serverless.yml):
    service: gql-sql-injection
    package:
      exclude:
        - node_modules
        - package-lock.json
    provider:
      name: aws
      runtime: nodejs8.10
      timeout: 30
    functions:
      graphql:
        handler: app.handler
        timeout: 30
        events:
          - http:
              path: graphql
              method: post
              cors: false
Security Considerations - FaaS
• No* Frameworks => Back to Plain ol’ platform code
• No Network Attack Surface (the function itself listens on no ports)
• Observability/Debugging is a challenge
• Events from Multiple Sources
• Highly disciplined approach to Architecture
reading between the lines….
Considerations - FaaS
• No* Frameworks => Back to Plain ol’ platform code
  • No batteries-included security features (frameworks)
  • DIY validation
  • Access control per function
  • Logging per function
  • and other things we don’t do too well…
• No Network Attack Surface
• Observability/Debugging is a challenge
  • Monitoring attacks is a challenge unless you architect for it
  • Security logging => FUHGEDDABOUDIT!
• Events from Multiple Sources
  • Functions triggered from events like S3, SNS, SQS, etc.
  • Larger attack surface
  • Traditional security controls (WAFs, etc.) may be ineffective
  • DAST/testing is hard to execute
• Highly disciplined approach to Architecture
Useful Projects for Serverless Security
Attacker’s View of FaaS
Routes to FaaS pwnage!
• Attacking Function (and Cloud Provider) through non-API Gateway Events
• Attacking Function (and Cloud Provider) through API (Web Services Attacks)
• Identifying Vulnerabilities with IAM and Privileges => Elevation of Privilege
• Information Disclosure => Database Access, etc.
• Denial of Service
Function Data Event Injection
What is Event Injection?
• Injection Attacks triggered through Third party
event notifications
• Example:
• File Uploaded to S3
• Message sent over Notification Service
• Message received on Queue
• DynamoDB Stream Events,
• etc
Function Data Event Injection
• Injection is back!!
• Multiple Possibilities with Functions:
• Insecure Deserialization
• XXE
• SQL Injection
• NoSQL Injection
• Server-Side Request Forgery
• Template Injection
Function Data Event Injection - Sources (what the event payload can carry)
• Command Injection
• SQL/NoSQL Injection
• Insecure Deserialization
• XXE
Case Study
• User uploads an XML file laced with a malicious DTD (an XXE payload)
• File is stored in Amazon S3
• S3 notification triggers the function
• Function reads the uploaded file; the external entity is resolved and the XXE executes
• Attacker gains access
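The pipeline in the case study, written out as a Python Lambda handler. This is an added example, not code from the deck or from we45: the S3 notification record, the bucket name and the two object bodies are constructed inline, and fetch_object stands in for boto3's s3.get_object so it runs offline. Python's own ElementTree does not resolve external entities, so the DTD check is there for the parsers that do (lxml with its default resolve_entities=True, many Java parsers) and for entity-expansion DoS; the larger point is that everything in the event, down to the URL-encoded object key, is attacker-chosen input.

```python
import json
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed S3 notification, shaped like the event Lambda receives on
# ObjectCreated; bucket and key are made up. Note the "+" in the key:
# S3 URL-encodes object keys in notifications.
SAMPLE_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "uploads-bucket"},
               "object": {"key": "incoming/report+2019.xml"}},
    }]
}

# Constructed object bodies standing in for S3, so the example runs offline.
FAKE_OBJECTS = {
    ("uploads-bucket", "incoming/report 2019.xml"): b"<report><total>42</total></report>",
    ("uploads-bucket", "incoming/evil.xml"): (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
        b"<report><total>&xxe;</total></report>"
    ),
}


class UnsafeDocument(ValueError):
    """The uploaded XML declares a DTD or entities."""


def fetch_object(bucket, key):
    """Stand-in for s3.get_object(Bucket=..., Key=...)['Body'].read()."""
    return FAKE_OBJECTS[(bucket, key)]


def parse_report(data):
    """Parse an uploaded report, refusing any document that carries a DTD.

    External entities are what XXE rides on and internal entities are what
    entity-expansion DoS rides on; an upload needs neither, so the document
    is rejected before any parser sees it instead of trusting parser defaults.
    """
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise UnsafeDocument("DTD/entity declarations are not allowed in uploads")
    root = ET.fromstring(data)
    return int(root.findtext("total"))


def handler(event, context=None):
    """Lambda entry point: process every S3 record in the event."""
    results = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue                      # only the trigger this function expects
        bucket = record["s3"]["bucket"]["name"]
        # Decode the key ("+" and %xx) before using it; the raw value is what
        # the uploader chose, so it is as untrusted as the file body.
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        try:
            total = parse_report(fetch_object(bucket, key))
            results.append({"key": key, "status": "ok", "total": total})
        except (UnsafeDocument, ET.ParseError, ValueError) as exc:
            results.append({"key": key, "status": "rejected", "reason": str(exc)})
    return results


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Running it processes the honest record; a record pointing at incoming/evil.xml comes back as rejected rather than parsed. The key decoding matters with a real bucket as well: S3 encodes spaces as + in notifications, and a handler that fetches the raw key gets NoSuchKey on exactly the files an attacker names oddly.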
Demo
Challenges - Function Data Event Injection
• Hard to test for => Execution is largely Out-of-Band
• Hard to Protect with WAFs (other Network Security) =>
Several non-HTTP Protocols can be used to trigger this
• Wide variety of execution scenarios
Privilege Escalation - IAM Misconfiguration
IAM & Other Misconfigurations
• Permissions are often the greatest bugbear in a FaaS
implementation
• Devs tend to provide overly permissive capabilities
for resources that interact with FaaS
implementations
• Permissions are usually set in cloud IAM
environments with Policies, Roles, etc
• This includes misconfigurations like Public S3
buckets and access to all DynamoDB tables, etc
Examples of IAM (policy statements in YAML)
Allows ALL actions on a DynamoDB table:
    - Effect: Allow
      Action:
        - 'dynamodb:*'
      Resource:
        - 'arn:aws:dynamodb:us-east-1:****************:table/TABLE_NAME'
Only PutItem allowed on the table:
    - Effect: Allow
      Action:
        - dynamodb:PutItem
      Resource: 'arn:aws:dynamodb:us-east-1:****************:table/TABLE_NAME'
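A lint for statements like the two above, as an added Python example (not from the deck or from the Serverless Framework). It takes the statements already parsed from YAML into Python maps, the shape serverless.yml's iamRoleStatements have; the first two statements are the slide's with the account id masked, the third is constructed to show the other common mistakes.

```python
WILDCARD_ACTION = "wildcard action"
WILDCARD_RESOURCE = "wildcard resource"
NOT_ACTION = "NotAction allows everything not listed"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_statements(statements):
    """Return (index, kind, detail) for every over-broad Allow statement.

    Flags '*' anywhere in the action-name part ('dynamodb:*', 's3:Put*', '*'),
    resources that are '*' or end in '*', and NotAction. Deny statements are
    skipped: a broad Deny is fine.
    """
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, NOT_ACTION, _as_list(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action")):
            if "*" in action.split(":")[-1]:
                findings.append((idx, WILDCARD_ACTION, action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith("*"):
                findings.append((idx, WILDCARD_RESOURCE, resource))
    return findings


TABLE_ARN = "arn:aws:dynamodb:us-east-1:****************:table/TABLE_NAME"
STATEMENTS = [
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": [TABLE_ARN]},       # slide, statement 1
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN},   # slide, statement 2
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:Put*"], "Resource": "*"},  # constructed
]

if __name__ == "__main__":
    for idx, kind, detail in audit_statements(STATEMENTS):
        print(f"statement[{idx}]: {kind}: {detail}")
```

The PutItem statement produces no finding; the first is flagged for its action wildcard and the constructed third for both a partial action wildcard and a '*' resource. Run it over every function's role before deploy, since one over-broad statement on a function that is reachable through an event source is the elevation-of-privilege path the previous slide describes.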
DynamoDB Injection
Standard “scan” with DynamoDB (boto3):
    client.scan(TableName='dynamo-user', Select='ALL_ATTRIBUTES',
                ScanFilter={
                    'first_name': {"AttributeValueList": [{"S": "Joe"}],
                                   "ComparisonOperator": "EQ"}
                })
ComparisonOperator accepts: EQ | NE | IN | LE | LT | GE | GT | BETWEEN | NOT_NULL | NULL | CONTAINS | NOT_CONTAINS | BEGINS_WITH
If the caller controls the operator (or the whole filter map), swapping EQ for GT with a low value such as "*" matches every item:
    client.scan(TableName='dynamo-user', Select='ALL_ATTRIBUTES',
                ScanFilter={'first_name': {"AttributeValueList": [{"S": "*"}],
                                           "ComparisonOperator": "GT"}})
The equivalent of ' OR 1=1: any name that starts with a letter or digit sorts after "*", so the scan retrieves all values from the table.
Demo
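The two scans above turned into a request handler, as an added Python example that is not from the deck. Instead of boto3 it applies ScanFilter semantics to a constructed three-row table, so the effect of letting the caller choose ComparisonOperator is visible offline; the attribute names, the allowed operators and the 64-character limit are assumptions for the demo.

```python
# Added example: a DynamoDB ScanFilter built from request data, vulnerable and
# hardened, with an in-memory evaluator instead of boto3.

ALLOWED_OPERATORS = {"EQ", "BEGINS_WITH"}        # what this search endpoint needs

# Constructed items in the shape DynamoDB returns (attribute -> {type: value}).
TABLE = [
    {"user_id": {"N": "1"}, "first_name": {"S": "Joe"}, "role": {"S": "user"}},
    {"user_id": {"N": "2"}, "first_name": {"S": "Alice"}, "role": {"S": "admin"}},
    {"user_id": {"N": "3"}, "first_name": {"S": "Bob"}, "role": {"S": "user"}},
]


def build_filter_vulnerable(params):
    """Copies operator and value straight from the request body, so
    {"first_name": "*", "op": "GT"} produces the slide's dump-everything filter."""
    return {"first_name": {"AttributeValueList": [{"S": params["first_name"]}],
                           "ComparisonOperator": params.get("op", "EQ")}}


def build_filter_hardened(params):
    """Operator from an allowlist; value type-, length- and charset-checked."""
    name = params.get("first_name")
    if not isinstance(name, str) or not 1 <= len(name) <= 64 or not name.isprintable():
        raise ValueError("first_name must be a printable string of 1..64 characters")
    op = params.get("op", "EQ")
    if op not in ALLOWED_OPERATORS:
        raise ValueError(f"operator {op!r} not permitted")
    return {"first_name": {"AttributeValueList": [{"S": name}], "ComparisonOperator": op}}


def _matches(item, attr, cond):
    """One ScanFilter condition on a string attribute (DynamoDB's legacy operator set)."""
    op = cond["ComparisonOperator"]
    value = item.get(attr, {}).get("S")
    args = [v["S"] for v in cond.get("AttributeValueList", [])]
    if op in ("NULL", "NOT_NULL"):
        return (value is None) == (op == "NULL")
    if value is None:
        return False
    return {
        "EQ": value == args[0], "NE": value != args[0],
        "LT": value < args[0], "LE": value <= args[0],
        "GT": value > args[0], "GE": value >= args[0],
        "BEGINS_WITH": value.startswith(args[0]),
        "CONTAINS": args[0] in value, "NOT_CONTAINS": args[0] not in value,
        "IN": value in args, "BETWEEN": args[0] <= value <= args[-1],
    }[op]


def scan(table, scan_filter):
    """Stand-in for client.scan(): items matching every condition (AND semantics)."""
    return [item for item in table
            if all(_matches(item, attr, cond) for attr, cond in scan_filter.items())]


if __name__ == "__main__":
    honest, hostile = {"first_name": "Joe"}, {"first_name": "*", "op": "GT"}
    print("vulnerable, honest request :", scan(TABLE, build_filter_vulnerable(honest)))
    print("vulnerable, hostile request:", scan(TABLE, build_filter_vulnerable(hostile)))
    print("hardened, honest request   :", scan(TABLE, build_filter_hardened(honest)))
    try:
        build_filter_hardened(hostile)
    except ValueError as exc:
        print("hardened, hostile request  : rejected,", exc)
```

The operator allowlist is the real fix: even with a sanitised value, any ordering operator (GT, LT, BETWEEN) or NOT_CONTAINS on an attacker-chosen value is a full-table enumeration. BEGINS_WITH is still a prefix oracle, so pair it with authorization on the caller and a page-size limit rather than treating input validation as the only control.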
Other Weaknesses
• Authorization Weaknesses especially with JSON Web Tokens (JWTs)
• Denial of Service Attacks based on Library weaknesses
• Dynamic Testing is a major challenge for Serverless Functions
• SAST/SCA becomes the way to go. But gets hard with multiple language
implementations
Attacker’s view of GraphQL
Security Considerations - GraphQL
• Access Control (enforced per resolver/field, not just at the single endpoint)
• Input Validation
• Query Whitelisting (persisted queries)
• Rate Limiting (plus query depth/cost limits)
Attacker’s View of GraphQL
• Similar set of flaws as you would see with any other Web App/Web Service
• Authorization Flaws and Info Disclosure Flaws take center-stage
• NoSQL Flaws might be big with GraphQL Apps
• Make Denial-of-Service Great Again!
GraphQL Introspection (Information Disclosure)
Introspection?
• The __schema and __type meta-fields let any client dump every type, field, argument and mutation the server exposes
• Indispensable for tooling (GraphiQL, code generation); for an attacker it is a free API map, so disable or gate it in production
Authorization Bypass
Anyone remember Mass Assignment?
• Same bug, new syntax: an input type that mirrors the whole table (role, is_admin, …) and a resolver that copies the input straight into the update
Demo
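An updateProfile resolver with and without the bug, as an added Python example (not from the deck). It is framework-free: the mutation's input argument arrives as a dict, the way graphene or ariadne resolvers receive it, and the store, the user and the field list are constructed.

```python
import copy

# Constructed user store keyed by id.
USERS = {7: {"id": 7, "email": "joe@example.com", "display_name": "Joe", "role": "user"}}

# The only fields the updateProfile mutation is documented to change.
PROFILE_FIELDS = {"email", "display_name"}


def fresh_store():
    return copy.deepcopy(USERS)


def update_profile_vulnerable(store, viewer_id, args):
    """Mass assignment: every key the client sent is written to the viewer's row.
    An input type that mirrors the whole table (or a resolver that accepts extra
    keys) turns a profile edit into a privilege change: {"role": "admin"}."""
    user = store[viewer_id]
    user.update(args)
    return user


def update_profile(store, viewer_id, args):
    """Fixed: copy only allowlisted fields. Anything else is an authorization
    decision this mutation is not allowed to make, so it is rejected loudly."""
    unexpected = set(args) - PROFILE_FIELDS
    if unexpected:
        raise PermissionError(f"updateProfile cannot set {sorted(unexpected)}")
    user = store[viewer_id]
    for field in PROFILE_FIELDS & set(args):
        user[field] = args[field]
    return user


if __name__ == "__main__":
    hostile_args = {"display_name": "Joe", "role": "admin"}   # constructed mutation arguments
    print("vulnerable:", update_profile_vulnerable(fresh_store(), 7, hostile_args))
    try:
        update_profile(fresh_store(), 7, hostile_args)
    except PermissionError as exc:
        print("fixed: rejected,", exc)
```

GraphQL validation already rejects fields that are not on the input type, so in practice the hole is an over-wide input type (one generated from the model, role included) combined with a resolver that spreads the whole input into the update. The allowlist in the fixed version is what the input type should have been in the first place; keeping it in the resolver as well means a later schema change cannot silently reopen the bug.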
Injection
Injection with GraphQL
• Unlike REST (single query per function), GraphQL resolvers are written for a larger query space: arguments, filters and nested selections all reach the data layer
• With NoSQL databases this can lead to injection (and possibly RCE) if dynamic scripting is enabled (MongoDB $where, Elasticsearch scripts, etc.)
Demo
DoS
Nested Queries - Resource Exhaustion
• Nested queries over many-to-many fields can easily be scaled into “high cost” queries
• When coupled with FaaS invocations (billed per execution time), this can really add up the costs
Demo
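A pre-execution guard covering three items from the sections above, Query Whitelisting, Introspection and Nested Queries, as one added Python example that is not from the deck or from any GraphQL library. It tokenises the request, splits operations from fragments, expands fragment spreads so a deep fragment cannot hide depth, blocks the introspection meta-fields even behind an alias, and checks an optional persisted-query allowlist by hash. Stdlib only; the four sample queries and the depth limit of 5 are constructed for the demo, and a production server should use its library's validation rules (graphql-js's NoSchemaIntrospectionCustomRule, graphql-depth-limit and similar) rather than this parser.

```python
import hashlib
import re

MAX_DEPTH = 5                                   # constructed limit for the demo
INTROSPECTION_FIELDS = {"__schema", "__type"}
KEYWORDS = ("query", "mutation", "subscription", "fragment")

# Strings come out as one token (braces inside them are ignored); comments are dropped.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|[{}()]|[A-Za-z_][A-Za-z0-9_]*|\S')


def tokenize(query):
    return [t for t in _TOKEN.findall(query) if not t.startswith("#")]


def query_hash(query):
    """Whitespace-insensitive hash: the key a persisted-query allowlist is built on."""
    return hashlib.sha256(" ".join(tokenize(query)).encode()).hexdigest()


def split_definitions(tokens):
    """Cut the token stream into top-level operations and fragment definitions."""
    defs, cur, brace, paren = [], [], 0, 0
    for tok in tokens:
        cur.append(tok)
        paren += (tok == "(") - (tok == ")")
        if paren == 0 and tok in ("{", "}"):
            brace += 1 if tok == "{" else -1
            if brace == 0:
                defs.append(cur)
                cur = []
    if cur:
        raise ValueError("unbalanced braces")
    return defs


def analyse(tokens):
    """Brace depth, selected names and named fragment spreads of one definition.
    Braces inside argument lists are object literals, not selection sets, and are skipped."""
    kind = tokens[0] if tokens[0] in KEYWORDS else "query"
    depth = max_depth = paren = 0
    fields, spreads = set(), []
    for i, tok in enumerate(tokens):
        paren += (tok == "(") - (tok == ")")
        if paren or tok in ("(", ")"):
            continue                                  # inside an argument list
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "..." and i + 1 < len(tokens) and tokens[i + 1] not in ("on", "{", "@"):
            spreads.append((depth, tokens[i + 1]))   # `...Name`; inline fragments fall through
        elif depth and (tok[0].isalpha() or tok[0] == "_"):
            fields.add(tok)                           # aliases too, so `peek: __schema` is caught
    name = tokens[1] if kind == "fragment" else None
    return {"kind": kind, "name": name, "depth": max_depth, "fields": fields, "spreads": spreads}


def effective_depth(d, frags, seen=frozenset()):
    """Depth with fragment spreads expanded; a fragment cycle is an error."""
    best = d["depth"]
    for level, frag in d["spreads"]:
        if frag in seen:
            raise ValueError(f"fragment cycle via {frag}")
        if frag not in frags:
            raise ValueError(f"unknown fragment {frag}")
        # the fragment's outer selection set merges into the level it is spread at
        best = max(best, level + effective_depth(frags[frag], frags, seen | {frag}) - 1)
    return best


def all_fields(d, frags, seen=frozenset()):
    found = set(d["fields"])
    for _, frag in d["spreads"]:
        if frag in frags and frag not in seen:
            found |= all_fields(frags[frag], frags, seen | {frag})
    return found


def check_query(query, allowlist=None, max_depth=MAX_DEPTH):
    """Decide before execution: {'ok': bool, 'reason': str, 'depth': int}."""
    if allowlist is not None and query_hash(query) not in allowlist:
        return {"ok": False, "reason": "query not in persisted-query allowlist", "depth": 0}
    try:
        defs = [analyse(d) for d in split_definitions(tokenize(query))]
        frags = {d["name"]: d for d in defs if d["kind"] == "fragment"}
        deepest = 0
        for op in (d for d in defs if d["kind"] != "fragment"):
            if all_fields(op, frags) & INTROSPECTION_FIELDS:
                return {"ok": False, "reason": "introspection is disabled", "depth": 0}
            deepest = max(deepest, effective_depth(op, frags))
    except ValueError as exc:
        return {"ok": False, "reason": str(exc), "depth": 0}
    if deepest > max_depth:
        return {"ok": False, "reason": f"query depth {deepest} exceeds {max_depth}", "depth": deepest}
    return {"ok": True, "reason": "", "depth": deepest}


# Constructed sample requests.
OK_QUERY = "query Me($id: ID!) { user(id: $id, where: {a: {b: {c: {d: true}}}}) { name } }"
NESTED_QUERY = "{ users { friends { friends { friends { friends { friends { name } } } } } } }"
FRAGMENT_QUERY = """query Q { users { ...Deep } }
fragment Deep on User { friends { friends { friends { friends { friends { name } } } } } }"""
INTROSPECTION_QUERY = "query { peek: __schema { types { name } } }"

if __name__ == "__main__":
    allowed = {query_hash(OK_QUERY)}
    for q in (OK_QUERY, NESTED_QUERY, FRAGMENT_QUERY, INTROSPECTION_QUERY):
        print(check_query(q), "| allowlisted:", check_query(q, allowlist=allowed)["ok"])
```

Depth is a cheap proxy for cost: a many-to-many field fanned out five levels deep is exactly the query this section describes, and the fragment version is the same query with the depth moved out of sight. Depth alone does not catch wide-but-shallow queries (a thousand aliases of one expensive field), which need a cost analysis or a result-size limit on top; with an allowlist in force, none of that matters for unknown queries, which are rejected before parsing.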
Conclusions
• Serverless and GraphQL Stacks are going to be big moving forward
• Developers need to largely DIY Implementations => Few Frameworks today!
• Security Tooling => Needs to catch up a WHOLE LOT MORE!
Thanks!
•Twitter: @abhaybhargav
•Website and Blog: www.we45.com
•Product: www.orchestron.io
ICT role in 21st century education and its challenges
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec California 2019