Serverless attacks, exploits, architectures, and defenses. Presentation for RSA 2020. Serverless and cloud penetration testing. ~ Teri Radichel, CEO, 2nd Sight Lab

1. #RSAC
SESSION ID:
#RSAC
SESSION ID:
Teri Radichel
Serverless Attack Vectors
CSV-W09
CEO
2nd Sight Lab
@teriradichel

2. #RSAC#RSAC
Serverless is secure right?
Nothing to worry about.

3. #RSAC#RSAC
Why do breaches happen?
Mistakes happen.

4. #RSAC#RSAC
Functions are secure right?
Just like the blockchain (j/k).

5. #RSAC#RSAC
The evolution of serverless.
Not just functions.
Amazon Aurora
Azure Storage
Accounts
Google
Cloud Run
AWS Lambda
Amazon S3
bucket
AWS Fargate
AWS Serverless
Application Repository
Google Cloud
Functions

6. #RSAC#RSAC
Serverless architecture.
Connecting the dots.
AWS Lambda
Amazon CloudFront
AWS Lambda
Amazon DynamoDB
AWS Fargate
Amazon API Gateway
Amazon Simple Queue
Service

7. #RSAC#RSAC
Serverless under the hood.
The cloud provider.

8. #RSAC#RSAC
Questions for the CSP
People and technology

9. #RSAC#RSAC
AWS, Azure, Google
Biggest risk?

10. #RSAC#RSAC
What to worry about?
Look at recent breaches.

11. #RSAC#RSAC
The misconfigurations.
Why is this happening?

12. #RSAC#RSAC
What could go wrong?
Serverless still runs software.

13. #RSAC#RSAC
Serialization
Still exists in serverless.

14. #RSAC#RSAC
Function stack.
Secure your code.
YOUR
CODE
cloud
provider
A Cloud Function

15. #RSAC#RSAC
How will attackers get in?
The same way they always do.
Interpretation for Serverless

16. #RSAC#RSAC
For example: Injection
Code works the same in a function.
String query = "SELECT *
FROM accounts WHERE
custID='"
+ request.getParameter("id")
+ "'";
http://example.com/app/accou
ntView?id=' or '1'='1
String query = "SELECT *
FROM accounts WHERE
custID='"
+ ' or '1'='1 + "'";

17. #RSAC#RSAC
Another example
Auth injection – curl request
curl -vs --request PUT --url
'https://xxxxxxxxxxxxxxxx/Customer/%3Cscrip
t%3Ealert(%22X%20SS%22);%3C/script%3E' --
header 'authorization: Bearer
mV3ZWJzaiJS22kMajksXJYep0HbL1o1y1KyK2WBhMWM
4NDFiLTUwNWItNDgyMi1hMzQ3LWFlZDQ1NDMyYTM3MC
IsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1ODA3ODc0Mj
csImV4cCI6MTU4YOIOQUAeKYwiaXNzIjoiaHR0cH
M6Ly90ZXN02ZTIdGVycHJpc2Utc2VjdXJpdHktYX
V0aG9yaXphdGlvbnNlcnZpY2UtYXBpLnRlc3QtZT
ItZXh0ZXJuYWwtYXNlLnAuYXp1cmV3ZWJzaXRlcy
5uZXQiLCJhdWQiOlsiaHR0cHM6Ly90ZXN0LWUyLW
VudGVycHJpc2Utc2VjdXJpdHktYXV0aG9yaXphdG
lvbnNlcnZpY2UtYXBpLnRlc3QtZTItZXh0ZXJuYW
wtYXNlLnAuYXp1cmV3ZWJzaXRlcy5uZXQvcmVzb3
VyY2VzIiwiZGVmYXVsdCJdLCJjbGllbnRfaWQiOi
JTZWNvbmRTaWdodExhYi5QZW5UZXN0IiwicGVybW
lzc2lvbnMiOiIiLCJwZXh0ZXJuYWwtYXNlLnAuYX
p1cmV3ZWJA4YiIsImNsaWVudF9wYXJ0eV9tZW1iZ
XJfaWQiOiI2ZTI4N2ZTIiNjhmLTQ3ODUtODZjYi1
jODMzZDA1NWMwOGIiLCJzY29wZSI6WyJkZWZhdWx
0Il19.coFeQS3qID8uzdr6chr3qnglflFIfLMCi0l5
WMY6L22kMajksXJYep0HbL1o1y1KyK2WmDD7DgVQiHs
CmdbIi-FyN0LWUyK3-
JL6lTo0XjJAHTJ0MGVjdXJpdHktYXV0aG97_3FVGugq
8WdYIawaKoujd4N-3D06DirUlKKhYkA-
yGKGQmRm5vcT3WdXvChbieHa5ybSLUQ1oYP31X186NT
N8NUNxs7pAS6P4bLM771LCRMrzmqUI2B-43oYr-
dr6cDZlM5R1TaVPQv-hSAwh-ztsHPhLMJN8K-
y5UOIOQUAeKY96hV4_RXPL2VzIiwiZGVYXVsdCJdLCB
mXv0Q' --header 'x-correlation-id:
2slsightlabpentest’ 2>&1

18. #RSAC#RSAC
Another example
Auth injection – HTTP Request
PUT
/Customer/%3Cscript%3Ealert(%22X%20SS%22);%3C/s
cript%3E HTTP/2
Host: xxxxxxxxxxxxxxxx
User-Agent: curl/7.61.1
Accept: */*
authorization: Bearer
mV3ZWJzaiJS22kMajksXJYep0HbL1o1y1KyK2WBhMWM4NDF
iLTUwNWItNDgyMi1hMzQ3LWFlZDQ1NDMyYTM3MCIsInR5cC
I6IkpXVCJ9.eyJuYmYiOjE1ODA3ODc0MjcsImV4cCI6MTU4
YOIOQUAeKYwiaXNzIjoiaHR0cHM6Ly90ZXN02ZTIdGVycHJ
pc2Utc2VjdXJpdHktYXV0aG9yaXphdGlvbnNlcnZpY2UtYX
BpLnRlc3QtZTItZXh0ZXJuYWwtYXNlLnAuYXp1cmV3ZWJza
XRlcy5uZXQiLCJhdWQiOlsiaHR0cHM6Ly90ZXN0LWUyLWVu
dGVycHJpc2Utc2VjdXJpdHktYXV0aG9yaXphdGlvbnNlcnZ
pY2UtYXBpLnRlc3QtZTItZXh0ZXJuYWwtYXNlLnAuYXp1cm
V3ZWJzaXRlcy5uZXQvcmVzb3VyY2VzIiwiZGVmYXVsdCJdL
CJjbGllbnRfaWQiOiJTZWNvbmRTaWdodExhYi5QZW5UZXN0
IiwicGVybWlzc2lvbnMiOiIiLCJwZXh0ZXJuYWwtYXNlLnA
uYXp1cmV3ZWJA4YiIsImNsaWVudF9wYXJ0eV9tZW1iZXJfa
WQiOiI2ZTI4N2ZTIiNjhmLTQ3ODUtODZjYi1jODMzZDA1NW
MwOGIiLCJzY29wZSI6WyJkZWZhdWx0Il19.coFeQS3qID8u
zdr6chr3qnglflFIfLMCi0l5WMY6L22kMajksXJYep0HbL1
o1y1KyK2WmDD7DgVQiHsCmdbIi-FyN0LWUyK3-
JL6lTo0XjJAHTJ0MGVjdXJpdHktYXV0aG97_3FVGugq8WdY
IawaKoujd4N-3D06DirUlKKhYkA-
yGKGQmRm5vcT3WdXvChbieHa5ybSLUQ1oYP31X186NTN8NU
Nxs7pAS6P4bLM771LCRMrzmqUI2B-43oYr-
dr6cDZlM5R1TaVPQv-hSAwh-ztsHPhLMJN8K-
y5UOIOQUAeKY96hV4_RXPL2VzIiwiZGVYXVsdCJdLCBmXv0
Q x-correlation-id: 2slsightlabpentest
Content-Length: 988
Content-Type: application/x-www-form-urlencoded

19. #RSAC#RSAC
Another example
Auth injection – Problem #1
HTTP/2 403
date: Tue, 14 Feb 2020 03:37:43 GMT
content-type: application/json
content-length: 2244
x-amzn-requestid: xxxxxx
x-amzn-errortype: IncompleteSignatureException
x-amz-apigw-id: xxxxxx
{"message":"'mV3ZWJzaiJS22kMajksXJYep0HbL1o1y1KyK2WBhMWM4NDFiLTUw
NWItNDgyMi1hMzQ3LWFlZDQ1NDMyYTM3MCIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1
ODA3ODc0MjcsImV4cCI6MTU4YOIOQUAeKYwiaXNzIjoiaHR0cHM6Ly90ZXN02ZTId
GVycHJpc2Utc2VjdXJpdHktYXV0aG9yaXphdGlvbnNlcnZpY2UtYXBpLnRlc3QtZT
ItZXh0ZXJuYWwtYXNlLnAuYXp1cmV3ZWJzaXRlcy5uZXQiLCJhdWQiOlsiaHR0cHM
6Ly90ZXN0LWUyLWVudGVycHJpc2Utc2VjdXJpdHktYXV0aG9yaXphdGlvbnNlcnZp
Y2UtYXBpLnRlc3QtZTItZXh0ZXJuYWwtYXNlLnAuYXp1cmV3ZWJzaXRlcy5uZXQvc
mVzb3VyY2VzIiwiZGVmYXVsdCJdLCJjbGllbnRfaWQiOiJTZWNvbmRTaWdodExhYi
5QZW5UZXN0IiwicGVybWlzc2lvbnMiOiIiLCJwZXh0ZXJuYWwtYXNlLnAuYXp1cmV
3ZWJA4YiIsImNsaWVudF9wYXJ0eV9tZW1iZXJfaWQiOiI2ZTI4N2ZTIiNjhmLTQ3O
DUtODZjYi1jODMzZDA1NWMwOGIiLCJzY29wZSI6WyJkZWZhdWx0Il19.coFeQS3qI
D8uzdr6chr3qnglflFIfLMCi0l5WMY6L22kMajksXJYep0HbL1o1y1KyK2WmDD7Dg
VQiHsCmdbIi-FyN0LWUyK3-
JL6lTo0XjJAHTJ0MGVjdXJpdHktYXV0aG97_3FVGugq8WdYIawaKoujd4N-
3D06DirUlKKhYkA-
yGKGQmRm5vcT3WdXvChbieHa5ybSLUQ1oYP31X186NTN8NUNxs7pAS6P4bLM771LC
RMrzmqUI2B-43oYr-dr6cDZlM5R1TaVPQv-hSAwh-ztsHPhLMJN8K-
y5UOIOQUAeKY96hV4_RXPL2VzIiwiZGVYXVsdCJdLCBmXv0' not a valid
key=value pair (missing equal-sign) in Authorization header:
'Bearer
mV3ZWJzaiJS22kMajksXJYep0HbL1o1y1KyK2WBhMWM4NDFiLTUwNWItNDgyMi1hM
zQ3LWFlZDQ1NDMyYTM3MCIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1ODA3ODc0MjcsI
mV4cCI6MTU4YOIOQUAeKYwiaXNzIjoiaHR0cHM6Ly90ZXN02ZTIdGVycHJpc2Utc2
VjdXJpdHktYXV0aG9yaXphdGlvbnNlcnZpY2UtYXBpLnRlc3QtZTItZXh0ZXJuYWw
tYXNlLnAuYXp1cmV3ZWJzaXRlcy5uZXQiLCJhdWQiOlsiaHR0cHM6Ly90ZXN0LWUy
LWVudGVycHJpc2Utc2VjdXJpdHktYXV0aG9yaXphdGlvbnNlcnZpY2UtYXBpLnRlc
3QtZTItZXh0ZXJuYWwtYXNlLnAuYXp1cmV3ZWJzaXRlcy5uZXQvcmVzb3VyY2VzIi
wiZGVmYXVsdCJdLCJjbGllbnRfaWQiOiJTZWNvbmRTaWdodExhYi5QZW5UZXN0Iiw
icGVybWlzc2lvbnMiOiIiLCJwZXh0ZXJuYWwtYXNlLnAuYXp1cmV3ZWJA4YiIsImN
saWVudF9wYXJ0eV9tZW1iZXJfaWQiOiI2ZTI4N2ZTIiNjhmLTQ3ODUtODZjYi1jOD
MzZDA1NWMwOGIiLCJzY29wZSI6WyJkZWZhdWx0Il19.coFeQS3qID8uzdr6chr3qn
glflFIfLMCi0l5WMY6L22kMajksXJYep0HbL1o1y1KyK2WmDD7DgVQiHsCmdbIi-
FyN0LWUyK3-
JL6lTo0XjJAHTJ0MGVjdXJpdHktYXV0aG97_3FVGugq8WdYIawaKoujd4N-
3D06DirUlKKhYkA-
yGKGQmRm5vcT3WdXvChbieHa5ybSLUQ1oYP31X186NTN8NUNxs7pAS6P4bLM771LC
RMrzmqUI2B-43oYr-dr6cDZlM5R1TaVPQv-hSAwh-ztsHPhLMJN8K-
y5UOIOQUAeKY96hV4_RXPL2VzIiwiZGVYXVsdCJdLCBmXv0

20. #RSAC#RSAC
Another example
Auth injection - Problem #2

21. #RSAC#RSAC
Another example
Auth injection – Exploit.

22. #RSAC#RSAC
APIs
Fuzz all the things.

23. #RSAC#RSAC
Coverage
vs. stealth.

24. #RSAC#RSAC
All the rest
Every OWASP top 10 attack applies
OWASP Top 10
Injection
Broken Authentication
Sensitive Data Exposure
XXE
Broken Access Control
Security Misconfiguration
XSS
Insecure Deserialization
CVEs
Poor logging & monitoring

25. #RSAC#RSAC
MITRE AT&CK
For cloud.

26. #RSAC#RSAC
Persistence
How secure are your deployments?

27. #RSAC#RSAC
Infrastructure attack surface?
Everything your application uses.
IAM
Network
Storage
3rd-Party Code
Queues
API Gateway
CDN
DNS
cloud
provider

28. #RSAC#RSAC
IAM
SSRF, pivoting, escalation.

29. #RSAC#RSAC
Secrets in all the things
More places to hide.
Amazon S3
bucket
AWS CloudFormation

30. #RSAC#RSAC
Encryption
Doesn’t always save you.

31. #RSAC#RSAC
Network
What is exposed?

32. #RSAC#RSAC
3rd Party Code
Injection
Application

33. #RSAC#RSAC
Serverless Frameworks
Hosted data, insecure defaults, flaws

34. #RSAC#RSAC
API Gateway
Poor architecture and misconfigurations
Amazon
API Gateway

35. #RSAC#RSAC
CDN
Caches, unidentifiable traffic, bypass, CORS

36. #RSAC#RSAC
Lambda@Edge
Where are credentials cached?

37. #RSAC#RSAC
Authentication
What can you test?
Amazon
Cognito

38. #RSAC#RSAC
Databases
What happened to the DBAs?
SQL
NoSQL
Encryption
Transactions
Integrity
Reconciliation
Disaster Recovery
Network and IAM

39. #RSAC#RSAC
DNS
Subdomain takeover, packets, log issues
DOMAIN.3RDPARTY.COM
DOMAIN.COM
CNAME
DOMAIN.3RDPARTY.COM

40. #RSAC#RSAC
Deployment Systems
Who can deploy and how?

41. #RSAC#RSAC
Monitoring
Which service caused the error?

42. #RSAC#RSAC
Logs
Did you know there was an error?
AWS WAF
Amazon CloudFront
AWS Lambda
Amazon API Gateway
Amazon Route 53
Amazon VPC
AWS CloudTrail
Amazon Macie

43. #RSAC#RSAC
Threat Modeling
Thinking holistically about architecture.
Bucket
Website

44. #RSAC#RSAC
Demo
In action
Attack!

45. #RSAC#RSAC
Fix it
Architecture
 Threat modeling
 No replay attacks
 Limited Authorization
 Storage lifecycle
 Consider all paths
 Network access
 Segregation
 Defense in Depth

46. #RSAC#RSAC
Fix it
Deployment systems
 Automation
 Infrastructure as code
 Segregation of duties
 Deployment architecture
 Security checks
 Vulnerability scans
 Governance

47. #RSAC#RSAC
Fix it
Monitoring and Metrics
 Vulnerability scans
 Configuration tracking
 CIS Benchmarks
 DLP systems
 Data Lake / SIEM
 Incident response team
 Risk metrics

48. #RSAC#RSAC
Fix it
Train your decision makers.
 Network security
 Database integrity
 Application security
 Threat modeling
 Cloud configurations
 Cloud threats and breaches
 Application attacks

49. #RSAC#RSAC
In summary…
Serverless:
The same,
But different!

50. #RSAC#RSAC
Thank you!
Teri Radichel
@teriradichel
https://medium.com/cloud/security
https://2ndsightlab.com