WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

Is Your Serverless App Secure?

In the last few months, I conducted multiple sessions on serverless security for serverless developers, DevOps folks and realized the wrong…

In the past few months, I’ve hosted several sessions on serverless security for serverless developers and DevOps folks. What I’ve realized during these sessions is that there are quite a few inaccurate assumptions that developers are making.

Most of the developers I interacted with **assumed that **their serverless applications are secure by default because:

  1. There is no managed server

  2. The Serverless App uses HTTPS

  3. The Serverless Provider takes care of security

Is that really true? Just because the application doesn’t use a managed server, means its secure?

The answer to this is — No. Serverless applications impose similar risks as traditional web applications. As there is no managed server, it minimizes vulnerability management/patching of managed server part but rest risks are applicable.

Let’s understand the attack scenarios with 4 practical examples:

[**Note: **All the below attacks are performed in the test AWS account. Do not set up vulnerable apps/setups in prod AWS accounts. Read more about AWS Pentesting best practices here.]

1. Information Gathering

The first step is knowing that the application you are accessing is serverless! While performing a pentest, check for default exceptions thrown by the application. In the below screenshot, you can see the default exception at **/var/task **which is a location for the lambda functions at the server-side.

Serverless1-3 Improper Exception Handling in Serverless App

Another example could be fuzzing endpoints through burp suite/proxy tool as below:

Serverless2-1 Improper Exception Handling in Serverless App

The above screenshots throw default exceptions and give us details about serverless / lambda service at server-side. Next step is exploiting it:

2. Reverse Engineering Lambda Function

The server-side code / Lambda function could be accessed from the end-user by exploiting the injection attacks at the application layer.

Below is one example of accessing Lambda Function from the end-user side:

Serverless3-1 Dumping Lambda Code using Command Injection Vulnerability in Serverless App

3. Broken Authentication

Have you ever found a lack of rate-limiting protection in a web application? If yes, then you might observe the same in a serverless application as well!

The below screenshot shows a successful brute force attack on a serverless app endpoint for credit card numbers:

Serverless4-1

4. Listing IAM Users / Compromising AWS Account

Using a command injection vulnerability, it’s also possible to dump environment variables as shown below:

Serveless5-1 Dumping Environment Variables in Serverless App

Once you get the Session Token, Secret Access Key, and Access Key, you can configure them in your system using ‘export’ command and then use **AWS CLI **(AWS Command Line Interface) to make AWS calls.

Now you can use #aws sts get-caller-identity to get role information. If roles are not properly defined or have extra permissions, then you can try out other commands like #aws iam list-users

Serverless6-1 Listing IAM Users

The demonstrated attacks above are just a high-level overview of serverless exploitation. There could be multiple attack vectors and entry points based on the type of application.

Conclusion

Just because it is a serverless application doesn’t mean that it is secure! If you take a look at **OWASP Serverless Top 10, **you will notice that all attacks applicable to traditional web applications are also applicable to the serverless apps.

So it's important to follow security best practices while developing a serverless application and make sure that your app is regularly reviewed by security teams.

Read more on this topic and see a real world example of how pentesting can support a cloud environment's security.

References

  1. OWASP ServerlessGoat

  2. A Damn Vulnerable Serverless Application

Back to Blog
About Cobalt
Cobalt combines talent and technology to provide end-to-end offensive security solutions that enable organizations to remediate risk across a dynamically changing attack surface. As the innovators of Pentest as a Service (PtaaS), Cobalt empowers businesses to optimize their existing resources, access an on-demand community of trusted security experts, expedite remediation cycles, and share real-time updates and progress with internal teams to mitigate future risk. More By Cobalt
Introduction to Serverless Vulnerabilities
Core Pentester Harsh Bothra introduces us to serverless vulnerabilities. He reviews the top 10 vulnerabilities and concludes with how to remediate them.
Blog
Nov 23, 2022