Security Bloggers Network 

Hacking a Serverless Application (Demo)

by Ory Segal, PureSec CTO on September 7, 2018

In order to demonstrate the security risks and implications of an insecure serverless application, we created an AWS Lambda application, which contains a vulnerability, and on top of that, we applied an over-permissive AWS IAM role to the function. The two security issues can be exploited in order to exfiltrate sensitive corporate data.

Vulnerable Serverless Application Architecture

Description of the serverless application:

  • This is an HR application for filtering candidate CVs
  • The application was developed in Python
  • It uses the following AWS cloud services:
    • AWS SES
    • AWS SNS
    • AWS Lambda
    • DynamoDB
    • S3 / CloudFront (used for the internal HR web interface)
  • The normal flow of the application:
    • Candidate sends a CV in PDF file format to the HR email address
    • AWS SES receives the email with the attachment
    • SES creates an SNS message containing the email and the attachment
    • SNS invokes the Lambda function
    • Lambda function calls a CLI executable to transform PDF to text <– remote code execution is possible through the PDF filename field in the SNS event data that triggers the Lambda function
    • Text is stored in a DynamoDB table for analysis (automatic check for candidate qualification)
    • A receipt email is sent back to the candidate 

The two security risks in this application are:

  1. Function event-data injection (allowing remote code execution): insecure usage of the PDF filename (a field in the SNS event which triggers the AWS Lambda function) during the call to the PDF-to-text CLI executable
  2. Over-privileged IAM role is assigned to the function: instead of limiting the function to only DynamoDB:PutItem, the function is granted DynamoDB:* . This eventually enables the attacker to use the DynamoDB:Scan action and exfiltrate data

The movie starts by demonstrating legitimate usage of the application, and then the entire process of attacking the serverless application, from the initial probing for a vulnerability, through the reconnaissance phase, and ending with data exfiltration. 

*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/demo-hacking-a-serverless-application

Ory Segal, PureSec CTO ,