Hacking a Serverless Application (Demo)

In order to demonstrate the security risks and implications of an insecure serverless application, we created an AWS Lambda application, which contains a vulnerability, and on top of that, we applied an over-permissive AWS IAM role to the function. The two security issues can be exploited in order to exfiltrate sensitive corporate data.

Vulnerable Serverless Application Architecture

Description of the serverless application:

  • This is an HR application for filtering candidate CVs
  • The application was developed in Python
  • It uses the following AWS cloud services:
    • AWS SES
    • AWS SNS
    • AWS Lambda
    • DynamoDB
    • S3 / CloudFront (used for the internal HR web interface)
  • The normal flow of the application:
    • Candidate sends a CV in PDF file format to the HR email address
    • AWS SES receives the email with the attachment
    • SES creates an SNS message containing the email and the attachment
    • SNS invokes the Lambda function
    • Lambda function calls a CLI executable to transform PDF to text <– remote code execution is possible through the PDF filename field in the SNS event data that triggers the Lambda function
    • Text is stored in a DynamoDB table for analysis (automatic check for candidate qualification)
    • A receipt email is sent back to the candidate 

The two security risks in this application are:

  1. Function event-data injection (allowing remote code execution): insecure usage of the PDF filename (a field in the SNS event which triggers the AWS Lambda function) during the call to the PDF-to-text CLI executable
  2. Over-privileged IAM role is assigned to the function: instead of limiting the function to only DynamoDB:PutItem, the function is granted DynamoDB:* . This eventually enables the attacker to use the DynamoDB:Scan action and exfiltrate data

The movie starts by demonstrating legitimate usage of the application, and then the entire process of attacking the serverless application, from the initial probing for a vulnerability, through the reconnaissance phase, and ending with data exfiltration. 

*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: