Hacking a Serverless Application (Demo)

To demonstrate the security risks and implications of an insecure serverless application, we built an AWS Lambda application that contains a vulnerability and, on top of that, assigned the function an over-permissive AWS IAM role. Together, these two security issues can be exploited to exfiltrate sensitive corporate data.

Vulnerable Serverless Application Architecture

Description of the serverless application:

  • This is an HR application for filtering candidate CVs
  • The application was developed in Python
  • It uses the following AWS cloud services:
    • AWS SES
    • AWS SNS
    • AWS Lambda
    • DynamoDB
    • S3 / CloudFront (used for the internal HR web interface)
  • The normal flow of the application:
    • Candidate sends a CV in PDF file format to the HR email address
    • AWS SES receives the email with the attachment
    • SES creates an SNS message containing the email and the attachment
    • SNS invokes the Lambda function
    • Lambda function calls a CLI executable to transform the PDF to text <- remote code execution is possible through the PDF filename field in the SNS event data that triggers the Lambda function
    • Text is stored in a DynamoDB table for analysis (automatic check for candidate qualification)
    • A receipt email is sent back to the candidate

The two security risks in this application are:

  1. Function event-data injection (allowing remote code execution): insecure use of the PDF filename (a field in the SNS event that triggers the AWS Lambda function) when building the call to the PDF-to-text CLI executable
  2. Over-privileged IAM role assigned to the function: instead of limiting the function to only DynamoDB:PutItem, the function is granted DynamoDB:*. This eventually lets the attacker use the DynamoDB:Scan action and exfiltrate data
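Added here as an illustration of the two fixes the risks above imply, not code from the PureSec demo: the shell-string pattern behind the first risk, a hardened handler that allow-lists the attachment name and invokes the converter without a shell, and the single-action IAM statement the second risk calls for. The CLI name `pdftotext`, the work directory, the table name and the ARN placeholders are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumed names (not from the demo): the converter binary and its work directory.
PDF_TO_TEXT = "pdftotext"
WORK_DIR = Path("/tmp")
# Allow-list: a plain base name of safe characters ending in .pdf.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pdf$")


def vulnerable_command(name: str) -> str:
    """The pattern behind risk 1: the event-supplied filename is spliced into a
    shell string, so the shell interprets anything the sender puts in it."""
    return "%s %s" % (PDF_TO_TEXT, name)  # never run; shown only for contrast


def safe_filename(name: str) -> bool:
    """Reject path separators, traversal and shell metacharacters by
    accepting only the allow-listed shape above."""
    return bool(SAFE_NAME.match(name)) and ".." not in name


def build_command(name: str) -> list:
    """Hardened form: validate first, then pass argv as a list. Without
    shell=True the filename is a single argument, never parsed by a shell."""
    if not safe_filename(name):
        raise ValueError("rejected attachment name: %r" % name)
    src = WORK_DIR / name
    return [PDF_TO_TEXT, str(src), str(src.with_suffix(".txt"))]


def convert(name: str) -> str:
    """Run the converter on a validated attachment and return the text."""
    subprocess.run(build_command(name), check=True, timeout=30)
    return (WORK_DIR / name).with_suffix(".txt").read_text()


# Risk 2 fix: the role gets exactly the one action on exactly the one table.
# REGION, ACCOUNT_ID and the table name are placeholders.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/CandidateCVs",
    }],
}
```

With the allow-list in place the injected name is refused before any process is spawned, and a `Scan` from the function's credentials fails because the role was never granted it.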

The video starts by demonstrating legitimate usage of the application, then shows the entire process of attacking it: initial probing for a vulnerability, the reconnaissance phase, and finally data exfiltration.

This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/demo-hacking-a-serverless-application