Sharath Kumar Ramadas
Serverless technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all. With widespread support from cloud vendors, it is only going to become more influential. However, like everything else, serverless apps are subject to a wide variety of attacks, ranging from attacks against access-control technology such as JWTs, to NoSQL injection, to exploits against the apps themselves (deserialization, etc.) that escalate privileges to other cloud components.
GraphQL (an API query language), on the other hand, is the natural companion to serverless apps: traditional REST APIs are replaced with GraphQL to provide greater flexibility, richer query parameterization and speed. GraphQL is slowly removing the need to develop REST APIs at all. Combined with serverless tech and reactive front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks including, but not limited to, injection attacks, nested resource exhaustion attacks and authorization flaws.
This talk presents a red-team perspective on the various ways in which testers can discover and exploit serverless and/or GraphQL-driven applications to compromise sensitive information and gain a deeper foothold in database services, IAM services and other cloud components. The talk includes demos of practical attacks and attack possibilities against serverless and GraphQL applications. The author will release an intentionally vulnerable serverless and GraphQL app at the end of the talk for the benefit of the audience and the security community at large.
5. Singapore | 28 Feb - 01 Mar 2019
Serverless
• Functions deployed as ephemeral containers/VMs
• Functions As A Service (FAAS)
• Event trigger architecture
• Supports major runtimes: Python, NodeJS, C#, Go, Ruby
• Custom runtimes also supported
Why Serverless?
• Pay per usage
• No server management
• Microservices Friendly
• Auto-Scalable
• Focus on code/features, don’t worry about servers
An Attacker’s View
• Functions are still code
• No frameworks involved
• Functions triggered by events increase the attack surface
• Developers are new to servers
• Still needs configuration
Attackers are Snipers!
• Aimed
• Committed
• Patient
• Invisible
• Take a clear shot
Extensive Privileged Functions
• Functions with extensive privileges lead to infrastructure compromise
• Cloud providers store secrets in plain text
• Misconfigured roles can lead to wide spectrum of attacks
• Events are most vulnerable due to lack of authentication and authorization
• The pay-per-usage model turns out to be expensive
Serverless Top 10
• Event data injection
• Broken Authentication
• Insecure deployment configuration
• Over privileged function permissions & roles
• Inadequate function monitoring and logging
• Insecure 3rd party dependencies
• Insecure application secrets storage
• DoS and financial resource exhaustion
• Function Execution Flow Manipulation
• Improper Exception Handling and Verbose Error Messages
Serverless (Security) Best Practices
• Functions with minimal access credentials
• Remove insecure dependencies before production
• Run SAST scans before code commit
• Restrict memory usage for a function
• Encrypt secrets; avoid storing them in environment variables
• Use the FaaS provider’s authorization for access control (ex: AWS Cognito)
• Write security test cases and run in CI/CD
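The "Extensive Privileged Functions" slide and the best practice "functions with minimal access credentials" come down to the execution role attached to each function. The following is an added example, not code from the talk or from the DVFaaS project: a small audit routine that flags the patterns a reviewer looks for first in an IAM-style policy (`Action: "*"`, service-wide `service:*` actions, `Resource: "*"`, and IAM write actions that would let a function broaden its own role). The policy shape follows the AWS IAM JSON format; both sample policies and the account/ARN values in them are constructed.

```javascript
// Added example (not from the talk or DVFaaS): flag over-privileged execution-role policies.
// The policy shape follows the AWS IAM JSON document format; sample policies are constructed.

function asArray(v) {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Returns a list of findings (strings). An empty list means nothing was flagged.
function auditPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements only narrow access
    const actions = asArray(stmt.Action);
    const resources = asArray(stmt.Resource);

    for (const a of actions) {
      if (a === '*') {
        findings.push(`statement ${i}: allows every action ("*")`);
      } else if (a.endsWith(':*')) {
        findings.push(`statement ${i}: allows every action of service ${a.split(':')[0]}`);
      } else if (/^iam:(Attach|Put|Create|Pass)/.test(a)) {
        // e.g. iam:AttachRolePolicy, iam:PutRolePolicy, iam:CreatePolicyVersion, iam:PassRole:
        // a function holding these can grant itself (or a new role) more access.
        findings.push(`statement ${i}: grants IAM write action ${a}`);
      }
    }
    if (resources.includes('*')) {
      findings.push(`statement ${i}: applies to every resource ("*")`);
    }
  });
  return findings;
}

// Constructed: the "make it work" role that turns one function bug into account compromise.
const overPrivileged = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }],
};

// Constructed: the same function scoped to the one table and one log group it actually needs.
const minimal = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:PutItem'],
      Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/orders',
    },
    {
      Effect: 'Allow',
      Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
      Resource: 'arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-fn:*',
    },
  ],
};

console.log(auditPolicy(overPrivileged)); // two findings: action "*" and resource "*"
console.log(auditPolicy(minimal));        // []
```

Running this over every function's role in CI (the deck's "write security test cases and run in CI/CD") catches the wildcard roles before deployment; it is a string-level check, so a policy that is scoped by ARN but still broader than the function needs will pass and still has to be reviewed by hand.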
@sharathkramadas
GraphQL
• A query language for APIs
• Tech from Facebook
• Query what you want; forget about the ‘REST’
• Single endpoint for API calls
• Lightweight
An Attacker’s View
• No response size limiting
• Introspection is nice!
• Single endpoint access control
Demo
Want to get more powers!
Mass Assignment
• Frameworks allow saving the raw dump of HTTP request data
• Attackers can guess the sensitive fields
• Sensitive fields can allow privilege escalation
• GraphQL has introspection enabled by default
• Introspection leaks the sensitive fields information
• GraphQL supports JSON Scalar
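The mass-assignment chain on this slide (a JSON scalar argument, a resolver that writes the raw object through, and introspection revealing a field such as `role`) is easiest to see with the resolver written both ways. This is an added example, not code from the talk or from DVFaaS; the in-memory store, the `role` field and the `UpdateProfileInput` type are constructed for the demo.

```javascript
// Added example (not from the talk or DVFaaS): one "update my profile" resolver, two ways.
//
// Vulnerable schema shape (JSON scalar; every key the client sends reaches the resolver):
//   type Mutation { updateProfile(input: JSON!): User }
// Hardened schema shape (explicit input type; unknown fields fail GraphQL validation):
//   input UpdateProfileInput { name: String, email: String }
//   type Mutation { updateProfile(input: UpdateProfileInput!): User }

// Constructed store: one user whose `role` must only be changed by an admin path.
function makeStore() {
  return new Map([[1, { id: 1, name: 'alice', email: 'alice@example.com', role: 'user' }]]);
}

// Vulnerable: the raw request object is merged into the record, so a guessed
// (or introspection-revealed) field such as `role` is persisted as sent.
function updateProfileVulnerable(args, ctx) {
  const user = ctx.users.get(ctx.userId);
  Object.assign(user, args.input);
  return user;
}

// Hardened: copy only the fields the input type declares and reject anything else,
// so the resolver stays safe even if the transport layer let an extra key through.
const UPDATE_PROFILE_FIELDS = ['name', 'email'];

function updateProfileHardened(args, ctx) {
  const user = ctx.users.get(ctx.userId);
  const unknown = Object.keys(args.input).filter((k) => !UPDATE_PROFILE_FIELDS.includes(k));
  if (unknown.length > 0) {
    throw new Error(`updateProfile: unknown field(s) ${unknown.join(', ')}`);
  }
  for (const field of UPDATE_PROFILE_FIELDS) {
    if (field in args.input) user[field] = args.input[field];
  }
  return user;
}

// Constructed request: a legitimate name change with an extra `role` key alongside it.
const smuggled = { input: { name: 'bob', role: 'admin' } };

const ctxVulnerable = { userId: 1, users: makeStore() };
console.log(updateProfileVulnerable(smuggled, ctxVulnerable).role); // "admin"

const ctxHardened = { userId: 1, users: makeStore() };
try {
  updateProfileHardened(smuggled, ctxHardened);
} catch (e) {
  console.log(e.message); // updateProfile: unknown field(s) role
}
console.log(ctxHardened.users.get(1).role); // "user"
```

With a real GraphQL server and a declared `UpdateProfileInput`, the unknown field is rejected at validation time before the resolver runs; the allowlist inside the resolver is the defence-in-depth layer for the case where the schema later grows a `JSON` scalar again.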
Resource Exhaustion
• aka Denial-Of-Service attack
• Overwhelming the server with requests to crash it
• Causes memory leaks and resource exhaustion
• Serverless + GraphQL = (pay per usage + scale)
• 2 million requests * 3 dollars per query = (I will leave it to your imagination!)
GraphQL (Security) Best Practices
• Disable introspection
• Disable playground in production
• Limit the query size
• Depth limiting for nested queries
• Avoid JSON scalars; use input types
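"Limit the query size" and "depth limiting for nested queries" are the two controls that blunt the resource-exhaustion slide above (pay-per-usage plus auto-scaling means an unbounded nested query is a bill, not just an outage). The following is an added example, not code from the talk or from DVFaaS: a guard that runs before the GraphQL document is executed and rejects documents that are too large or nest selection sets too deeply. It works on the raw query text, so it needs no GraphQL library; the limits, the `nestedFriends` builder and the `user`/`friends` fields are constructed for the demo.

```javascript
// Added example (not from the talk or DVFaaS): size and depth guard for incoming GraphQL text.
// Limits and sample queries are constructed.

// Deepest nesting of `{ ... }` in the document, ignoring braces inside strings and comments
// so that an argument value such as `term: "{{{{"` cannot inflate or deflate the count.
function selectionDepth(query) {
  let depth = 0;
  let deepest = 0;
  let i = 0;
  while (i < query.length) {
    const c = query[i];
    if (query.startsWith('"""', i)) {            // block string """..."""
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
    } else if (c === '"') {                      // ordinary string, honours \" escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else if (c === '#') {                      // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else {
      if (c === '{') { depth++; if (depth > deepest) deepest = depth; }
      else if (c === '}') depth--;
      i++;
    }
  }
  return deepest;
}

// Returns { ok: true, bytes, depth } or { ok: false, reason } for the caller to turn into a 4xx.
function guardQuery(query, limits = { maxBytes: 2048, maxDepth: 6 }) {
  const bytes = new TextEncoder().encode(query).length;
  if (bytes > limits.maxBytes) {
    return { ok: false, reason: `query is ${bytes} bytes, limit is ${limits.maxBytes}` };
  }
  const depth = selectionDepth(query);
  if (depth > limits.maxDepth) {
    return { ok: false, reason: `selection depth ${depth} exceeds limit ${limits.maxDepth}` };
  }
  return { ok: true, bytes, depth };
}

// Constructed query builder: user -> friends -> friends -> ... -> name, with n levels of friends.
function nestedFriends(n) {
  return '{ user(id: "1") ' + '{ friends '.repeat(n) + '{ name }' + ' }'.repeat(n) + ' }';
}

console.log(guardQuery(nestedFriends(2)));  // { ok: true, bytes: ..., depth: 4 }
console.log(guardQuery(nestedFriends(20))); // { ok: false, reason: 'selection depth 22 exceeds limit 6' }
```

The text-level count is deliberately conservative: braces in object-literal arguments also count toward depth, and depth reached through fragment spreads is not followed, so a production server should enforce the same limit as an AST validation rule (the `graphql-depth-limit` package does this for graphql-js) and keep this guard as the cheap first gate in front of the function.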
Hack It Yourself!
https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
Things to consider
• OWASP Top 10
• Serverless Top 10
• SAST and SCA tools
• Threat-Modeling
Key Takeaways
• Serverless security is still an application security problem
• Roles and permissions should be well thought out
• Secure coding practices need to be followed
• Resource limits are highly recommended
Thank You
@sharathkramadas