Table of Contents
IAM and API Gateway
○ Components of IAM (users, roles, groups and policies)
○ Elements of IAM
○ Permission Boundary, Session Policy and SCPs
○ AWS Organizations
○ Policy Evaluation
○ IAM Enumeration with open-source tools
○ Abusing overly permissive permissions
○ Abusing dangerous policy combinations
○ Introduction to API Gateway
○ Enumerating API Gateway and understanding the policy authorization workflow
○ Bypassing authentication and attacking API Gateway
Serverless Application Stack
○ Understanding: what is serverless?
○ Differences between a traditional architecture and a serverless architecture stack
○ Introduction to AWS Lambda
■ Lambda Functions
■ Lambda Applications
■ Lambda Layers
■ Lambda alias routing
■ Custom Runtimes
Attack Vectors on Serverless Applications
○ Lambda Execution Environment
○ API Gateway Lambda Integration
○ Enumerating Lambda functions and layers
○ Event data injection
■ Command Injection
■ Server-side request forgery (SSRF)
■ Object deserialization attacks
○ Abusing AWS Lambda permissions
○ Lambda Runtime API
Post-exploitation threatscape
○ Leveraging Lambda functions for performing attacks
○ Abusing the temporary file system of the Lambda execution environment
○ Maintaining access to an AWS account using a Lambda backdoor
○ Retrieving application secrets, keys and credentials
Cloud Storage and DBs
○ Introduction to DynamoDB
■ Tables, Indexes, and Streams
</gl_replace>
<gr_replace lines="46" cat="clarify" orig="○ NoSQL and SQL attacks">
○ NoSQL and SQL attacks on DynamoDB-, MongoDB- and RDS-based applications
■ Partition key and sort key
■ CRUD Operations
■ PartiQL Support
○ Overview of RDS and DocumentDB
○ NoSQL and SQL attacks on DynamoDB, MongoDB and RDS based applications
○ Bypassing poorly implemented WAFs
○ Introduction to S3
■ Buckets and Objects
■ IAM Policies, Bucket Policies and Bucket Access Control Lists
■ Server-Side Encryption and Client-Side Encryption
○ Access Control Policy Evaluation
○ Enumerating public S3 buckets
○ Leveraging misconfigured bucket policies and ACPs
■ Anonymous/Authorized public read
■ Reading Policies and identifying object names
■ Overwriting bucket ACL, object ACL, and bucket policies
■ Performing denial of service
Testing Playgrounds
○ Parallels between AWS, Azure and GCP Services
○ Utilizing training concepts to attack vulnerable-by-design infrastructure on AWS, Azure and GCP
Student Requirements:
● Basic knowledge of computers and networking
● Familiarity with the Linux operating system
● An AWS account (a Free Tier eligible account will suffice)
Target Audience:
Pentesters, Developers, Cloud Administrators, AWS Security Enthusiasts and Researchers.
Venue & Time
Hall Name: Hall 3
Time: 4 Hours
Workshop Goal
With the advent of serverless computing, developers no longer have to worry about servers.
Infrastructure management tasks such as capacity provisioning and patching are handled by
the cloud service provider, allowing developers to focus on writing code.
Serverless architecture is often said to be more secure than traditional architecture. However,
this does not mean it cannot be attacked. This training is designed to give
cybersecurity and cloud professionals an understanding of how serverless computing works
and of the security risks that can arise in serverless environments.
Participants will learn about the different components of serverless architectures,
such as APIs, event triggers, and serverless functions, and how these components can be
attacked. The training focuses on attack vectors against the AWS serverless application stack.
The class will be conducted on our cloud-based, state-of-the-art lab platform, where attendees
complete lab exercises in class. Over 90% of class time will be spent on these hands-on
labs. Unlike most cloud trainings, attendees will not have to set up any resources in their
personal accounts.
About Speakers
Divya Nain is a Software Engineer at INE with a passion for cloud security and DevSecOps. He
is an active contributor to various open-source tools, including GCPGoat and AzureGoat. His
work has been featured at many international conferences, including DEF CON USA and Black Hat
Asia/USA. Divya's expertise in network pentesting was recognized at the Seasides Conference
in Goa, where he was a trainer for the network pentesting training session. He has extensive
experience working on cloud platforms such as Azure, AWS, and GCP.
Sherin Stephen is a Software Engineer at INE, where he creates cloud security labs and
maintains INE's cloud labs infrastructure. He is proficient in cloud security and development
on the AWS, GCP and Azure cloud platforms. His work has been featured at many international
conferences, including DEF CON USA and Black Hat Asia/USA. He is also one of the core contributors
to AzureGoat and GCPGoat, which were featured recently at Black Hat Asia 2023. His areas of expertise
include cloud security, web application security and development.