Skip to content

Lab documentation for SaintCon 2019 workshop, "I Can't Be Hacked, I'm Serverless!"

Notifications You must be signed in to change notification settings

klustic/sc19-lab-docs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

I Can't Be Hacked, I'm Serverless

Introduction

With server hardware, operating system, and interpreter managed by a cloud provider, the devops engineer's primary security concern is application security.

The OWASP Top Ten list has long been a staple when understanding trends in web application security risks. OWASP has built on that program by translating those risks to the serverless environment. These labs demonstrate exploitation of many of the OWASP Top Ten 2017 - Serverless vulnerabilities.

Setup

You should be able to do most of this work with your browser and a text editor.

The later labs will require Python (2.7) to be installed:

For cryptographic work (e.g. hashing) and other data translations, you can probably get by using CyberChef.

Premise

These labs traverse a series of vulnerabilities in a serverless To Do List, which allows you to

  • Create different lists for your tasks
  • Export/Import your tasks
  • Mark tasks "complete" and remove them from the list entirely

You will learn the vulnerabilities as you go, and eventually capture a flag from the environment as you achieve remote code execution on the application's container!

This lab is implemented in AWS Lambda.

Labs

  • Lab 1: Application familiarity
  • Lab 2: File disclosure
  • Lab 3: Code execution
  • Lab 4: Serverless injection

Vulnerabilities covered

Designation Description Covered in
A1:2017 Injection Lab 4
A2:2017 Broken Authentication Lab 3
A3:2017 Sensitive Data Exposure Lab 2
A4:2017 XML External Entities (XXE) Lab 2
A5:2017 Broken Access Control Lab 3 (extra credit)
A6:2017 Security Misconfiguration Lab 2
A7:2017 Cross-Site Scripting (XSS) Lab 1
A8:2017 Insecure Deserialization Lab 3
A9:2017 Using Components with Known Vulnerabilities Lab2
A10:2017 Insufficient Logging/Monitoring Lab4

About

Lab documentation for SaintCon 2019 workshop, "I Can't Be Hacked, I'm Serverless!"

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published