Slide 1

Pentesting with Serverless Infrastructure
Ronnie Flathers
OWASP Chicago, Dec 12, 2018
@ropnop | blog.ropnop.com | /in/rflathers

Slide 2

Agenda
● What is “serverless”?
● How can security professionals benefit?
● Serverless providers: pros/cons
● High-level architecture
● DEMOS!

Slide 3

Why this talk?
Security needs to keep up with the latest cloud and DevOps technologies, not just to understand their security concerns, but because they can actually help us do our jobs!
I’ve been doing a lot of pentesting and bug hunting recently, and automation is key. Why waste manual cycles?
Even if you’re not a pentester, hopefully these demos will show the value of using serverless functions in some aspect of your job.
Other potential uses:
● Security unit testing
● Continuous spidering/recon
● Alerts on scan results
● Canary alerting
● ...anything else?

Slide 4

“Serverless Infrastructure”
Let’s be honest... “Serverless Infrastructure” is a silly term.
It’s applying legacy definitions to a new technology and missing the point.
Along the same lines as:
● “Horseless Carriage”
● “Radio with Pictures”
The point is: servers are irrelevant, don’t think about them.

Slide 5

Function as a Service
https://coin5s.com/content/servers-functions-serverless-story

Slide 6

Serverless Benefits
● For everyone:
  ○ Write code once, run anywhere
  ○ Don’t administer servers
  ○ Don’t worry about scaling
  ○ Don’t worry about networking
  ○ Don’t worry about patching*
  ○ Pay per on-demand usage
● For pentesters:
  ○ Cheap/free internet presence
  ○ Trusted IP spaces (major cloud players)
  ○ Full TLS, HTTP/2 “out of the box”
  ○ Full control over HTTP request handling
  ○ Easy spin-up/tear-down
I used to constantly spin up VPSs on DigitalOcean when pentesting or bug hunting, for:
● Serving up files and payloads
● Listening for incoming requests (e.g. SSRF)
● Exfiltrating data over HTTPS
All possible with serverless functions!
* Application vulns can still exist. Most of the OWASP Top 10 still applies.

Slide 7

Serverless Providers
AWS Lambda - tightly coupled with AWS; seamless integration with other AWS events/services; hard to “start from scratch”
  Supports: Java, Go, PowerShell, Node.js, C#, Python and Ruby
  Free Tier available (AWS account required)
Google Cloud Functions - package.json support, gcloud CLI deployment, easily works with Chrome Headless (puppeteer)
  Supports: Node.js 6/8, Python 3
  Free Tier available (GCP account required)
Azure Functions - great .NET support (obviously), multiple deployment options (including CLI)
  Supports: C#, Node.js, F#, Java, Python
  Free Tier available (Azure account required)
Cloudflare Workers - very fast spin-up time (V8 isolates vs. containers), short execution time, JS the whole way down
  Supports: JavaScript, WebAssembly
  No Free Tier available
Zeit.co Now - extremely developer friendly, great CLI tools, easy aliasing to custom domains
  Supports: Node.js, custom Docker images
  Free Tier available - only an email address required

Slide 8

Using Now.sh
Only requires an email address to get started:
$ npm install -g now
$ now init
Deploy static files, a package.json project, or a Dockerfile:
$ now --public
Free tier does not hide source code!! Use secrets for things you don’t want exposed:
$ now secret add dbpw P@ssW0rd!
$ now -e DATABASE_PW=@dbpw

Slide 9

Demo #1: Set Up, Deploy Static Files
As a pentester, I want to be able to quickly host and serve static files behind a globally trusted TLS cert and a fast CDN.
Useful for: CSRF PoCs, XSS payloads, malicious files
https://github.com/ropnop/serverless_toolkit/tree/master/static_example

Slide 10

Demo #2: Passing Environment Variables, Simple Redirect
As a pentester, to demonstrate a vulnerability I need to force a browser/client to follow a redirect.
Useful for: SSRF, redirecting to a file:// URI
https://github.com/ropnop/serverless_toolkit/tree/master/simple_redirect

Slide 11

Aliased Domains
Each deployment gets a unique URL: https://staticexample-kzrmkaulwm.now.sh
Aliasing custom URLs is easy:
● Verify domain ownership with a TXT record
● Point a CNAME record to alias.zeit.co
$ now alias friendly.example.com
I use Cloudflare as DNS and reverse proxy. It also helps with TLS: Now only supports TLS 1.3, Cloudflare is more flexible.
(Diagram: Cloudflare in front of Now: now.rop.bz → .now.sh)

Slide 12

Logging and Storage
Functions are ephemeral: the containers are destroyed as soon as they exit (or after 5 minutes).
Now does expose the “/_logs” endpoint for console logging, but you should write somewhere more permanent if you want to keep it.
What else is free? Slack!
Webhooks for alerts are easy to implement, and there is a full API for files and uploads.
Notifications are great for payloads that might not trigger immediately (e.g. blind XSS).
(Diagram: Attack → Targets → HTTPS → API/Webhooks → Notification)

Slide 13

Demo #2: SSRF Notifier
Alert Slack if any request is received and reconstruct the original HTTP request:
● Listen for any incoming HTTP request
● Send the entire incoming request as a message to Slack
Useful for: SSRF testing, blind XSS testing, canaries
https://github.com/ropnop/serverless_toolkit/tree/master/ssrf_slack

Slide 14

Demo #3: Data Dumper
Accept binary POST data and upload it to Slack as a file.
Useful for: data exfiltration (e.g. through command injection)
Use with: curl --data-binary @filename
https://github.com/ropnop/serverless_toolkit/tree/master/datadump

Slide 15

Demo #4: Nmap Scan as a Service
Using custom Docker images, it’s possible to run arbitrary binaries and wrap their STDOUT in HTTP responses.
Useful for: quickly seeing if a port is open from a different IP

Slide 16

Demo #5: Full Shell
Functions will run for 5 minutes before getting destroyed.
Why not execute a full shell in the Docker container and share it over WebSockets with GoTTY?
Useful for: it’s fun?

Slide 17

Questions?
@ropnop / rfl[email protected]
https://blog.ropnop.com/serverless-toolkit-for-pentesters/
https://github.com/ropnop/serverless_toolkit
Would love feedback / contributions / other ideas!
Thank You!