Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pentesting with Serverless Infrastructure

D935fc668d901fbb803fd5d8d0313c22?s=47 ropnop
December 12, 2018

Pentesting with Serverless Infrastructure

Developers are embracing serverless infrastructure for its low cost, flexibility, and quick deployments - security people should be too! In this talk, I'll cover a brief overview of serverless infrastructure, discuss the pros and cons of the major players, and then explain the benefits of using serverless functions to help when performing security testing. As a penetration tester and bug bounty hunter, it's extremely common to have to spin up disposable infrastructure using Virtual Private Servers to perform one-off functions like serving up PoCs or logging incoming data. However, by taking advantage of the free tiers for serverless architecture, we can move a lot of that functionality away from dedicated hardware and get free "infrastructrure" to launch attacks from. I will be demoing some of the examples from the "Serverless Toolkit for Pentesters" project I just open sourced, including serverless functions to help with payload hosting, SSRF redirecting, XXE Data Exfiltration, port scanning and DNS enumeration. All examples will take advantage of the awesome free tier with Zeit.co's Now.sh platform.



December 12, 2018


  1. Pentesting with Serverless Infrastructure Ronnie Flathers OWASP Chicago Dec 12,

    2018 @ropnop blog.ropnop.com /in/rflathers
  2. Agenda • What is “serverless”? • How can security professionals

    benefit? • Serverless Providers Pros/Cons • High level architecture • DEMOS!
  3. Why this talk? Security needs to stay up with the

    latest cloud and DevOps technologies Not just to understand their security concerns - but because they can actually help us do our jobs! Been doing a lot of pentesting and bug hunting recently - automation is key. Why waste manual cycles? Even if you’re not a pentester, hopefully these demos will show the value of using serverless functions in some aspect of your job Other potential uses: • Security unit testing • Continuous spidering/recon • Alerts on scan results • Canary alerting • ...anything else?
  4. “Serverless Infrastructure” Let’s be honest...“Serverless Infrastructure” is a silly term

    It’s applying legacy definitions to a new technology and missing the point Along the same lines as: • “Horseless Carriage” • “Radio with Pictures” The point is: servers are irrelevant, don’t think about them
  5. Function as a Service https://coin5s.com/content/servers-functions-serverless-story

  6. Serverless Benefits • For everyone: ◦ Write code once, run

    anywhere ◦ Don’t administer servers ◦ Don’t worry about scaling ◦ Don’t worry about networking ◦ Don’t worry about patching* ◦ Pay per on-demand usage • For pentesters: ◦ Cheap/free internet presence ◦ Trusted IP spaces (major cloud players) ◦ Full TLS, HTTP/2 “out of the box” ◦ Full control over HTTP request handling ◦ Easy spin-up/tear down I used to constantly spin up VPSs on DigitalOcean when pentesting, bug hunting for: • Serving up files and payloads • Listening for incoming requests (e.g. SSRF) • Exfiltrating data over HTTPS All possible with serverless functions! * Application vulns can still exist. Most of OWASP Top 10 still apply
  7. Serverless Providers AWS Lambda - tightly coupled with AWS; seamless

    integration with other AWS events/services; hard to “start from scratch” Supports: Java, Go, PowerShell, Node.js, C#, Python and Ruby Free Tier available (AWS account required) Google Cloud Functions - package.json support, gcloud CLI deployment, easily work with Chrome Headless (puppeteer) Supports: Node.js 6/8, Python 3 Free Tier available (GCP account required) Azure Functions - great .NET support (obviously), multiple deployment options (including CLI) Supports: C#, Node.js, F#, Java, Python Free Tier available (Azure account required) Cloudflare Workers - very fast spin-up time (V8 isolates vs containers), short execution time, JS the whole way down Supports: JavaScript, WebAssembly No Free Tier available Zeit.co Now - extremely developer friendly, great CLI tools, easy aliasing to custom domains Supports: Node.JS, Custom docker images Free Tier available - only email required
  8. Using Now.sh Only requires an email address to get started:

    $ npm install -g now $ now init Deploy static files, or package.json or Dockerfile $ now --public Free tier does not hide source code!! Use secrets for things you don’t want exposed $ now secret add dbpw P@ssW0rd! $ now -e DATABASE_PW=@dbpw
  9. Demo #1 Set Up Deploy static files As a pentester,

    I want to be able to quickly host and serve static files behind a globally trusted TLS cert and fast CDN Useful for: CSRF PoCs, XSS Payloads, malicious files https://github.com/ropnop/serverless_toolkit/tree/master/static_example
  10. Demo #2 Passing Environment Variables Simple Redirect As a pentester,

    to demonstrate a vulnerability I need to force a browser/client to make a redirect Useful for: SSRF, redirecting to file:// URI https://github.com/ropnop/serverless_toolkit/tree/master/simple_redirect
  11. Aliased Domains Each deployment gets a unique URL: https://staticexample-kzrmkaulwm.now.sh Aliasing

    custom URLs is easy: • Verify domain ownership with TXT record • Point CNAME record to alias.zeit.co $ now alias <deployment> friendly.example.com I use Cloudflare as DNS and reverse proxy Also helps with TLS. Now only supports TLS1.3, Cloudflare is more flexible Cloudflare Now now.rop.bz <deployment>.now.sh
  12. Logging and Storage Functions are ephemeral, the containers are destroyed

    as soon as they exit (or after 5 minutes) Now does expose the “/_logs” endpoint for console logging, but you should write somewhere more permanent if you want to keep it What else is free? Slack! Easy to implement webhooks for alerts, full API for files and uploads Notifications are great for payloads that might not trigger immediately (e.g. blind XSS) Targets HTTPS API/Webhooks Notification Attack
  13. Demo #2 SSRF Notifier Alert Slack if any request is

    received and reconstruct the original HTTP Listen for any incoming HTTP Request Send entire incoming request as a message to Slack Useful for: SSRF testing, Blind XSS testing, Canaries https://github.com/ropnop/serverless_toolkit/tree/master/ssrf_slack
  14. Demo #3 Data Dumper Accept binary POST data and upload

    to Slack file Useful for data exfiltration (e.g. through command injection) Use with curl --data-binary @filename https://github.com/ropnop/serverless_toolkit/tree/master/datadump
  15. Demo #4 Nmap Scan as a Service Using custom Docker

    images, it’s possible to run arbitrary binaries and wrap STDOUT in HTTP responses Useful for quickly seeing if a port is open from a diff. IP
  16. Demo #5 Full Shell Functions will run 5 minutes before

    getting destroyed Why not execute a full shell in the Docker container and share over Websockets with GoTTY? Useful for: it’s fun?
  17. Questions? @ropnop / rflathers@gmail.com https://blog.ropnop.com/serverless-toolkit-for-pentesters/ https://github.com/ropnop/serverless_toolkit Would love feedback /

    contributions / other ideas! Thank You!