A Purple Team View of Serverless and GraphQL Applications

Presented at Global AppSec - DC 2019, Sept. 13, 2019, 10:30 a.m. (45 minutes)

The presentation will begin with a quick refresher on serverless functions and GraphQL applications. The author will deploy a serverless function with GraphQL to demonstrate. The presentation, with demo, will also highlight some common attacks against serverless functions, namely:

  • Function Data Event Injection
  • Lateral Movement through Remote Code Execution on a Function
  • NoSQL Injection, specifically DynamoDB Injection
  • ReDoS Attacks against Serverless functions, increasing the transaction fee per serverless invoke to large values (e.g. $3 per request)

Subsequently, the author will demonstrate attacks against GraphQL functions like:

  • Authorization Bypass through Introspection
  • Insecure Direct Object Reference Attacks
  • NoSQL Injection Attacks
  • Deserialization vulnerabilities

Finally, the presentation ends with the author demonstrating attacks against Serverless-GraphQL applications, where the author will use Remote Code Execution and DoS-style queries to demonstrate specific attacks leading to cloud API-based lateral movement and to DoS leading to financial exhaustion. All the while, the author will highlight some key deficiencies in tooling, "batteries-included" security frameworks and DIY validation that might exacerbate these flaws.

Presenters:

  • Abhay Bhargav - we45
    Abhay Bhargav is the Founder of we45, a company focused on Application Security. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading "DevOps first" Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world's first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to his work in Application Security Automation, he has created "ThreatPlaybook", a unique open-source framework that marries Threat Modeling (as Code) with Application Security Automation. Abhay is also active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, AppSecEU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, AppSecEU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA 2019, SHACK and so on. He is also an accomplished speaker and speaks at several prestigious events worldwide. He writes on IT and IT Security-focused areas in his blog. Abhay is the author of two international publications, "Secure Java: For Web Application Development" and "PCI Compliance: A Definitive Guide".
