Abstract

Serverless Technology (Functions as a Service) is fast becoming the next “big thing” in the world of distributed applications. Especially with widespread support from cloud vendors, this technology is going to only become more influential. However, like everything else, Serverless apps are subject to a a wide variety of attack possibilities, ranging from attacks against access control tech like Function Event Injection, JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc) escalating privileges to other cloud components. GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. GraphQL is slowly negating the need for REST APIs from being developed. The convergence of serverless functions and graphic provides attackers with some unique attack possibilities that can lead to lateral movement across Cloud APIs or financial attacks (DoS) that can literally run organizations out of business This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other cloud components. The talk also features real-world serverless and graphql implementations, specifically to highlight the lack of frameworks, tooling and security mechanisms that makes life much harder for developers to implement, therefore, easier for attackers to compromise