Abstract
The presentation will begin with a quick refresher on serverless functions and GraphQL applications. The author will deploy a serverless function with GraphQL to demonstrate.
The presentation, with demo, will also highlight some common attacks against serverless functions, namely:
- Function Data Event Injection
- Lateral Movement through Remote Code Execution on Function
- NoSQL Injection, specifically DynamoDB Injection
- ReDoS Attacks against Serverless functions, increasing the transaction fee per serverless invocation to large values (e.g. $3 per request)
Subsequently, the author will demonstrate attacks against GraphQL functions like:
- Authorization Bypass through Introspection
- Insecure Direct Object Reference Attacks
- NoSQL Injection Attacks
- Deserialization vulnerabilities
Finally, the presentation ends with the author demonstrating attacks against Serverless-GraphQL applications, where the author will use Remote Code Execution and DoS-style queries to demonstrate specific attacks leading to cloud API-based lateral movement and DoS leading to financial exhaustion.
All the while, the author will highlight some key deficiencies, namely the lack of tooling, of “batteries-included” security frameworks, and of DIY validation, that might exacerbate these flaws.
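As an added illustration of the "DIY validation" the abstract refers to (example code written for this page, not part of the talk or its demo), the following is a minimal pre-execution check for incoming GraphQL documents: it rejects queries whose selection sets nest deeper than a policy limit (the DoS-style, cost-amplifying queries mentioned above) and, when introspection is disabled, rejects documents that reach for `__schema` or `__type`. The depth limit, the function names and the sample queries are assumptions chosen for the example; a production deployment would use the GraphQL engine's own validation rules, but the point is that nothing does this for you by default.

```python
"""Added example: a small GraphQL query gatekeeper (depth limit + introspection block).

The names and the MAX_DEPTH policy value are assumptions for this example;
they are not from the talk or any specific framework.
"""
import re

MAX_DEPTH = 5  # assumed policy limit on selection-set nesting

# Crude token match for the two introspection roots; '_' is a word character,
# so \b works at '{ __schema' and '{__type'.
_INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def query_depth(query: str) -> int:
    """Return the deepest selection-set nesting in a GraphQL document.

    Braces inside string literals and '#' comments are ignored, so an
    argument such as name: "{x}" does not inflate the count.  Block strings
    (triple-quoted) are not specially handled in this minimal version.
    Raises ValueError for an unbalanced document.
    """
    depth = max_depth = 0
    in_string = in_comment = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_comment:
            if ch == "\n":
                in_comment = False
        elif in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == "#":
            in_comment = True
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced selection set")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced selection set")
    return max_depth


def validate_query(query: str, max_depth: int = MAX_DEPTH,
                   allow_introspection: bool = False) -> tuple[bool, str]:
    """Decide whether a query may be handed to the resolver layer.

    Returns (True, "ok") or (False, reason).  Order matters: a malformed
    document is rejected before any other check runs.
    """
    try:
        depth = query_depth(query)
    except ValueError:
        return False, "malformed query"
    if not allow_introspection and _INTROSPECTION.search(query):
        return False, "introspection disabled"
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample documents, not captured traffic.
    samples = [
        "{ user { id name } }",
        "{ __schema { types { name } } }",
        "{ node " * 9 + "{ id }" + " }" * 9,   # nested 10 deep
    ]
    for q in samples:
        print(validate_query(q))
```

Running the module prints one verdict per constructed sample: the plain query passes, the introspection query is refused, and the 10-deep nesting is refused for exceeding the limit. The depth counter is deliberately lexical rather than a full parser, which keeps it cheap to run before any resolver (and before any billable work) happens.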