Pwning Serverless Applications - Red Rock V
Event Information
Description
Title: Pwning Serverless Applications
Instructor: Abhay Bargav
Abstract: Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Especially with widespread support from cloud vendors, this technology is only going to become more influential. However, like everything else, serverless apps are subject to a wide variety of attack possibilities, ranging from attacks against access control tech like Function Event Injection, JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc.) escalating privileges to other cloud components.
This workshop is replete with hands-on labs and presents a red-team perspective of the various ways in which testers can discover and exploit serverless applications to compromise sensitive information and gain a deeper foothold into cloud database services, IAM services and other cloud components. The workshop also features real-world serverless implementations, specifically to highlight the lack of frameworks, tooling and security mechanisms that makes secure implementation much harder for developers and, therefore, compromise easier for attackers.
Level: Beginner
Pre-Requisites: None
Required Materials: Laptop with ability to access WiFi networks.
Admin/Root access to an AWS Account. Free Tier works.