Hacking Serverless Applications: A Treasure Map for Uncharted Waters

BSides NYC · 2023 · 48:02 · Published 2023-06
Category: Technical
Style: Talk
About this talk
Serverless technology eliminates the need for development teams to provision servers, passing the responsibility for some security threats to the cloud provider and freeing up developers to concentrate on building logic and producing value quickly. But even without servers, serverless functions still execute code, and if that is not done right it can lead to a cloud disaster. In this talk, we will discuss common risks and challenges in serverless environments. I will introduce techniques used by attackers to exploit serverless apps in unconventional ways. I will also demonstrate exploits of a recently discovered CVE targeting cloud functions.
Transcript [it]

Applications have moved from the legacy monolithic application to microservices: systems made of many microservices that communicate with each other through events or API calls, in event-driven architectures.

The deployment process also changes. We no longer have semantic versioning of the whole application; we don't talk anymore about version 1.0 of the application, because every component is upgraded on its own, many times a day and at different times.

This is what DevOps was about, and of course now DevSecOps: introducing into the process that deploys, installs and upgrades the application all the security verification that is needed.

It also changes the development process, moving from a top-down process to a bottom-up one that gives more responsibility to the teams.

Google Trends (sorry, it is in Italian) shows how many people are looking for serverless: you can see the blue line going up. But what about serverless security? The security responsibility remains with the people who make this application work.

Put together, these are the components that make the application. Inside the AWS diagram, the orange ones are the Lambda functions; the purple nodes represent the REST APIs, exposed internally or to the internet; the pink ones are the queue systems that allow the different components to communicate.

The difference from legacy applications is this. Legacy applications, or microservices installed on traditional infrastructure, have a well-defined network: an internal application subnet, a web application subnet, a DMZ with the load balancer, the perimeter firewall, a web application firewall and other kinds of security appliances. Take an application that needs to upload a file, for example a form that lets the organization handle papers. In the legacy application you connect through the web application firewall, reach the web application server, then the application server, and the legacy application stores the file inside the storage server. In the serverless application, every single service is exposed, or potentially exposed, to the internet: when you want to upload your paper, you communicate with the service provider directly from the internet.

You can see here twenty lines of code. I want to focus only on one thing: this Lambda and the tables it works on. This is the line on which DynamoDB operates on all the tables inside my demo account (the account is the number you see). The permission is far too large for what this Lambda needs: I only need to write to one single table. So, following the least-privilege approach, I changed the permission to give only that. After this change, this Lambda is not able anymore to read the content of the table.

Security assessment: remember the infrastructure. You have many Lambdas, so a manual check is not simple, even when each check on its own is simple.

This is an event-driven architecture, because the different services and components talk to each other with events.

The cloud service provider spins up a container for the Lambda and sends the code to it; after the Lambda finishes executing, the service provider takes the container down. Sometimes the provider reuses the container, for performance reasons, but in that case, if you saved some information inside the container, you risk exposing sensitive data.

I also want to talk about denial of service. In a serverless architecture, to take a service down you would have to take down the whole AWS infrastructure behind it, so think instead about the denial of wallet: an attacker who wants to hurt your application invokes it many, many times, and you are going to spend a lot of money for that.

Another risk is insufficient logging and monitoring. By default you usually have only the CloudWatch logs from the Lambda itself; nothing else is shown by the cloud service provider. All the vulnerabilities I'm going to show later with the demo come from the code itself and from the libraries used by the code, not from the cloud service. So the risk of having insufficient logging and monitoring is very high.

Last one: inside the container that executes your Lambda, the filesystem is read-only, except for the /tmp directory.

OK, let's walk through the first vulnerability. It is not a vulnerability in the code of the Lambda but in a library the Lambda uses. I think you remember Log4Shell and Spring4Shell. I recreated the Lambda with Spring, and I'm going to exploit the Spring Expression Language vulnerability in the real Lambda, because the vulnerability sits before the code of the Lambda: it is present in the part of the code that works out which function should be run after the call.

The event is a JSON file. The attack vector for this is a header: inside the header we are able to run remote code. The first run is usually slower, because the provider needs to build up the container and send the event.

Very simple. Now I'm going to change the event and use this one, which addresses my server and sends it the output of the command. I exfiltrate the environment variables back to my server, so I connect to the server and see what happens: I get all the environment variables from the container. You can see here what I talked about, the secrets: the access key, the secret access key and the session token. With these three parameters I have the credentials used by this Lambda.

I'm in /var/task, the location where AWS installs your code, so I can run ls and see all the information inside the container; I have access to all your code. Same information we saw before; of course in this case the container is the same.

Now we have a little difference: this time the vulnerability is inside the code of the Lambda itself. This is a file to populate the table of users of the application, because the trigger runs on S3 object-created events: every time I upload a file to S3, AWS runs the trigger, instantiates the Lambda and executes it.

Now let's change the second one. Look at the content of the file: the first one, the good one, is simple. This is the content of the table with the user names. I'm going to upload the file; the Lambda takes the file and saves it in /tmp. Now the other payload sample: take the server again, upload the file, and I exfiltrate the content of the /tmp directory. Then, from the Lambda function, I'm going to exfiltrate the code. I think I ran it too many times. So I have the code of the Lambda, and I use these credentials another time.

OK, export the access key, the secret access key and the session token, and now I am the function.

The important thing is the approach. How much time do I have? Five minutes. OK, I want to try to show you another video, of an attack that my manager brought to DEF CON, using different attack vectors: one is email and the other is Alexa. I think everyone knows Alexa, so we try to exploit it with voice. I want to show the final one: the Lambda code behind an Alexa skill can be exploited through the voice.

Alexa... Alexa... stop.

OK, so you know: different capabilities, different kinds of trigger. I showed you some tools to play with serverless applications.