Securing Serverless: Attacking an AWS Account via a Lambda Function

It’s not every day that someone lets you freely wreak havoc on their account just to find out what happens when you do.

Step 5: What Would Happen if I Do This...
So I can't list the buckets… how would I know which bucket exists, if such a bucket exists at all? I decided to try the first thing that came to mind - use the site's URL as the S3 bucket's name (again, common practice among developers). I was thinking to myself that this is extremely naive, and I would be very lucky if this actually worked. I decided to try this by invoking the 'head-bucket' option, which according to the AWS s3api documentation is "useful to determine if a bucket exists and you have permission to access it." Sounds exactly like the kind of thing I could use.

/> aws s3api head-bucket --bucket 

A second later, I got an empty response from the AWS CLI:


Odd, I thought to myself. Does an empty response mean the bucket exists, or does it mean I’m back to square one? I decided to give it another shot, this time using a made-up random bucket name, which I assumed wouldn't exist:

/> aws s3api head-bucket --bucket whatever.foobar.puresec

The reply didn't take long:

/> An error occurred (404) when calling the HeadBucket operation: Not Found

Bazinga! We're back in business baby!

So now I know that Caleb's account had an S3 bucket called ';' my next step would be to see if I can list the contents of this bucket. Who knows? Maybe I will find some sensitive data stored in there.

I then used the 'list-objects' option in the following manner:

/> aws s3api list-objects --bucket

At that point, the server replied with a list of objects/files (truncated):


Nice, not much in there, just some CSS files, the main site's index HTML page, and some JavaScripts.

I was thinking to myself, "what would happen if I tried to delete one of the files?" Given my previous experience with the strict IAM permissions, I wasn't really expecting this to work, but why not give it a try? I will use the 'delete-object' option:

/> aws s3api delete-object --bucket --key "index.html"

The response to this command surprised me … it was empty. Empty?! Does this mean the file was deleted, or not?!

So, I invoked the AWS s3api tool with the 'list-objects' option once again, and my jaw dropped… index.html wasn't there anymore! Double Bazinga!

Step 6: PureSec on the Leaderboard
However, now the site was down, and who knows, maybe Caleb has some automation script that recreates the whole thing back in a few minutes. Nobody will believe me, so I decided to try one more thing - to create an HTML file called "puresec.html" containing the text "PureSec hacked this site!"

/> aws s3api put-object --bucket --key "puresec.html" --body body.html

To which the AWS S3 service replied with:


    "ETag": "\"654aa29207e06e89065a718a1a79b38b\""


Yea Baby! File created, I have proof.
Just to verify, I ran the 'list-objects' command on the bucket again:


There it was, dim-white on terminal-black - my file was there.

PureSec:1, LambdaShell:0. Since I was the only one who managed to cause some serious damage to Caleb's serverless application, I was now granted the 1st Place on the leaderboard - which stayed this way until the time of writing this post.


As Caleb was away at the Black Hat conference in Las Vegas that day and didn’t have access to his laptop, the site stayed down for a couple of days, which gave me lots of pleasure. Later, the site was resurrected, IAM permissions were fixed, and access to the S3 bucket is no longer an option.
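The IAM fix mentioned above can be checked before deployment. The following is an added example, not code from the original post or from Caleb's project: it reads a Lambda execution role policy and reports which of the s3api calls used in this walkthrough it would permit. The post does not show the real policy, so both sample policies and the bucket name `example-site-bucket` are constructed, and the evaluation is a simplification that ignores Condition, NotAction and NotResource.

```python
import re

# s3api calls used in the post -> IAM action each call requires
CALLS = {
    "head-bucket": "s3:ListBucket",
    "list-objects": "s3:ListBucket",
    "delete-object": "s3:DeleteObject",
    "put-object": "s3:PutObject",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? matches exactly one
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allowed(policy, action, resource):
    """Simplified identity-policy evaluation: Action/Resource only,
    explicit Deny wins. Condition, NotAction, NotResource are not handled."""
    verdict = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
               and any(_glob(r, resource) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        verdict = verdict or hit
    return verdict

def audit(policy, bucket, key="index.html"):
    """Return the post's s3api calls that this policy permits on the bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    found = []
    for call, action in CALLS.items():
        # ListBucket is checked on the bucket ARN, object actions on the key ARN
        target = arn if action == "s3:ListBucket" else f"{arn}/{key}"
        if allowed(policy, action, target):
            found.append(call)
    return found

# Constructed sample policies; "example-site-bucket" is a placeholder name
BROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-site-bucket", "arn:aws:s3:::example-site-bucket/*"]}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-site-bucket/*"}]}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit(pol, "example-site-bucket"))
```

An empty list for a function that only needs to read site assets is the expected result; any entry in the list is a permission the function's role should not carry.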

Since that week in the beginning of August, we didn't put any further effort into hacking this application - not because we're not intrigued by the challenge, but rather because we're busy doing other things. We are aware that Caleb modified the application quite a bit, and that another AWS Lambda function was added in order to make things more interesting. However, it's time to let someone else take a stab at attacking it… we've done enough damage already.
