This chapter event welcomed Pawel Kusiński, Senior IT Security Consultant at Securing.
Pawel Kusiński’s session was all about Risks in Serverless Technologies. Serverless computing is not only a popular option in cloud environments, but also a suggested method for creating a lot of things! Did you ever think about how it works under the hood? Is serverless really server-less? How does the execution environment work? Is persistence even possible in this event-driven compute service? I won’t be lying – Remote Code Executions are rare, but what if there is one in your function? Pawel demonstrates how to use it to acquire persistence and exfiltrate more data than the function role gives.
01. How the infrastructure in serverless works.
02. Why persistence is possible in this semi-volatile environment.
03. How to research the serverless environment using a pseudo shell over HTTP.
04. How we can make use of an RCE vulnerability to obtain persistence – an exploitation demo will be shown! Possible mitigations.