Skip to content
An AWS Lambda vulnerable application written in flask.
HTML Python CSS Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
static
templates Added changes to the main file Oct 9, 2017
.gitignore Added templates and files Oct 9, 2017
CONTRIBUTIONS.md Slight changes Oct 9, 2017
LICENSE Initial commit Oct 6, 2017
README.md Added changes to the main file Oct 9, 2017
deploy.sh Added changes to the main file Oct 9, 2017
main.py Added changes to the main file Oct 9, 2017
requirements.txt Added templates and files Oct 9, 2017
zappa_settings.json Added templates and files Oct 9, 2017

README.md

AWS-Vulnerable-Lambda

An AWS Lambda vulnerable application written in flask.

Context

AWS lambda is a serverless platform for deploying your applications.It makes use of the use and throw functionality, where it creates a sandbox and then destroys it once it is done.

AWS lambda works by unzipping your code to a s3 bucket, launches a container in the cluster to represent the function you wrote and the event will be passed on to the function, to take care of the http request and response it makes use of the AWS API gateway.

Security

AWS lambda security issues arise due to improperly configured applications or vulnerable applications being run.It is an interesting space to look around.You could escalate from the function code to the inner aws architecture which might be being used.

AWS lambda can be quite interesting when it is being kept warm. AWS Lambda cold start & warm ups.

Research

There has been some awesome research done into AWS lambda, some of these are i would highly recommend to read upon:

Deployment

The vulnerable application makes use of zappa, which is used to deploy serverless applications (AWS Lambda) written in flask or django.

Configure your zappa_settings

  • Change the s3 bucket name to a unique one preferably which is not used.
  • Incase you use a different aws-region mention it in the file as well.

This requires you to create a amazon aws account and a user with lambda,s3 and api gateway permissions enabled, copy the access token and the paste it within ~/.aws/credentials.

  • pip install awscli
  • virtualenv .venv && source .venv/bin/activate
  • pip install -r requirements.txt
  • set aws credentials.(Create a new user in your aws account and add it in ~/.aws/credentials)
  • bash deploy.sh
  • Use the url in the format - https://url/dev/?ping=ls

** This is by no means meant for deploying at production, use it at your own risk.

Screenshots

alt text

You can’t perform that action at this time.