This article is Part 2 of a series. Here, I’m going to explain how to secure Serverless applications from injection attacks using AWS Web Application Firewalls (WAF).

In Part 1 I introduced ServerlessGoat, an intentionally vulnerable serverless MS-Word .doc to text converter service. I explained how to exploit its code injection vulnerability and how to fix the vulnerability by replacing an invocation of the command-line tool cat with a proper JS library to download the MS-Word document. Furthermore, I shortly introduced input validation with denylists, i.e., excluding inputs that contain specific characters or match a certain format, and allowlists, i.e…

This article was originally published on

Recently Serverless application architectures are a trending model for web application development. This is hardly surprising since serverless backends can help to save huge costs for hosting and maintaining web applications. Instead of having full-blown servers continuously running and producing costs, serverless functions can be fired only on-demand, when there is load for the server to process, and are paid-per-use only for the time of their execution.

Like usual web applications, serverless applications are equally affected by security vulnerabilities. Indeed, the OWASP Foundation has published an interpretation of the OWASP Top-10 list of…

Manuel Benz

Manuel Benz is co-founder of CodeShield, a novel static security testing tool focusing on in-depth program analysis of Microservice architectures and Serverless

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store