This article is Part 2 of a series. Here, I’m going to explain how to secure Serverless applications from injection attacks using AWS Web Application Firewalls (WAF).
In Part 1 I introduced ServerlessGoat, an intentionally vulnerable serverless MS-Word .doc-to-text converter service. I explained how to exploit its code injection vulnerability and how to fix it by replacing an invocation of the command-line tool cat with a proper JS library to download the MS-Word document. Furthermore, I briefly introduced input validation with denylists, i.e., excluding inputs that contain specific characters or match a certain format, and allowlists, i.e…
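The two validation styles mentioned above, denylists and allowlists, as an added example in Node.js (this is not code from ServerlessGoat or from the original article). It assumes the converter receives the document location as a `document_url` query parameter of an API Gateway event; that parameter name, the handler shape and the sample inputs are assumptions made for the example.

```javascript
// Added example: denylist vs allowlist validation of a document URL
// before it is handed to a download library instead of a shell command.

// Denylist: reject inputs containing characters a shell would treat
// specially. Fragile, because such a list is never complete.
const SHELL_METACHARS = /[;&|`$(){}<>\n]/;

function passesDenylist(input) {
  return !SHELL_METACHARS.test(input);
}

// Allowlist: accept only inputs that fully match the expected shape,
// here an absolute https URL whose path ends in .doc or .docx.
function passesAllowlist(input) {
  let url;
  try {
    url = new URL(input); // WHATWG URL parser, built into Node.js
  } catch (e) {
    return false; // not a syntactically valid absolute URL
  }
  if (url.protocol !== "https:") return false; // no file:, ftp:, etc.
  if (url.username || url.password) return false; // no embedded credentials
  return /\.docx?$/i.test(url.pathname);
}

// Handler fragment (assumed event shape): validate first, then pass the
// URL to a library call, so no command interpreter ever sees the input.
function validateDocumentUrl(event) {
  const input = (event.queryStringParameters || {}).document_url;
  if (typeof input !== "string" || !passesAllowlist(input)) {
    return { statusCode: 400, body: "invalid document_url" };
  }
  return { statusCode: 200, body: input };
}
```

Note how `passesDenylist` accepts `ftp://example.com/report.doc`, because it contains no blocked character, while `passesAllowlist` rejects it for not being an https URL: the allowlist encodes what the application actually expects rather than what an attacker might send.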
This article was originally published on codeshield.io.
Serverless application architectures have recently become a trending model for web application development. This is hardly surprising, since serverless backends can save huge costs for hosting and maintaining web applications. Instead of having full-blown servers continuously running and producing costs, serverless functions are invoked only on demand, when there is load for the server to process, and are paid per use only for the time of their execution.
Manuel Benz is co-founder of CodeShield, a novel static security testing tool focusing on in-depth program analysis of Microservice architectures and Serverless