OWASP Chicago 2018 - Pentesting with Serverless Infrastructure


  • OWASP Chicago
  • Chicago, IL
  • December 12, 2018
Developers are embracing serverless infrastructure for its low cost, flexibility, and quick deployments - security people should be too! In this talk, I'll cover a brief overview of serverless infrastructure, discuss the pros and cons of the major players, and then explain the benefits of using serverless functions to help when performing security testing. As a penetration tester and bug bounty hunter, it's extremely common to have to spin up disposable infrastructure using Virtual Private Servers to perform one-off functions like serving up PoCs or logging incoming data. However, by taking advantage of the free tiers for serverless architecture, we can move a lot of that functionality away from dedicated hardware and get free "infrastructure" to launch attacks from. I will be demoing some of the examples from the "Serverless Toolkit for Pentesters" project I just open sourced, including serverless functions to help with payload hosting, SSRF redirecting, XXE Data Exfiltration, port scanning and DNS enumeration. All examples will take advantage of the awesome free tier with Zeit.co's Now.sh platform.