Alexa, Hack My Server(less) Please

Conference:  BlackHat EU 2019



The presentation discusses the vulnerabilities in cloud applications due to bad coding practices and the need for developers to follow security principles.
  • Cloud applications are vulnerable to attacks due to bad coding practices
  • Developers need to follow security principles such as the least privilege principle
  • Automation is necessary for securing cloud applications with multiple resources
  • The presentation provides examples of how to exploit vulnerabilities in cloud applications
  • The speaker emphasizes that the problem is not with the cloud, but with bad coding practices
The speaker demonstrates how a Slack chat bot with a vulnerable neural library can be exploited through code injection to gain access to the backend source code of the function. The function also uses a wildcard in the API, allowing the attacker to write into the Slack channel. This illustrates the importance of following security principles and avoiding bad coding practices.


When adopting serverless technology, we eliminate the need to manage a server for our application. By doing so, we also pass some of the security threats to the cloud provider. We do not need to care about OS patching and configuration any more. It's all in the safe hands of the service providers. However, Serverless function still executes code. If written poorly, it can lead into a cloud disaster. One particular example is the injection attacks. Yes, injection attacks nothing new. But, what happens when there is no longer a perimeter? In this talk, I will examine the Serverless #1 risk: Event injection and will demonstrate injection attacks form multiple event types, such as emails, logs, files and even through Alexa.



Post a comment

Related work

Authors: Tal Melamed