Pentesting in a World without Servers

Cloud technologies enables companies to deploy applications quickly and efficiently. Particularly useful is serverless computing – a cloud-based software that can run without its own server infrastructure. Popular examples include AWS Lambda, Azure Functions, or Google Cloud Functions. Even though these software functions operate without traditional servers, there are many potential security gaps and misconfigurations.

While most administrators are familiar with securing traditional servers, this is less common in serverless environments. Based on our experience from countless cloud penetration tests, these environments are especially vulnerable to specific misconfigurations and vulnerabilities. In this article, we highlight three critical security risks that companies should pay close attention prior to a cloud penetration test. We also offer practical recommendations for securing such environments.

Hardcoded Secrets and Environment Variable Leaks

A common mistake in serverless functions is the insecure handling of credentials and API keys. In most penetration tests, we find functions where developers have stored credentials directly in the code or in environment variables. This allows for simple authentication and interaction with other cloud services. However, this poses significant risks, as any user with "Read" permission can extract this data.

Attack Scenario:

Assume an attacker gains access to the source code of a serverless function. There are many possible paths to this, such as through an unprotected repository or an insecure CI/CD pipeline. If access tokens, certificates, or database credentials are hardcoded into the code, the attacker can use them to gain unauthorized access to cloud resources. It becomes even more critical if the application can read environment variables—especially if sensitive information is stored there—as these can be read with minimal permissions.

There have been multiple past incidents where hardcoded secrets were discovered in publicly accessible GitHub repositories. Our penetration tests use automated scanners to search for such information and exploit stolen credentials for further attacks.

Protection Measures:

There are several ways to secure vulnerable serverless functions:

  • Avoid hardcoded secrets: Instead, store API keys and credentials in a secure secrets management service like AWS Secrets Manager, Azure Key Vault, or Google Secret Manager.
  • Restrict environment variable use: If environment variables must be used, limit them to non-critical information.
  • Code scanning and reviews: Tools like GitGuardian, TruffleHog, or AWS CodeGuru can help detect and remove accidentally uploaded secrets.
  • Key rotation and access control: Regular key rotation and the use of role-based access controls (RBAC) reduce the risk of misuse.

Write Access to Source Code

When using serverless functions, the greatest risk to secure operation is the potential for source code modification. If an attacker can alter the code, they gain execution access and can impersonate the function’s identity in the cloud—often gaining access to additional resources and escalating privileges. In Azure Functions, for instance, the source code is always stored in a dedicated storage account. An attacker with write access to this storage account can not only compromise the account but also take control of the Azure Function.

Attack Scenario:

An attacker in AWS discovers that one of their IAM roles has write access to a Lambda function. Due to a misconfiguration in Identity and Access Management, they can exploit this to modify the function's code and insert a backdoor for future attacks. Alternatively, access to a misconfigured CI/CD pipeline could allow attackers to inject malicious code into other Lambda functions.

We have already compromised CI/CD pipelines in past penetration tests to inject malicious code into cloud applications. Such attacks can spread malware, steal data, or establish persistent threats.

Protection Measures:

  • Strict IAM roles: Serverless functions should follow the principle of least privilege, receiving only the permissions they absolutely need.
  • Ensure code integrity: Use hash values or digital signatures to detect unauthorized code modifications.
  • Secure CI/CD pipelines: Secure authentication and authorization for deployments prevent unauthorized code changes.
  • Logging and monitoring: Use Security Information and Event Management (SIEM) tools and native cloud monitoring services like AWS CloudTrail, Azure Monitor, or Google Cloud Audit Logs to detect and respond to unauthorized changes.

Insufficient Input Validation and Injections

Another often underestimated risk in serverless computing is insufficient validation of user input. Which is a classic attack vector known from web security. Serverless functions are frequently triggered by API requests or HTTP events, making them vulnerable to various injection attacks.

Attack Scenario:

A Lambda function processes user input like any web application and may interact with databases. Without adequate validation, an attacker could send specially crafted requests to exploit a SQL injection. In another case, a function that executes system commands could be vulnerable to command injection due to poorly filtered inputs.

Attackers have exploited such vulnerabilities in the past to compromise serverless environments. These attacks are especially dangerous when cloud functions have extensive permissions.

Protection Measures:

  • Input validation: Always validate user inputs using whitelisting and schema validation.
  • Use prepared statements: If the application interacts with databases, prevent SQL or NoSQL injection using prepared statements.
  • Regular security testing: Manual penetration tests and automated security scans help detect and remediate potential vulnerabilities early.
  • Web Application Firewalls (WAF): Use WAF services like AWS WAF, Azure WAF, or Google Cloud Armor to block malicious inputs.

Serverless functions offer many advantages, but they also require security strategies that differ from classic on-premise server threats. Injection attacks present new challenges—especially concerning identity and access management, configuration security, and code integrity.

We encounter all the vulnerabilities described above in the majority of our penetration tests. In the following video, we demonstrate a brief live hacking session showing how such a cloud penetration test can unfold.

This Video is only available in German

Regular cloud pentesting helps companies identify and remediate vulnerabilities in their serverless applications early on. The focus should be on the risk areas outlined above to minimize attack vectors and ensure the long-term security of cloud services. Additionally, companies should rely on security frameworks and best practices such as the AWS Well-Architected Framework, Google Cloud Security Best Practices, or Microsoft Azure Security Benchmarks to establish a robust security strategy for serverless computing.

About the author

Moritz Gruber
SEC Consult
Teamlead Offensive Security
Back