diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index ad0992d..15c1abc 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md 
@@ -931,26 +931,91 @@ https://.lambda-url..on.aws Vulnerabilities include -* Missing input validation on the event sent as user input to the Lambda function +* Missing input validation and sanitizaiton on the event sent as user input to the Lambda function * Sensitive data written to stdout and stderr, which is then sent to CloudWatch +* Lambda in a VPC * Permissive roles for function execution + +Examples of exciting permissions are ReadAccess in general or the following roles. + +``` +AmazonS3FullAccess +AWSLambda_FullAccess +``` + * Privilege escalation through access to environment variables `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` inside the Lambda container from function execution or from the webc console + +Use the found environment variables to get find the AccountId via aws cli. + +```sh +export AWS_SESSION_TOKEN= +export AWS_SECRET_ACCESS_KEY= +export AWS_ACCESS_KEY_ID= + +aws sts get-caller-identity +``` + * Access to the unencrypted secrets inside environment variables through function execution inside the container * Use of `lambda:*` instead of `lambda:invokeFunction` as part of a resource policy * Use of `Principal: *` inside an IAM policy -Check invocation policies of lambda functions via aws cli. +List functions and check invocation policies of lambda functions via aws cli. ```sh +aws lambda get-function --function-name arn:aws:lambda:::function: aws lambda get-policy --query Policy --output text --function-name arn:aws:lambda:::function: | jq . ``` +Check policies of the found functions of the Lambda functions via aws cli. 
+ +```sh +func=" " + +for fn in $func; do + role=$(aws lambda get-function --function-name --query Configuration.Role --output text | aws -F\/ '{print $NF}' + echo "$fn has $role with following policies" + aws iam list-attached-role-policies --role-name $role + for policy in $(aws iam list-role-policies --role-name $role --query PolicyNames --output text); do + echo "$role for $fn has policy $policy" + aws iam get-role-policy --role-name $role --policy-name $policy + done +done +``` + * Modifying Lambda layers through malicious code * Use the concurrency of Lambda functions as a DoS measurement -* Get the function ZIP file through the URL or the following aws cli line to iinspect the code for sensitive data + +##### Invoke Modified Functions + +Get the function ZIP file through the URL or the following aws cli line to inspect the code for sensitive data ```sh -aws lambda get-function --function-name arn:aws:lambda:::function: +func=" " + +for fn in $func; do + url=$(aws lambda get-functions --function-name $fn --query Code.Location --output text) + curl -s -o $fn.zip $url + mkdir -p $fn + unzip $fn.zip -d $fn +done +``` + +Invoke a function with a predefined event, after getting intel from the zip, stored in `event.json` via aws cli. + +```sh +aws lambda invoke --function-name --payload fileb://event.json out.json +``` + +Update a function through modified source code in a ZIP file via aws cli. + +```sh +aws lambda update-function-code --region --function-name --zip-file fileb://modified.zip +``` + +Create a payload `next_event.json` and invoke the function via aws cli. + +```sh +aws lambda invoke --function-name --payload fileb://next_event.json out.json ``` ### CloudFront 
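Review bot: the role-enumeration loop in the new "Check policies of the found functions" block does not run as written: the `role=$(...)` command substitution is never closed, `--function-name` has no `$fn` argument, and the output is piped to `aws -F\/` where `awk -F/` is meant. The line should read `role=$(aws lambda get-function --function-name "$fn" --query Configuration.Role --output text | awk -F/ '{print $NF}')`. In the following ZIP-download block, `aws lambda get-functions --function-name $fn` is inconsistent with the `aws lambda get-function` used two blocks earlier and should be `get-function`. Wording in the same hunk: "sanitizaiton" should be "sanitization", "to get find the AccountId" should be "to find the AccountId", "webc console" should be "web console", and "Check policies of the found functions of the Lambda functions" reads better as "Check the execution-role policies of the functions found". The new bullet "Lambda in a VPC" is listed as a vulnerability with no qualifying clause; either say what about the VPC placement is the finding or drop the bullet, since on its own it describes a configuration rather than a weakness.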
@@ -1393,3 +1458,12 @@ aws route53 get-change --id Describe the certificate to see the details via aws cli, like mentioned in the ACM chapter above. +### API Gateway + +An HTTP API consists of the following parts. + +* HTTP Request Body +* HTTP Response +* Specific HTTP headers +* HTTP Method +* Endpoint the request is queried
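Review bot: the last item of the new API Gateway list, "Endpoint the request is queried", is ungrammatical; "Endpoint the request is sent to" (or simply "Request endpoint") would match the other items. The section otherwise only lists the components of an HTTP API and, unlike the Lambda and Route 53 sections it sits beside, carries no aws cli enumeration line or check; either add the intended content or mark the section as a stub so it is not read as complete. Capitalization is also mixed ("HTTP Request Body", "HTTP Response" versus "Specific HTTP headers"); pick one style for the list.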