Title Page
Contents
Abstract 10
Chapter I. INTRODUCTION 11
Chapter II. RELATED WORK 13
1. Security in Cloud Computing 13
2. Security in Serverless Applications 15
Chapter III. VULNERABILITIES IN SERVERLESS APPLICATIONS 18
1. Design of the Serverless Application 19
2. Analysis of Possible Vulnerabilities in Serverless Applications 22
Chapter IV. SECURE CODING FOR VULNERABILITIES 30
1. Server-Side Request Forgery (SSRF) 30
2. Hard-coded Sensitive Information 37
3. Infinite Loop of Lambda Call 42
4. Sensitive Information Encryption 47
5. Insufficient Logging 53
6. Other Vulnerabilities in Applications on Cloud 59
Chapter V. CONCLUSION 64
References 67
Thesis Summary (in Korean) 70

Table 1. Application vulnerabilities in 2021 OWASP Top 10 18
Table 2. Application vulnerabilities in 2017 OWASP Serverless Top 10 19
Table 3. Examples of possible vulnerable scenarios in serverless applications 25
Table 4. Comparison with vulnerabilities in other research studies 28
Table 5. Summary of secure coding for major vulnerabilities 64

Figure 1. Serverless application architecture 21
Figure 2. Data-flow with trust boundary 23
Figure 3. Simple data flow diagram 24
Figure 4. Application architecture with a possible SSRF attack 31
Figure 5. Example of a vulnerable Lambda Function without validation 32
Figure 6. Exposure of EC2 credentials caused by SSRF 33
Figure 7. Default metadata version of EC2 Instance 34
Figure 8. URL validation with white-list of allowed URLs 35
Figure 9. URL validation with URLs that are not allowed 36
Figure 10. Successful validation for internal IP 37
Figure 11. Exposure of hard-coded RDS Credential 38
Figure 12. AWS environment variables 39
Figure 13. Environment variables with encryption 40
Figure 14. Sample for using Secret Manager 42
Figure 15. Upload architecture using a Function on the Cloud 44
Figure 16. Save the thumbnail file in the same path 45
Figure 17. Save the thumbnail file in the separate path 47
Figure 18. RDS encryption configuration 48
Figure 19. Stored password with encryption 49
Figure 20. Save login password in plain-text 51
Figure 21. Save login password after hashing 52
Figure 22. Insufficient logging of password change failure 54
Figure 23. Sufficient logging for password change failure 56
Figure 24. Mapping Templates for getting requester's IP address 57
Figure 25. Logged informative data from Event and Context object 58
Figure 26. Static web site hosting in S3 60
Figure 27. Exposure of test account in comments 60
Figure 28. Allowed PUT action on all resources in S3 62
Figure 29. Allowed PUT action only for specific path required by the service 63