OWASP Serverless Top 10 #4: XML External Entities (XXE)

Successful exploits in monolithic applications can usually lead to extracting sensitive data, executing a remote request from the server, scanning internal systems, Denial of Service (DoS) and more.

In serverless, executing remote requests (OOB) might not be possible if the function is running inside the internal virtual private network (VPC). Scanning will be less likely to take effect in the few seconds the function has and DoS attacks are less of a concern, because the function is running in a designated container which will affect only the current execution.

Security Weakness and Impact

Any use of XML processors might open the application to XXE attacks. By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing.

A successful XXE attack in a serverless application could lead mostly into function code leak and other sensitive files that are located in the environment (e.g. environment variables, files under /tmp).

How to Prevent

  • Use the service provider’s SDK whenever possible
  • Scan supply chain for relevant libraries known vulnerabilities
  • If possible, identify and test for XXE attacks via API calls
  • Make sure to disable Entity Resolution

Serverless Top 10

Read more about the OWASP Serverless Top 10.