Teri Radichel


.NET AWS Lambda Function


I haven’t used .NET in a couple of years, but a lot of pen testers are using it more now, so I thought I’d give it another look. Might come in handy. :) I'm also checking out how it works for my upcoming talk at RSA 2020 on Serverless Attack Vectors.

Install .NET SDK (CLI) on AWS EC2 Instance

The first thing I tried to do was write it from scratch without .NET tools, but it was a pain. .NET generates a bunch of files required for a project that I forgot about. I got errors like this one.

{
  "errorType": "LambdaException",
  "errorMessage": "Could not find the required 'LambdaTest.deps.json'.  This file should be present at the root of the deployment package."
}

I didn’t want more tools on my local machine, so for a quick test I installed it on an AWS EC2 instance.

sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
sudo yum install dotnet-sdk-3.1

Simple AWS .NET Lambda Test

Once I got over my aversion to installing a bunch of different tools to do a simple thing, I followed an AWS tutorial but hit a couple of glitches, so I'm posting this list of steps to help anyone else who has the same problems.

1. On your EC2 Instance, install the Lambda Templates from NuGet using the .NET CLI you just installed.

dotnet new -i Amazon.Lambda.Templates

2. Run the command to create the code for your .NET Lambda function. I named my function 2ndSightLabTest.

dotnet new lambda.EmptyFunction --name 2ndSightLabTest

3. Have a look at the files that were created.

4. Install the Amazon Lambda tools

dotnet tool install -g Amazon.Lambda.Tools

5. Update the Amazon Lambda tools

dotnet tool update -g Amazon.Lambda.Tools

6. Type exit to end your EC2 session.

7. Reconnect to your instance. Tip: Use the history command, then ![#] to rerun the numbered command.

8. Navigate to the following function src directory.

cd ~/2ndSightLabTest/src/2ndSightLabTest

9. Run an ls command to make sure you see the .csproj file.

10. Deploy the function.

dotnet lambda deploy-function 2ndSightLabTest

11. Choose the option to Create new IAM Role. Option 2 in my case.

12. Enter a name for your role.

13. Enter the number of the role you want to use. For this test I chose 1**.

** Security best practice is to choose the role with the fewest permissions that still covers what you need.

14. Run a command to test the lambda function.

dotnet lambda invoke-function 2ndSightLabTest --payload "Testing...1...2...3...Testing"

Cool. It worked.

15. Check the lambda function in the console.

16. Click on the lambda function.

Tip: Click the arrow next to designer to hide it. Does anyone use that?

17. You can see information about the code, but can’t view it in the console.

18. Click Monitoring. Hmm, I don’t see my invocation?

19. Click View Logs in CloudWatch. Click the log stream.

Note that so far my invocation has not appeared. It seems to take a while.

20. Return to the function and click Test.

21. Change the key name to payload and the value to whatever you want.

22. Scroll down and click Create.

23. Click Test again.

Oops. There’s an error.

Since we know the .NET Lambda function works on the command line, I presume this is an AWS Console bug.

{
  "errorType": "JsonSerializerException",
  "errorMessage": "Error converting the Lambda event JSON payload to a string. JSON strings must be quoted, for example \"Hello World\" in order to be converted to a string: Unexpected character encountered while parsing value: {. Path '', line 1, position 1.",
  "stackTrace": [
    "at Amazon.Lambda.Serialization.Json.JsonSerializer.Deserialize[T](Stream requestStream)",
    "at lambda_method(Closure , Stream , Stream , LambdaContextInternal )"
  ],
  "cause": {
    "errorType": "JsonReaderException",
    "errorMessage": "Unexpected character encountered while parsing value: {. Path '', line 1, position 1.",
    "stackTrace": [
      "at Newtonsoft.Json.JsonTextReader.ReadStringValue(ReadType readType)",
      "at Newtonsoft.Json.JsonTextReader.ReadAsString()",
      "at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.ReadForType(JsonReader reader, JsonContract contract, Boolean hasConverter)",
      "at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)",
      "at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)",
      "at Newtonsoft.Json.JsonSerializer.Deserialize[T](JsonReader reader)",
      "at Amazon.Lambda.Serialization.Json.JsonSerializer.Deserialize[T](Stream requestStream)"
    ]
  }
}

Side Note: Oracle is dropping Java serialization due to all the security problems it causes. https://www.infoworld.com/article/3275924/oracle-plans-to-dump-risky-java-serialization.html

Be careful with deserialization of untrusted data: https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data

24. Go back to Monitoring. Now stats exist.

25. Now entries exist in the logs showing the errors.

That’s it for this simple test. If you’re a .NET developer you might want to consider other options such as using VS Code, but be careful where you store and transmit your AWS credentials.
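The footnote to step 13 says to pick the role with the least permissions. As an added example (not from the original post or the AWS tutorial), the script below builds an execution role that can only be assumed by Lambda and can only write to this function's own CloudWatch log group, then deploys with it. The role name, region and account id are assumed placeholder values.

```sh
#!/bin/sh
# Added example, not from the original post: a least-privilege execution
# role for the 2ndSightLabTest function. ROLE_NAME, REGION and ACCOUNT_ID
# are assumed placeholder values; replace them with your own.
FUNCTION_NAME="2ndSightLabTest"
ROLE_NAME="2ndSightLabTest-exec"   # hypothetical role name
REGION="us-east-1"                 # assumed region
ACCOUNT_ID="111122223333"          # placeholder account id
GROUP_ARN="arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:/aws/lambda/${FUNCTION_NAME}"

# Trust policy: only the Lambda service may assume the role.
trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

# Permissions policy: write to this function's own log group, nothing else.
logs_policy() {
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": ["${GROUP_ARN}", "${GROUP_ARN}:*"]}]}
EOF
}

# Succeeds only if the policy has no bare "*" and no "service:*" action.
policy_is_scoped() {
  ! printf '%s' "$1" | grep -Eq '"\*"|"[a-z0-9-]+:\*"'
}

# Create the role, attach the inline policy, and deploy with that role.
# Needs AWS credentials, so it runs only when the script is given --apply.
create_role_and_deploy() {
  policy_is_scoped "$(logs_policy)" || { echo "policy too broad" >&2; return 1; }
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" &&
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${FUNCTION_NAME}-logs" --policy-document "$(logs_policy)" &&
  dotnet lambda deploy-function "$FUNCTION_NAME" --function-role "$ROLE_NAME"
}

if [ "${1:-}" = "--apply" ]; then create_role_and_deploy; else logs_policy; fi
```

Run it without arguments to review the generated policy, and with --apply from the function's src directory to create the role and deploy. A newly created IAM role can take a few seconds to become usable, so retry the deploy if the first attempt rejects the role.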

See references at the end.


Teri Radichel | © 2nd Sight Lab 2020


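References:

Install .NET Core on CentOS 7 (package manager): https://docs.microsoft.com/en-us/dotnet/core/install/linux-package-manager-centos7

AWS Tutorial:

.NET Core CLI: https://docs.aws.amazon.com/lambda/latest/dg/lambda-dotnet-coreclr-deployment-package.html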
