Bref Security Audit

TL;DR

Shielder, with OSTIF and Amazon Web Services, performed a Security Audit of Bref. The audit resulted in five (5) findings ranging from low to medium severity. The Bref maintainers and community addressed most of the the issues in a timely and accurate manner.

Today, we are publishing the full report in our dedicated repository.

Introduction

In December 2023, Shielder was hired to perform a Security Audit of Bref, an open-source project that helps you go serverless on AWS with PHP. The audit has been sponsored by Amazon Web Services and facilitated by the Open Source Technology Improvement Fund (OSTIF).

Bref comes as:

Context and Scope

The main targets of the audit were the Composer package, where the logic is implemented, and the AWS Lambda custom runtime, that provides the base system configuration for the Lambda environment and which acts as an entry point for each Lambda execution.

The scope of this audit was the Bref version 2.1.9 released on November 23, 2023.

Findings Summary and Recommendations

The Shielder team was able to identify five (5) findings, two (2) of them being medium and three (3) low.

IDVulnerabilitySeverityStatus
1Uploaded Files Not Deleted in Event-Driven FunctionsMediumClosed
2Slow String Operations via MultiPart Requests in Event-Driven FunctionsMediumClosed
3Query String Parsing InconsistencyLowOpen *
4Multiple Value Headers Not Supported in ApiGatewayFormatV2LowClosed
5Body Parsing Inconsistency in Event-Driven FunctionsLowClosed

* The behavior has been documented here.

Shielder team also outlined the following recommendations and long-term security improvements:

  • Implement Supply-Chain Attack Countermeasures
  • Make Telemetry Opt-In
  • Perform More Invariant Testing

The full details and rationale can be read in the report.

Conclusions

The overall security posture of the Bref project is mature and most of the security best practices have been correctly implemented.

The main threats affect the Event-driven functions, where there is a lack of filesystem hygiene and the presence of some slow operations on user-supplied input, which could increase the execution time of the Lambda functions, thus leading to higher AWS bills.

Bref maintainers and community, notably Matthieu Napoli, addressed most of the findings in a timely and accurate manner.

It was a pleasure for our team to work with OSTIF, Amazon Web Services, and the Bref maintainers in securing the Web landscape.

Pitch 🗣

Did you know OSTIF helps sensitive open-source projects in securing funds to perform security audits? They will also help you in scoping the assessment, finding a trusted partner to perform the analysis, and ensuring full transparency along the way.

P.S. if you need help in verifying the security posture of your Lambda functions –> get in touch with us!

3 min

Data

29 marzo 2024

Autore

smaury

Sono Abdel Adim Oisfi più conosciuto come smaury.
Lavoro: CEO, Security Researcher, Penetration Tester in Shielder.
Passioni: Hacking, autostop, tuffi e ginocchia sbucciate.