SShortSingh.
Back to feed

AWS Lab: SQL Injection in Lambda Function Exploited to Escalate IAM Privileges

0
·9 views

A security lab writeup details how a SQL injection flaw in an AWS Lambda function was exploited to escalate IAM privileges and retrieve a secret from AWS Secrets Manager. Using the Pacu framework, researchers enumerated IAM roles and identified a key invoker role they were permitted to assume via sts:AssumeRole. After assuming the role and enumerating Lambda functions in us-east-1, they downloaded the function's source code and discovered it concatenated user input directly into a SQLite query without sanitization. By injecting a payload that bypassed a public policy visibility check, the researchers tricked the function into attaching the privileged SecretAccessPolicy to their user. This granted them direct access to the target secret, demonstrating how unsanitized inputs in cloud functions can lead to full privilege escalation.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Snowflake Multi-Agent System Gets Security Layer With Governance Agent in Part 3

A three-part tutorial series on building a Snowflake multi-agent AI system has reached its final installment, adding a dedicated Security and Governance Agent to the existing Admin and Cost Optimizer agents. The new agent focuses on access control, role hygiene, failed login detection, unauthorized access attempts, and compliance-friendly audit summaries. It leverages semantic views built over Snowflake's ACCOUNT_USAGE schema, enabling natural language queries across security domains like login anomalies and excessive privileges. Specialized tools such as FailedLoginAnalyst, LoginAnomalyDetector, and UnauthorizedAccessAnalyst are wired into the agent via Cortex Analyst. The central Orchestrator is updated to route security-related questions to this new specialist, completing a full-coverage assistant that handles operations, cost, and risk.

0
ProgrammingDEV Community ·

Why Failed Startup Projects Are Actually Investments in Experience

A product builder and entrepreneur argues that failed projects should be viewed as valuable learning experiences rather than wasted effort. Even projects that never gained users taught critical skills such as idea validation, user communication, technical decision-making, and feature prioritization. The author suggests that many successful founders succeeded not because of a perfect first idea, but because earlier failed attempts equipped them with the experience to spot better opportunities. They describe their own unfinished projects as investments that made them stronger builders over time. The piece concludes with an encouragement to embrace pivoting as a strategic application of accumulated lessons, not as a sign of giving up.

0
ProgrammingDEV Community ·

Salesforce Education Cloud Offers Simpler, Native Alternative to Legacy EDA Package

Salesforce's Education Cloud is positioned as a modernised replacement for the Education Data Architecture (EDA), which has long operated as a managed package layered on top of the core Salesforce platform. Unlike EDA, Education Cloud runs natively on Salesforce, eliminating separate installations, namespace conflicts, and update delays tied to the package release cycle. Education Cloud also adopts a Person Account data model, enabling more direct relationships between student records, departments, programmes, and households compared to EDA's Contact-based administrative account structure. Because it sits on the same platform layer that Salesforce product teams develop against, Education Cloud automatically receives new capabilities — including AI and automation features — with each of Salesforce's three yearly releases. EDA remains supported and functional, but the architectural gap between the two products is expected to widen as native platform innovation accelerates.

0
ProgrammingHacker News ·

Developer builds random Google Fonts browser to simplify font selection for web projects

A developer has created RandoFont, a simple browser tool that displays Google Fonts in random order to help with font selection during web projects. The tool allows users to tag and save their favorite fonts as they browse. The creator built the application several years ago and recently used AI assistance to refresh its interface. The project was shared on Hacker News, where it received modest early attention.