{"id":13449958,"url":"https://github.com/OWASP/Serverless-Goat","last_synced_at":"2025-03-23T10:31:48.089Z","repository":{"id":45754141,"uuid":"162155667","full_name":"OWASP/Serverless-Goat","owner":"OWASP","description":"OWASP ServerlessGoat: a serverless application demonstrating common serverless security flaws","archived":false,"fork":false,"pushed_at":"2024-07-30T20:30:42.000Z","size":293,"stargazers_count":316,"open_issues_count":11,"forks_count":96,"subscribers_count":20,"default_branch":"master","last_synced_at":"2024-10-28T17:15:44.061Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-17T16:00:22.000Z","updated_at":"2024-10-27T17:24:44.000Z","dependencies_parsed_at":"2024-10-28T15:52:09.886Z","dependency_job_id":"26647ad1-e9f4-4aeb-8403-1aed915cc853","html_url":"https://github.com/OWASP/Serverless-Goat","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FServerless-Goat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FServerless-Goat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FServerless-Goat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FServerless-Goat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/Serverless-Goat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245090666,"owners_count":20559296,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T07:00:23.691Z","updated_at":"2025-03-23T10:31:47.656Z","avatar_url":"https://github.com/OWASP.png","language":"Python","funding_links":[],"categories":["Security Practices and CTFs","Python","Learning","SaaS","文章","Serverless Security","Capture The Flag"],"sub_categories":["Vulnerable By Design","Kubernetes Audit","Cloud-Focused"],"readme":"## Introduction ##\nThank you for using OWASP ServerlessGoat!\n​\nThis serverless application demonstrates common serverless security flaws as described in the Serverless Security Top 10 Weaknesses guide [https://github.com/puresec/sas-top-10](https://github.com/puresec/sas-top-10).  ​\n\nServerlessGoat was created for the following educational purposes:\n* Teach developers \u0026 security practitioners about common serverless application layer risks and weaknesses \n* Educate on how serverless application layer weaknesses can be exploited\n* Teach developers \u0026 security practitioners about serverless security best-practices  \n​\n\nYou can find more information about WebGoat at: [https://www.owasp.org/index.php/OWASP_Serverless_Goat](https://www.owasp.org/index.php/OWASP_Serverless_Goat)\n\n**​WARNING 1**: This application contains vulnerabilities. Use it only for training purposes.  \n**WARNING 2**: This program is for educational purposes only. Do not attempt these techniques without authorization from application owners.  ​\n\n**NOTE**: The application was developed in such way that should not put your AWS account at risk. The vulnerabilities that were introduced are contained within the boundaries of this specific application. Nevertheless, users are not encouraged to deploy the application in production environments.\n\n​\n## Deployment ##\nServerlessGoat is a simple AWS Lambda application, which serves as a MS-Word .doc file to plain text converter service. It receives a URL to a .doc file as input, and will return the text inside the document back to the API caller.\n​\nThe application is packaged and published for deployment through the [AWS Serverless Application Repository](https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat).\n​\nSteps for deployment:\n1. Make sure you are logged into your AWS account\n2. Click on the following link: [AWS Serverless Application Repository](https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:761130837472:applications~serverless-goat)\n3. Click 'Deploy'\n4. Click 'Deploy' (again)\n5. Wait until you see the message 'Your application has been deployed'\n6. Click on 'View CloudFormation Stack'\n7. Under 'Outputs' you will find the URL for the application (WebsiteURL)\n​\n## Cheat-Sheet ##\n\nThe full walkthrough of the lessons (under development) can be found in the [LESSONS.md](https://github.com/OWASP/Serverless-Goat/blob/master/LESSONS.md) file\n\nThe following security issues exist in the application:\n​\n* Event-data injection, leading to OS command injection (SAS-01)\n  * Users can invoke the API with a `document_url` parameter value containing Linux OS commands. E.g. `; ls -LF`\n* Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure\n  * For example, invoking the API without the required parameter will return a verbose stack trace/exception\n* Insecure Serverless Deployment Configuration (SAS-03)\n  * Publicly open S3 bucket (its name can be discovered from the subdomain/prefix of the URL)\n  * The parameter `document_url` is not defined as a 'required' parameter in API gateway and can be ommitted\n* Over-privileged function permissions \u0026 roles, leading to data leakage of information stored in a DynamoDB table (SAS-04)\n  * The function has CRUD permissions on the Dynamo table, which can be abused for reading sensitive data, or manipulating data\n  * The function has FullAccess policy on the S3 bucket, leading to data tampering and data leakage, etc.\n* Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)\n* Insecure 3rd Party Dependencies (SAS-06) - can be detected by scanning the project with an OSS scanning tool\n  * The vulnerable package is `node-uuid` \n* Application layer Denial of Service (SAS-08), which can be easily demonstrated\n  * An attacker may invoke the API recursively multiple times, essentially spawning enough instances to reach the function's reserved capacity limit (which is set to 5). For example:\n    ```\n    https://i92uw6vw73.execute-api.us-east-1.amazonaws.com/Prod/api/convert?document_url=https%3A%2F%2Fi92uw6vw73.execute-api.us-east-1.amazonaws.com%2FProd%2Fapi%2Fconvert%3Fdocument_url...\n    ``` \n* An undisclosed *critical* issue, as a bonus! \n\n## Acknowledgements ##\nServerlessGoat was initially created and contributed to OWASP by Yuri Shapira \u0026 Ory Segal, [PureSec](https://www.puresec.io/).\n​\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FServerless-Goat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2FServerless-Goat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FServerless-Goat/lists"}