{"id":13649473,"url":"https://github.com/wickett/lambhack","last_synced_at":"2026-01-12T00:01:01.175Z","repository":{"id":144205176,"uuid":"81354133","full_name":"wickett/lambhack","owner":"wickett","description":"A very vulnerable serverless application in AWS Lambda","archived":false,"fork":false,"pushed_at":"2019-10-07T16:30:37.000Z","size":2896,"stargazers_count":95,"open_issues_count":1,"forks_count":26,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-22T14:42:23.843Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wickett.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-02-08T17:06:55.000Z","updated_at":"2025-03-27T14:57:38.000Z","dependencies_parsed_at":"2023-06-19T12:38:16.012Z","dependency_job_id":null,"html_url":"https://github.com/wickett/lambhack","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/wickett/lambhack","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wickett%2Flambhack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wickett%2Flambhack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wickett%2Flambhack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wickett%2Flambhack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wickett","download_url":"https://codeload.github.com/wickett/lambhack/tar.gz/refs/heads/master","sbom_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/wickett%2Flambhack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28328651,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T22:11:01.104Z","status":"ssl_error","status_checked_at":"2026-01-11T22:10:58.990Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:17.264Z","updated_at":"2026-01-12T00:01:00.919Z","avatar_url":"https://github.com/wickett.png","language":"Go","readme":"# lambhack\nA vulnerable serverless lambda application. It is certainly a bad idea to base any coding patterns on what you see here.\n\nlambhack allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks and more.\n\nThis first release only contains arbitrary code execution through the query string.  
Please feel free to contribute new vulnerabilities.\n\n## What can you do with lambhack?\n\nSee Velocity preso \u003e http://www.slideshare.net/wickett/serverless-security-are-you-ready-for-the-future\n\n## Example CMDEXE\n\nYou can pass OS commands in the query string args\n```\n$ curl \"https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=uname+-a;+sleep+1\"\n```\n\nLambda container reuse in action\n```\n$ curl \"https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1\"\n\n$ curl \"https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=touch+/tmp/wickettfile;+sleep+1\"\n\n$ curl \"https://XXXX.execute-api.us-east-1.amazonaws.com/prod/lambhack/c?args=ls+/tmp;+sleep+1\"\n```\n\n## Setup\n\n```\ngo get github.com/wickett/lambhack\n```\n\nIn case you are new to golang, this clones the project to `$GOPATH/src/github.com/wickett/lambhack`\n\nNow you need to set up your AWS user and local credentials.  I recommend setting up creds in `.aws/credentials` and using a profile called sparta with limited perms. \n\n## License\nMIT License\n\n## Contributing\nSend in PRs\n\n## Known Problems\n* No UI!\n* No XSS attacks\n* No Injection attacks\n* No auth attacks\n* ....\n\nWould love some help! \n","funding_links":[],"categories":["Sorted by Technology and Category","Hacking Playground","Vulnerable Test Targets","Capture The Flag"],"sub_categories":["Cloud-Focused"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwickett%2Flambhack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwickett%2Flambhack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwickett%2Flambhack/lists"}