Bring Out the ServerlessGoat
- Make the project open source and free for everyone to use
- Simple and straightforward deployment
- Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)
- Design the application to be realistic, and include common 'bad-practices', rather than forcing it to be vulnerable artificially
Given these key principles, we chose to develop and package the application as an AWS SAM application that is available for deployment through the AWS Serverless Application Repository. This meant we had to restrict ourselves to the supported SAM policy templates for the function's permissions. While that decision limited the capabilities available to us, it brought two important benefits:
- The application uses "default" serverless application repository permissions, making it more realistic
- The deployment doesn't create custom IAM roles or resource policies, which simplifies installation and makes the project more visible in the Serverless Application Repository (applications that create custom IAM roles or resource policies are hidden from the listing until the user explicitly opts in to seeing them)
The project is free and open source.
Information About The Application
The application is a service which receives a URL to a Word document (with a .doc extension - Office 97-2004), and will reply with an HTML page containing the extracted text.
The vulnerabilities currently included are (* spoiler alert! *):
- Event-data injection, leading to OS command injection (SAS-01)
- Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure
- Insecure Serverless Deployment Configuration, leading to sensitive data exposure (SAS-03)
- Over-privileged function permissions & roles, leading to DB data leakage and S3 bucket data tampering (SAS-04)
- Inadequate function monitoring and logging (SAS-05) - the application doesn't properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)
- Insecure 3rd Party Dependencies (SAS-06)
- Application layer Denial of Service (SAS-08), which can be easily demonstrated
- An undisclosed *critical* issue, as a bonus!
- The official OWASP ServerlessGoat project page: https://www.owasp.org/index.php/OWASP_Serverless_Goat
- The official OWASP Git repository: https://github.com/OWASP/Serverless-Goat
- AWS Serverless Application Repository page