Compromising an organization's cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications, is all an attacker needs to compromise the entire infrastructure. Since the cloud is relatively new, many developers are not fully aware of the threatscape and they end up deploying a vulnerable cloud infrastructure.
AWSGoat is vulnerable by design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfiguration based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach.
The project will be divided into modules and each module will be a separate web application, powered by varied tech stacks and development practices. It will leverage IaC through terraform and GitHub actions to ease the deployment process.
- Python 3
The project is scheduled to encompass all significant vulnerabilities including the OWASP TOP 10 2021, and popular cloud misconfigurations. Currently, the project contains the following vulnerabilities/misconfigurations.
- SQL Injection
- Insecure Direct Object reference
- Server-Side Request Forgery on Lambda Environment
- Sensitive Data Exposure and Password Reset
- S3 Misconfigurations
- IAM Privilege Escalations
- ECS Container Breakout
- An AWS Account
- AWS Access Key with Administrative Privileges
To ease the deployment process the user just needs to fork this repo, add their AWS Account Credentials to GitHub secrets, and run the Terraform Apply Action. This workflow will deploy the whole infrastructure and output the hosted application's URL.
Here are the steps to follow:
Step 1. Fork the repo
Step 2. Set the GitHub Action Secrets:
Step 3. From the repository actions tab, select the module to deploy and run the Terraform Apply Workflow.
Step 4. Find the application URL in the Terraform output section.
The first module features a serverless blog application utilizing AWS Lambda, S3, API Gateway, and DynamoDB. It consists of various web application vulnerabilities and facilitates the exploitation of misconfigured AWS resources.
The second module features an internal HR Payroll application, utilizing the AWS ECS infrastructure. It consists of various web application vulnerabilities and facilitates the exploitation of misconfigured AWS resources.