OWASP ServerlessGoat: Learn Serverless Security By Hacking and Defending
You could call it a guinea pig. Or maybe, a scapeGoat.
Deliberately-vulnerable applications gained popularity in recent years for the purpose of learning and demonstrating application security concepts. Years ago, OWASP launched the WebGoat project, which has since become the gold standard and to this day is still one of the most popular platforms for teaching web application security.
As serverless adoption is expected to continue growing in 2019 and reach new audiences, OWASP sees the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will hopefully expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.
- A single click installation process. No compilation, building or packaging required.
- The application uses the default Serverless Application Repository permissions (SAM policy templates), which makes it more realistic.
- The deployment creates no custom IAM roles or resource policies in the account in which it is deployed.
What Will You Learn From OWASP ServerlessGoat?
The application is a service based entirely on AWS Lambda: it receives a URL to an MS-Word document and replies with an HTML page containing the extracted text.
The vulnerabilities that are included were taken from the Serverless Security Top 10 Guide, available through the following GitHub repository, and include:
- Event-data injection (SAS-01)
- Insecure Serverless Deployment Configuration (SAS-03)
- Over-privileged function permissions & roles (SAS-04)
- Inadequate function monitoring and logging (SAS-05)
- Insecure 3rd Party Dependencies (SAS-06)
- Application layer Denial of Service (SAS-08)
- Improper exception handling and verbose error messages (SAS-10)
- And a few undisclosed vulnerabilities, left as a bonus.
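As an added illustration that is neither the ServerlessGoat code nor part of the original article, the Python handler below sketches the "URL in, extracted text out" service described above with mitigations for the injection (SAS-01), denial-of-service (SAS-08), logging (SAS-05) and error-handling (SAS-10) items applied; the `document_url` field, the function names and the API Gateway proxy event shape are assumptions.

```python
import json
import logging
import urllib.request
from urllib.parse import urlparse

logger = logging.getLogger("docservice")

MAX_URL_LEN = 2048               # bound attacker-controlled input (SAS-01)
MAX_DOC_BYTES = 5 * 1024 * 1024  # cap download size (SAS-08)
FETCH_TIMEOUT_S = 5              # cap download time (SAS-08)
ALLOWED_SUFFIXES = (".doc", ".docx")


def validate_document_url(url):
    """Allowlist-validate the caller-supplied URL; raise ValueError otherwise."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise ValueError("document_url missing or too long")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("document_url contains whitespace or control characters")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("document_url must be an absolute https URL")
    if not parsed.path.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("document_url must point at a .doc or .docx file")
    return url


def fetch_document(url):
    """Download with a timeout and a hard size cap; the URL never reaches a shell."""
    with urllib.request.urlopen(url, timeout=FETCH_TIMEOUT_S) as resp:
        data = resp.read(MAX_DOC_BYTES + 1)
    if len(data) > MAX_DOC_BYTES:
        raise ValueError("document exceeds size limit")
    return data


def _response(status, payload):
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def handler(event, context=None, fetch=fetch_document,
            extract=lambda data: data.decode("utf-8", "replace")):
    """API Gateway proxy handler; fetch/extract are injectable (hypothetical) hooks."""
    try:
        payload = json.loads(event.get("body") or "{}")
        url = validate_document_url(payload.get("document_url"))
    except (ValueError, TypeError, AttributeError) as exc:
        logger.warning("rejected request: %s", exc)                 # SAS-05: log the decision
        return _response(400, {"error": "invalid document_url"})   # SAS-10: no internals leak
    try:
        text = extract(fetch(url))
    except Exception:
        logger.exception("conversion failed")                      # details stay in the logs
        return _response(500, {"error": "conversion failed"})      # SAS-10: generic to caller
    return _response(200, {"text": text})
```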
Deploying and Using OWASP ServerlessGoat
The installation of ServerlessGoat was designed with simplicity as a key principle. Unlike previous "Goat" applications, ServerlessGoat requires only a single click to deploy into your AWS account, which makes getting up and running a smooth experience.
- Make sure you are logged into your AWS account
- Click on the following link: AWS Serverless Application Repository
- Click "Deploy"
- Click "Deploy" (again)
- Wait until you see the message: "Your application has been deployed"
- Click on "View CloudFormation Stack"
- Under "Outputs" you will find the URL for the application (WebsiteURL)
Need a Cheat-Sheet? How About the Source Code?
As with all OWASP projects, ServerlessGoat is open source under the AGPLv3 license, so you can learn from the source code available in the following GitHub repo. The project also includes a cheat-sheet in the Lessons.md file.
Opinions expressed by DZone contributors are their own.