OWASP ServerlessGoat: Learn Serverless Security By Hacking and Defending


You could call it a guinea pig. Or maybe, a scapeGoat.


Deliberately vulnerable applications have gained popularity in recent years as a way to learn and demonstrate application security concepts. Years ago, OWASP launched the WebGoat project, which has since become the gold standard and to this day remains one of the most popular platforms for teaching web application security.

The Open Web Application Security Project (OWASP) recently launched the serverless counterpart to WebGoat, named ServerlessGoat, which was contributed by serverless security vendor PureSec.

As serverless adoption is expected to continue growing in 2019 and reach new audiences, OWASP sees the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This project will hopefully expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best-practices.

The OWASP ServerlessGoat application is packaged as an AWS SAM application that's available for deployment through the AWS Serverless Application Repository. This provides three important benefits:

  1. A single-click installation process: no compilation, building or packaging required.
  2. The application uses default serverless application repository permissions (SAM policy templates), making it more realistic.
  3. The deployment doesn't create custom IAM roles or resource policies in the account in which it is deployed.


What Will You Learn From OWASP ServerlessGoat?

The application is a service built entirely on AWS Lambda: it receives a URL to a Microsoft Word document and replies with an HTML page containing the extracted text.

The vulnerabilities that are included were taken from the Serverless Security Top 10 Guide, available through the following GitHub repository, and include:

  • Event-data injection (SAS-01)
  • Insecure Serverless Deployment Configuration (SAS-03)
  • Over-privileged function permissions & roles (SAS-04)
  • Inadequate function monitoring and logging (SAS-05)
  • Insecure 3rd Party Dependencies (SAS-06)
  • Application layer Denial of Service (SAS-08)
  • Improper exception handling and verbose error messages (SAS-10)
  • And a few undisclosed vulnerabilities, left as a bonus.
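As an added example (not part of the article or of the ServerlessGoat code), here is how a Lambda handler for this kind of document-conversion service can mitigate two of the classes above, SAS-01 and SAS-10: the event field is validated as a URL before any use, and the caller receives only a generic error while the detail goes to the function log. The `document_url` field name and the API Gateway event shape are assumptions.

```python
import json
import logging
import re
from urllib.parse import urlsplit

# Constructed Lambda handler for a service that takes the URL of a Word document
# over HTTP. Added illustration of mitigating SAS-01 and SAS-10; not project code.
logger = logging.getLogger(__name__)
ALLOWED_SCHEMES = {"http", "https"}
# RFC 1123 hostname labels; anything else in the host component is rejected.
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
                     r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

class InvalidDocumentUrl(ValueError):
    """The event does not carry an acceptable document URL."""

def validate_document_url(raw):
    """Return the URL unchanged if it is a plain http(s) URL to a .doc/.docx,
    otherwise raise InvalidDocumentUrl. The value is only ever used as a URL
    for an HTTP client; it must never be interpolated into a shell command."""
    if not isinstance(raw, str) or not 0 < len(raw) <= 2048:
        raise InvalidDocumentUrl("document_url must be a non-empty string (max 2048)")
    try:
        parts = urlsplit(raw)  # urlsplit keeps ';' in the path, unlike urlparse
    except ValueError:
        raise InvalidDocumentUrl("malformed URL")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise InvalidDocumentUrl("scheme must be http or https")
    if parts.username or parts.password or not parts.hostname:
        raise InvalidDocumentUrl("URL must have a host and no embedded credentials")
    if not HOST_RE.match(parts.hostname):
        raise InvalidDocumentUrl("host is not a valid hostname")
    if parts.fragment or not parts.path.lower().endswith((".doc", ".docx")):
        raise InvalidDocumentUrl("path must end in .doc or .docx")
    return raw

def handler(event, context):
    """API Gateway style entry point: validate the event, then hand off."""
    try:
        body = json.loads(event.get("body") or "{}")
        url = validate_document_url(body.get("document_url") if isinstance(body, dict) else None)
    except (ValueError, TypeError) as exc:
        # Full detail goes to the function log for operators (SAS-05); the
        # caller gets a generic message, not a stack trace (SAS-10).
        logger.warning("rejected document request: %s", exc)
        return {"statusCode": 400, "body": json.dumps({"error": "invalid document URL"})}
    # Conversion would follow here, fetching `url` with an HTTP client.
    return {"statusCode": 200, "body": json.dumps({"accepted": url})}
```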

Deploying and Using OWASP ServerlessGoat

The installation of ServerlessGoat was designed with simplicity as a key principle. Unlike previous "Goat" applications, ServerlessGoat requires only a single click to deploy into your AWS account, which makes getting up and running a smooth experience.


Deployment steps:

  1. Make sure you are logged into your AWS account
  2. Click on the following link: AWS Serverless Application Repository
  3. Click "Deploy"
  4. Click "Deploy" (again)
  5. Wait until you see the message: "Your application has been deployed"
  6. Click on "View CloudFormation Stack"
  7. Under "Outputs" you will find the URL for the application (WebsiteURL)

If you don't have an AWS account, you can always use the version hosted by PureSec at https://www.serverless-hack.me/

Need a Cheat-Sheet? How About the Source Code?

As with all OWASP projects, ServerlessGoat is open source under the AGPLv3 license, so you can learn from the source code available in the following GitHub repo. The project also includes a cheat-sheet in the Lessons.md file.

