AWSGoat is a vulnerable-by-design infrastructure on AWS that covers the most recent OWASP Top 10 web application security vulnerabilities (2021) as well as additional misconfigurations in services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. It follows a black-box approach, offers several privilege escalation paths, and replicates real-world infrastructure with deliberately introduced flaws.
The AWSGoat project was created by the INE team, who presented it at the OWASP Singapore chapter and at the recent Black Hat 2022 conference. The same team also created AzureGoat, the Microsoft Azure counterpart. The following vulnerabilities and misconfigurations are present in both projects:
- XSS
- SQL Injection
- Insecure Direct Object Reference
- Server-Side Request Forgery on App Function Environment
- Sensitive Data Exposure and Password Reset
- Storage Account Misconfigurations
- Identity Misconfigurations
An AWS account (or, for AzureGoat, an Azure account) and an AWS access key with administrative privileges are required to use AWSGoat. To deploy it, users fork the AWSGoat repository, add their AWS account credentials to GitHub Secrets, and run the Terraform Apply Action. This deploys the full infrastructure and outputs the URL of the hosted application. A manual deployment procedure is also available.
Once the project has been deployed, users can work through a module that includes a serverless blog application built on AWS Lambda, S3, API Gateway, and DynamoDB. The module contains a number of web application bugs and allows the misconfigured AWS resources to be exploited as part of the exercises. A companion playlist is also available on YouTube. AzureGoat likewise includes a serverless blog application using Azure App Functions, Storage Accounts, CosmosDB, and Azure Automation. More modules will be added to both projects in the future.