
OWASP ‘ServerlessGoat’: A Vulnerable Demo Serverless Application

Throughout the years, the concept of creating vulnerable applications for learning and demonstrating application security concepts has become common practice. Years ago, OWASP launched the WebGoat project, which has since become the gold standard and to this day is still one of the most popular platforms for teaching web application security.


Bring Out the ServerlessGoat

As serverless adoption is expected to continue growing in 2019 and reach new audiences, we see the importance of education on topics such as how to build robust, secure and reliable AWS Lambda serverless applications. This is why we decided it was time to launch a vulnerable serverless application project. This project will hopefully expose developers and security practitioners to basic serverless security concepts, risks, attacks and mitigation best practices.
 
There were a few key principles that we wanted to follow when designing this demo vulnerable application:
  1. Make the project open source and free for everyone to use
  2. Simple and straightforward deployment
  3. Demonstrate as many serverless security bad practices as possible (we will keep adding more issues, but also hope to see community contributions)
  4. Design the application to be realistic, and include common ‘bad-practices’, rather than forcing it to be vulnerable artificially

Given these key principles, we chose to develop and package the application as an AWS SAM application that’s available for deployment through the AWS Serverless Application Repository – however, this meant that we had to use the supported SAM policy templates. While this decision imposed some limitations on the capabilities available to us, it presented two important benefits:

  1. The application uses “default” serverless application repository permissions, making it more realistic
  2. The deployment doesn’t create custom IAM roles or resource policies, which simplifies the installation and makes the project more visible in the serverless app repo

The project is free and open source.

Information About The Application

The application is a service which receives a URL to a Word document (with a .doc extension – Office 97-2004), and will reply with an HTML page containing the extracted text.

The vulnerabilities that are included are (* spoiler alert! *):

  1. Event-data injection, leading to OS command injection (SAS-01)
  2. Improper exception handling and verbose error messages (SAS-10), leading to sensitive information disclosure
  3. Insecure Serverless Deployment Configuration, leading to sensitive data exposure (SAS-03)
  4. Over-privileged function permissions & roles, leading to DB data leakage and S3 bucket data tampering (SAS-04)
  5. Inadequate function monitoring and logging (SAS-05) – the application doesn’t properly log application layer attacks and errors (can be demonstrated through CloudWatch/CloudTrail)
  6. Insecure 3rd Party Dependencies (SAS-06)
  7. Application layer Denial of Service (SAS-08), which can be easily demonstrated
  8. An undisclosed *critical* issue, as a bonus!

Relevant Links


*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/serverless-goat-launch