Introduction

Thank you for using OWASP ServerlessGoat! This serverless application demonstrates common serverless security flaws as described in the Serverless Security Top 10 Weaknesses guide: https://github.com/puresec/sas-top-10

ServerlessGoat was created for the following educational purposes:

You can find more information about ServerlessGoat at: https://www.owasp.org/index.php/OWASP_Serverless_Goat

WARNING 1: This application contains vulnerabilities. Use it only for training purposes.
WARNING 2: This program is for educational purposes only. Do not attempt these techniques against systems without authorization from their owners.

NOTE: The application was developed in such a way that it should not put your AWS account at risk; the vulnerabilities that were introduced are contained within the boundaries of this specific application. Nevertheless, do not deploy the application in production environments, and prefer an isolated training account.

Deployment

ServerlessGoat is a simple AWS Lambda application which serves as an MS Word .doc to plain-text converter service. It receives the URL of a .doc file as input and returns the text inside the document to the API caller.

The application is packaged and published for deployment through the AWS Serverless Application Repository. Steps for deployment:

  1. Make sure you are logged into your AWS account
  2. Click on the following link: AWS Serverless Application Repository
  3. Click 'Deploy'
  4. Click 'Deploy' (again)
  5. Wait until you see the message 'Your application has been deployed'
  6. Click on 'View CloudFormation Stack'
  7. Under 'Outputs' you will find the URL of the application (WebsiteURL)
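The console steps above end at the stack's 'Outputs' tab. The script below is an added example, not part of the ServerlessGoat project: it reads the WebsiteURL output of the deployed CloudFormation stack with the AWS CLI, and deletes the stack once training is over (the deliberately vulnerable app should not be left running). The stack name is an assumption; the Serverless Application Repository shows the name it will use on the deploy page, so pass the one your console shows.

```shell
#!/bin/sh
# Added example (not ServerlessGoat project code). Requires the AWS CLI and
# credentials for the account the stack was deployed into.
set -eu

# Pick one value out of the "OutputKey<TAB>OutputValue" lines that
# `describe-stacks ... --output text` prints. Pure awk, so it can be exercised
# without AWS access; exits 1 when the key is absent.
pick_output() {
  key="$1"
  awk -v k="$key" -F "$(printf '\t')" \
    '$1 == k { print $2; found = 1 } END { exit (found ? 0 : 1) }'
}

# Print the WebsiteURL output of the named stack, or fail if it has none.
website_url() {
  stack="$1"
  aws cloudformation describe-stacks --stack-name "$stack" \
    --query "Stacks[0].Outputs[].[OutputKey,OutputValue]" --output text \
    | pick_output WebsiteURL
}

# Delete the stack and wait for CloudFormation to finish removing the
# Lambda functions, API, bucket and roles it created.
teardown() {
  stack="$1"
  aws cloudformation delete-stack --stack-name "$stack"
  aws cloudformation wait stack-delete-complete --stack-name "$stack"
}

# Usage: ./goat.sh url [STACK_NAME]      -> prints the WebsiteURL
#        ./goat.sh teardown [STACK_NAME] -> deletes the stack
# "serverless-goat" is an assumed default stack name; override it as needed.
case "${1:-}" in
  url)      website_url "${2:-serverless-goat}" ;;
  teardown) teardown "${2:-serverless-goat}" ;;
esac
```

Run `./goat.sh url` right after step 7 to confirm the output you saw in the console, and `./goat.sh teardown` when you are done with the lessons.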

Cheat-Sheet

The full walkthrough of the lessons (under development) can be found in the LESSONS.md file.

The following security issues exist in the application:

Acknowledgements

ServerlessGoat was initially created and contributed to OWASP by Yuri Shapira & Ory Segal, PureSec.