You’ve learned individual AWS exploits and pentesting techniques. But how do you put it all together? Enter AWSGoat: a deliberately vulnerable AWS infrastructure featuring OWASP security risks and misconfigurations based on AWS services.

In other words, AWSGoat is a realistic training ground for AWS exploitation techniques. As long as you have an AWS account with administrative privileges, you can deploy AWSGoat and pentest it to your heart’s content. A similar project for Azure - AzureGoat - is also now available to the community. 

A realistic training environment

With AWS and Azure evolving constantly, companies are often unable to keep up with new vulnerabilities. Featuring the latest exploits, AWSGoat and AzureGoat provides a realistic training ground for security professionals, according to Jeswin Mathai, INE’s Chief Architect for Lab Platforms. “AWSGoat bridges the gap between training and the real world by mimicking real-world infrastructure,” said Mathai. “In our previous AWS Security bootcamps, we taught individual exploit techniques. But there wasn’t an actual training ground where students could put it all together. With this tool, we’ve filled that void.”

Indeed, AWSGoat’s first module features a serverless blog application utilizing AWS Lambda, S3, API Gateway, and DynamoDB. This application consists of the latest OWASP (2021) vulnerabilities and contains other misconfigurations based on AWS services. At the time of writing, there is no other project that focuses both on the OWASP Top 10 (2021) and AWS.

The AWSGoat interface, featuring a serverless blog application.

Developed with ❤️ by INE

AWSGoat was built by our very own (and very stellar) lab platform team, to contribute back to the security community. Its name stems from OWASP’s WebGoat and WebWolf projects, where WebGoat – representing prey — is easily targetable by WebWolf, which represents an attacker machine.

The team also made special efforts to ensure the realism of both deliberately vulnerable infrastructures. “We looked at the most common attacks that occur in cloud deployments, and the context in which they occurred,” said Mathai. “To make AWSGoat and AzureGoat as realistic as possible, our team weaved these common exploits into everyday WebApps — you’ll notice that the first module simulates our company blog.” 

An overview of the different escalation paths in AWSGoat. Besides the frontend blog application, an attacker can leverage misconfigurations in the various AWS services used.

The future for AWSGoat

AWSGoat has already gained traction and garnered positive reception from the community. It has been presented at conferences such as BlackHat USA 2022, at the OWASP Singapore Chapter and DEF CON 30’s Demo labs.

Although in their infancy, the team has ambitious plans for AWSGoat and AzureGoat. The next module is already under development and will feature an internal HR Payroll application, utilizing AWS ECS infrastructure. Future editions include defense/mitigation aspects including Security Engineering, Secure Coding, and Monitoring and Detecting Attacks. Similar modules are in the roadmap for AzureGoat as well. “People will learn to exploit vulnerabilities, patch misconfigurations and coding flaws, and use monitoring services to detect attacks — all in one environment,” said Mathai. “This will be a massive project in years to come.”

***

Interested in trying AWSGoat for yourself? Check out the GitHub repo here, or refer to the solutions here.