Giter VIP home page Giter VIP logo

gcpgoat's Introduction

GCPGoat : A Damn Vulnerable GCP Infrastructure

Compromising an organization's cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications, is all an attacker needs to compromise the entire infrastructure. Since the cloud is relatively new, many developers are not fully aware of the threatscape and they end up deploying a vulnerable cloud infrastructure.

GCPGoat is a vulnerable by design infrastructure on GCP featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfiguration based on services such as IAM, Storage Bucket, Cloud Functions and Compute Engine. GCPGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach.

GCPGoat uses IaC (Terraform) to deploy the vulnerable cloud infrastructure on the user's GCP account. This gives the user complete control over code, infrastructure, and environment. Using GCPGoat, the user can learn/practice:

  • Cloud Pentesting/Red-teaming
  • Auditing IaC
  • Secure Coding
  • Detection and mitigation

The project will be divided into modules and each module will be a separate web application, powered by varied tech stacks and development practices. It will leverage IaC through terraform to ease the deployment process.

Hits

Developed with ❤️ by INE

drawing

Built With

  • Google Cloud Platform (GCP)
  • React
  • Python 3
  • Terraform

Vulnerabilities

The project is scheduled to encompass all significant vulnerabilities including the OWASP TOP 10 2021, and popular cloud misconfigurations. Currently, the project contains the following vulnerabilities/misconfigurations.

  • XSS
  • Insecure Direct Object reference
  • Server Side Request Forgery on Cloud Function
  • Sensitive Data Exposure and Password Reset
  • Storage Bucket Misconfigurations
  • IAM Privilege Escalations

Getting Started

Prerequisites

  • A GCP Account with Administrative Privileges

Installation

Manually installing GCPGoat would require you to follow these steps:

(Note: This requires a Linux Machine, with the /bin/bash shell available)

Step 1. Clone the repo

git clone https://github.com/ine-labs/GCPGoat

Step 2. Configure the GCP User Account Credentials using gcloud CLI

gcloud auth application-default login

Step 3. Insert the Billing Account name in main.tf file

data "google_billing_account" "acct" {
  display_name = "<Your Billing Account Name>"
}

Step 4. In the same working directory use terraform to deploy GCPGoat.

terraform init
terraform apply --auto-approve

Modules

Module 1

The first module features a serverless blog application utilizing Cloud Functions, Cloud Storage Buckets, Compute Engine and Firestore. It consists of various web application vulnerabilities and facilitates exploitation of misconfigured GCP resources.

Escalation Path:

Recommended Browser: Google Chrome

Pricing

The resources created with the deployment of GCPGoat will not incur any charges if the GCP account is under the free tier/trial period. However, upon exhaustion/ineligibility of the free tier/trial, the following charges will apply for the US-East region:

Module 1: $0.03/hour

Contributors

Nishant Sharma, Director, Lab Platform, INE [email protected]

Jeswin Mathai, Chief Architect, Lab Platform, INE [email protected]

Sherin Stephen, Software Engineer (Cloud), INE [email protected]

Divya Nain, Software Engineer (Cloud), INE [email protected]

Rishappreet Singh Moon, Software Engineer (Cloud), INE [email protected]

Litesh Ghute, Software Engineer (Cloud), INE [email protected]

Sanjeev Mahunta, Software Engineer (Cloud), INE [email protected]

Screenshots

Module 1:

Contribution Guidelines

  • Contributions in the form of code improvements, module updates, feature improvements, and any general suggestions are welcome.
  • Improvements to the functionalities of the current modules are also welcome.
  • The source code for each module can be found in modules/module-<Number>/src this can be used to modify the existing application code.

License

This program is free software: you can redistribute it and/or modify it under the terms of the MIT License.

You should have received a copy of the MIT License along with this program. If not, see https://opensource.org/licenses/MIT.

Sister Projects

gcpgoat's People

Contributors

s0ulix avatar nishantsharmax avatar sherinsteph avatar za avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.