GCPGoat

GCPGoat is an intentionally vulnerable Google Cloud Platform (GCP) environment built for education: learning cloud security, practising penetration testing, and recognising common misconfigurations. Developed by INE, it covers the OWASP Top 10 (2021) web application security risks alongside misconfigurations in services such as IAM, Cloud Storage buckets, Cloud Functions, and Compute Engine. The infrastructure is designed to mimic a real-world deployment, with the vulnerabilities deliberately added.

GitHub

Stars: 309
Forks: 60
Last Updated: 17 Jan 2024 - 21:08

Category

GCP - IaC

Features

  1. Vulnerabilities: It covers the OWASP Top 10 (2021) together with application-layer flaws such as cross-site scripting (XSS), insecure direct object reference (IDOR), server-side request forgery (SSRF) against a Cloud Function, and sensitive data exposure and password-reset weaknesses, plus cloud-side misconfigurations such as Storage Bucket misconfigurations and IAM privilege escalation.

  2. Infrastructure as Code (IaC): GCPGoat uses Terraform to deploy the vulnerable infrastructure into the user's own GCP account, so the user has complete control over the code, the infrastructure, and the environment.

  3. Learning Opportunities: It provides a platform to learn and practise cloud pentesting and red teaming, IaC auditing, secure coding, and the detection and mitigation of vulnerabilities.

  4. Modular Design: The project is divided into modules, each featuring a separate web application with varied tech stacks and development practices, facilitating focused learning on specific aspects of cloud security.

  5. Real-world Mimicry: GCPGoat mimics real-world infrastructure with vulnerabilities, offering a realistic environment for understanding and practicing cloud security.

  6. Prerequisites and Installation: A GCP account with administrative privileges is required. Installation is straightforward: clone the repository, configure the GCP user credentials Terraform will use, and deploy with Terraform. Because every deployed resource is deliberately exploitable, use a dedicated, isolated project rather than one holding anything else, and destroy the environment when you are finished.

  7. Practical Scenarios: The tool lets users practise scenarios such as attacking Google Compute Engine, Cloud SQL instances, Google Kubernetes Engine (GKE), and Google Cloud Storage, and understanding privilege escalation in a cloud environment.
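As an added example (not code from GCPGoat or INE), the following Python script audits a Terraform plan in the JSON form that `terraform show -json plan.out` emits for the cloud-side weakness classes listed above: IAM grants to the public pseudo-members on any resource (which catches both public buckets and unauthenticated Cloud Functions), escalation-capable project roles handed to service accounts, and buckets left on legacy ACLs without uniform bucket-level access. The plan embedded in the script is constructed for illustration; the resource names, project ID and service account in it are made up, and the set of escalation-capable roles is the editor's selection, not an exhaustive one.

```python
"""
Audit a Terraform plan (output of `terraform show -json plan.out`) for the GCP
misconfiguration classes GCPGoat deploys. Added example; not GCPGoat's code.
"""
import json
import sys
from typing import Iterator

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Project-level roles that let a principal act as other identities or rewrite
# IAM policy. Granted to a service account they are a common escalation path.
# Editor's selection, not an exhaustive list.
ESCALATION_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountUser",           # actAs every SA in the project
    "roles/iam.serviceAccountTokenCreator",   # mint access tokens for any SA
    "roles/iam.serviceAccountKeyAdmin",       # create long-lived keys for any SA
    "roles/iam.securityAdmin",                # setIamPolicy on most resources
    "roles/resourcemanager.projectIamAdmin",  # rewrite the project IAM policy
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource, descending into nested child_modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def members_of(values: dict) -> set[str]:
    """*_iam_member carries one `member`; *_iam_binding carries a `members` list."""
    members = set(values.get("members") or [])
    if values.get("member"):
        members.add(values["member"])
    return members


def audit_plan(plan: dict) -> list[dict]:
    """Return one finding dict per problem found in planned_values."""
    findings: list[dict] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        rtype, addr, vals = res["type"], res["address"], res.get("values", {})
        if rtype.endswith(("_iam_member", "_iam_binding")):
            role = vals.get("role")
            # 1. Any grant to the public pseudo-members, whatever the resource type
            public = members_of(vals) & PUBLIC_MEMBERS
            if public:
                findings.append({"address": addr, "category": "public-access", "severity": "HIGH",
                                 "issue": f"{role} granted to {', '.join(sorted(public))}"})
            # 2. Escalation-capable role granted to a service account at project scope
            if rtype in ("google_project_iam_member", "google_project_iam_binding") and role in ESCALATION_ROLES:
                sas = sorted(m for m in members_of(vals) if m.startswith("serviceAccount:"))
                if sas:
                    findings.append({"address": addr, "category": "iam-escalation", "severity": "HIGH",
                                     "issue": f"{role} granted to {', '.join(sas)}"})
        elif rtype == "google_storage_bucket":
            # 3. Without uniform bucket-level access, per-object ACLs can still expose objects
            if vals.get("uniform_bucket_level_access") is not True:
                findings.append({"address": addr, "category": "bucket-hardening", "severity": "MEDIUM",
                                 "issue": "uniform_bucket_level_access is not true"})
            # A value unknown at plan time is absent from `values` and is reported too; re-check after apply
            if vals.get("public_access_prevention") != "enforced":
                findings.append({"address": addr, "category": "bucket-hardening", "severity": "MEDIUM",
                                 "issue": "public_access_prevention is not 'enforced'"})
    return findings


# Constructed sample in the shape of `terraform show -json`; names and project are made up.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "google_storage_bucket.uploads", "type": "google_storage_bucket", "name": "uploads",
         "values": {"name": "example-uploads", "location": "US", "uniform_bucket_level_access": False}},
        {"address": "google_storage_bucket_iam_member.uploads_public", "type": "google_storage_bucket_iam_member",
         "name": "uploads_public", "values": {"bucket": "example-uploads", "role": "roles/storage.objectViewer", "member": "allUsers"}},
        {"address": "google_project_iam_member.app_sa_token_creator", "type": "google_project_iam_member", "name": "app_sa_token_creator",
         "values": {"project": "example-project", "role": "roles/iam.serviceAccountTokenCreator",
                    "member": "serviceAccount:app@example-project.iam.gserviceaccount.com"}},
        {"address": "google_cloudfunctions_function_iam_member.fetch_public", "type": "google_cloudfunctions_function_iam_member",
         "name": "fetch_public", "values": {"cloud_function": "fetch-url", "role": "roles/cloudfunctions.invoker", "member": "allUsers"}},
    ],
    "child_modules": [{"address": "module.hardened", "resources": [
        {"address": "module.hardened.google_storage_bucket.logs", "type": "google_storage_bucket", "name": "logs",
         "values": {"name": "example-logs", "location": "US", "uniform_bucket_level_access": True, "public_access_prevention": "enforced"}},
        {"address": "module.hardened.google_storage_bucket_iam_binding.logs_readers", "type": "google_storage_bucket_iam_binding",
         "name": "logs_readers", "values": {"bucket": "example-logs", "role": "roles/storage.objectViewer", "members": ["group:sec-team@example.com"]}},
    ]}],
}}}


def main(argv: list[str]) -> int:
    """Audit the plan file given on the command line, or the embedded sample; non-zero exit if anything was found."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = audit_plan(plan)
    for f in findings:
        print(f"[{f['severity']}] {f['category']:16} {f['address']}: {f['issue']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the five findings from the sample, or point it at a real plan with `terraform plan -out=plan.out && terraform show -json plan.out > plan.json && python audit_plan.py plan.json`. Walking `planned_values` means the checks run before anything is created, which is where an IaC audit belongs; the hardened child module produces no findings and shows the shape a passing configuration takes.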