- phone-home-listener. HTTP endpoint logging all incoming requests and their parameters, query string and bodies. Attacker-owned resource.
- compromised-npm-package. Useful NPM package that was hacked and had malicious code injected. 3rd party-owned, compromised by the attacker.
Application examples, from vulnerable to protected:
- leak-env-vars-poc. Vulnerable Lambda function that uses compromised-npm-package. Leaks environment variables. Part of the application.
- leak-env-vars-poc-fetch-secrets-runtime. Improved Lambda function that doesn't leak app secrets directly. Still leaks temporary credentials. Part of the application.
- leak-env-vars-poc-outbound-blocked. Further improved Lambda function that has no oubound connection to the Internet. Doesn't leak any secrets. Part of the application.
- leak-env-vars-poc-fetch-secrets-runtime. Lambda function that has outbound connection to the Internet and whitelists allowed destinations. Part of the application.
Each of the applications has function code in
lambda folder and infrastructure scripts in the
Example usage. This deploys both cloud resources and the code:
aws configure # skip if AWS credentials are already set