English | 中文
Terraform Goat is HuoXian research team' "Vulnerable by Design" multi cloud deployment tool.
Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei Cloud, Amazon Web Services, Google Cloud Platform, Microsoft Azure.
| ID | Cloud Service Company | Types Of Cloud Services | Vulnerable Environment |
|---|---|---|---|
| 1 | Tencent Cloud | Object Storage | Bucket Object Traversal |
| 2 | Tencent Cloud | Object Storage | Unrestricted File Upload |
| 3 | Alibaba Cloud | Object Storage | Bucket Object Traversal |
| 4 | Alibaba Cloud | Object Storage | Object ACL Writable |
| 5 | Alibaba Cloud | Object Storage | Special Bucket Policy |
| 6 | Alibaba Cloud | Object Storage | Unrestricted File Upload |
| 7 | Huawei Cloud | Object Storage | Object ACL Writable |
| 8 | Huawei Cloud | Object Storage | Special Bucket Policy |
| 9 | Huawei Cloud | Object Storage | Unrestricted File Upload |
| 10 | Huawei Cloud | Object Storage | Bucket Object Traversal |
| 11 | Amazon Web Services | Object Storage | Bucket Object Traversal |
| 12 | Amazon Web Services | Object Storage | Special Bucket Policy |
| 13 | Amazon Web Services | Object Storage | Unrestricted File Upload |
| 14 | Amazon Web Services | Object Storage | Object ACL Writable |
| 15 | Amazon Web Services | Elastic Computing Service | EC2 SSRF |
| 16 | Google Cloud Platform | Object Storage | Bucket Object Traversal |
| 17 | Google Cloud Platform | Object Storage | Object ACL Writable |
| 18 | Google Cloud Platform | Object Storage | Bucket ACL Writable |
| 19 | Google Cloud Platform | Object Storage | Unrestricted File Upload |
| 20 | Microsoft Azure | Object Storage | Blob Public Access |
Terraform Goat is built using Dockerfile, so you need to install the Docker environment first. For the Docker installation method, please refer to: https://docs.docker.com/get-docker/
git clone https://github.com/HuoCorp/TerraformGoat.git
cd terraformgoat
docker build -t terraformgoat:v0.1 .
After docker build is complete, start and enter the container
docker run -itd --name terraformgoat terraformgoat:v0.1
docker exec -it terraformgoat /bin/bashWhen entering the container, you need to select the cloud service to run
After selecting the cloud service you want to use, the relevant dependencies will be installed. After the relevant dependencies are installed, you can use terraformgoat.
docker stop terraformgoat
docker rm terraformgoat
docker rmi terraformgoat:v0.1- The README of each vulnerable environment is executed within the terraformgoat container environment, so the terraformgoat container environment needs to be deployed first.
- Due to the horizontal risk of intranet horizontal on the cloud in some ranges, it is strongly recommended that users use their own test accounts to configure the ranges, avoid using the cloud account of the production environment, and install Terraform Goat using Dockerfile to isolate the user's local cloud vendor token and the test account token.