Cloud & Web App Pentesting Resources
A collection of resources I've found to be useful for upskilling in cloud and web-app penetration testing
Dusting this blog off and putting it to use...
It's been a while since I posted anything. I've been fairly heads down in studying, training, and other certifications. I don't need to bore you with the details, but I recently passed my GCPN certification (GIAC Cloud Penetration Tester). As someone who uses Discord kinda sparingly, I thought I might write up some good resources I've found that are useful to help folks in upskilling - specifically in Cloud- and Web-App pentesting. I'm trying to gain skills in those areas, as it's my preferred long-term area of focus as a pentester. This might be a regurgitation of information you already know, but I'm trying to build the habit of blogging more, and this hopefully will get me off my butt to post my 2023 HHC (4 months later... Santa will not be pleased 🤣).
I might update this as time goes on. Also full caveat - some of the resources may be redundant, and reference one another. However, I'm specifically calling out resources I've heard as recommended from peers and around the interwebs.
Free(ish) Resources
Cloud Penetration Testing
Some of these cloud pentesting resources mentioned technically aren't free, as some require you to actually work in the cloud, so you're going to be paying for the resources you spin up. That being said, it should be relatively cheap, at least compared to a SANS course.
Cloud Agnostic
- Aman Hardikar's Hacking Challenges Mind Map - wealth of knowledge with MANY resources. I believe this was created in the 2015/2016 time frame though, so some links may not work. https://www.amanhardikar.com/mindmaps/Practice.html
- CloudFoxable - Gamified hacking sandbox from the folks over at BishopFox. Free, with a Discord server to help nudge you along the way. https://cloudfoxable.bishopfox.com/
- BadPods - Understand the impacts of Kubernetes pod misconfigurations, with BishopFox's BadPods. Plenty of documentation for each of the 8 use cases, starting with their blog post, where you can also find the GitHub repo. https://bishopfox.com/blog/kubernetes-pod-privilege-escalation
- kCTF - Google's Kubernetes CTF: https://google.github.io/kctf/
- TerraGoat - Learn the impacts of misconfigurations in Terraform. Can be configured in AWS, Azure or GCP. GitHub: https://github.com/bridgecrewio/terragoat
- CI/CD Goat - learn & practice CI/CD misconfiguration impacts. Covers the OWASP Top 10 CI/CD Security Risks. GitHub: https://github.com/cider-security-research/cicd-goat
AWS
- CloudGoat - Vulnerable by design AWS deployment tool. Awesome walkthroughs that are already documented in the repo. https://github.com/RhinoSecurityLabs/cloudgoat
- IAM Vulnerable - another great BishopFox resource which helps you hone your AWS IAM privesc skills. Technically in the paid section, since you'll have to pay for the AWS resources. Should be relatively affordable, especially if you tear down resources when you're not using them. https://github.com/BishopFox/iam-vulnerable
Azure
- PurpleCloud - Terraform Code generator to create different Azure Security Labs. The documentation site (https://www.purplecloud.network) does a great job of explaining use cases. GitHub: https://github.com/iknowjason/PurpleCloud
- BadZure - PowerShell script that spins up Azure AD tenants with security misconfigurations and multiple attack paths. GitHub: https://github.com/mvelazc0/BadZure
- AzureGoat - if you couldn't tell, Goats are popular here. Misconfigured Azure environment. GitHub: https://github.com/ine-labs/AzureGoat
- Azure Workshop - Mandiant's vulnerable by design Azure lab with common misconfigurations. GitHub: https://github.com/mandiant/Azure_Workshop
Web App Penetration Testing
- Aman Hardikar's Hacking Challenges Mind Map - mentioned above in the cloud penetration testing section, but has a ton more resources for Web Apps. https://www.amanhardikar.com/mindmaps/Practice.html
- Natas - from the folks that brought you OverTheWire and taught millions (maybe even you!) to get familiar with the Linux CLI. This is their take on web apps. Tons of walkthroughs already exist online as well. https://overthewire.org/wargames/natas/
- PortSwigger Academy - Burp Suite's creators have a wealth of knowledge on web app penetration testing. They've recently (as of late 2023/early 2024) begun to revamp their learning modules. They also continually add content, like material about LLMs given the AI craze, which is helpful! Link: https://portswigger.net/web-security
- More to come... need to dig up some more resources from my notes!
Paid Resources
Will populate this section as I'm completing some online courses. Stay tuned!