Cloud & Web App Pentesting Resources

A collection of resources I've found to be useful for upskilling in cloud and web-app penetration testing

Dusting this blog off and putting it to use...

It's been a while since I posted anything. I've been fairly heads down in studying, training, and other certifications. I don't need to bore you with the details, but I recently just pass my GCPN certification (GIAC Cloud Penetration Tester). As someone who uses discord kinda sparingly, I thought I might write up some good resources I've found that are useful to help folks in upskilling - specifically in Cloud- and Web-App pentesting. I'm trying to gain skills in those areas, as it's my preferred long term area of focus as a pentester. This might be a regurgitation of information you already know, but I'm trying to build the habit of blogging more, and this hopefully will get me off my butt and post my 2023 HHC (4 months later... Santa will not be pleased 🤣).

I might update this as time goes on. Also full caveat - some of the resources may be redundant, and reference one another. However, I'm specifically calling out resources I've heard as recommended from peers and around the interwebs.

Free(ish) Resources

Cloud Penetration Testing

Some of these cloud pentesting resources mentioned technically aren't free, as some require you to actually work in the cloud, so you're going to be paying for the resources you spin up. That being said, it should be relatively cheap, at least compared to a SANS course.

Cloud Agnostic

AWS

  • CloudGoat - Vulnerable by design AWS deployment tool. Awesome walkthroughs that are already documented in the repo. https://github.com/RhinoSecurityLabs/cloudgoat
  • IAM Vulnerable - another great BishopFox resource which helps you hone your AWS IAM privesc skills. Technically in the paid section, since you'll have to pay for the AWS resources. Should be relatively affordable, especially if you tear down resources as you're not using them. https://github.com/BishopFox/iam-vulnerable

Azure

Web App Penetration Testing

  • Aman Hardikar's Hacking Challenges Mind Map - mentioned above in the cloud penetration testing section, but has a ton more resources for Web Apps. https://www.amanhardikar.com/mindmaps/Practice.html
  • Natas - from the folks that brought you overthewire and taught millions (maybe even you!) to get familiar with the Linux CLI. This is their take on web apps. Tons of walkthroughs already exist online as well. https://overthewire.org/wargames/natas/
  • PortSwigger Academy - BurpSuite's creators have a wealth of knowledge on web app penetration testing. They've recently (as of late 2023/early 2024) have begun to revamp their learning modules. They also continually add content, like about LLMs given the AI craze, which is helpful! Link: https://portswigger.net/web-security
  • More to come... need to dig up some more resources from my notes!

Paid Resources

Will populate this section as I'm completing some online courses. Stay tuned!