Security pros from INE enjoyed a double billing at Black Hat USA yesterday (August 10) as they showcased penetration testing tools AWSGoat and AzureGoat.
Amazon Web Services (AWS) and Microsoft Azure are two of the biggest names in cloud infrastructure, along with Google Cloud Platform (GCP).
With the cloud still a relatively new phenomenon, many developers are not fully aware of the threat landscape and can inadvertently deploy vulnerable cloud infrastructure.
Sometimes a simple misconfiguration or web app vulnerability is all an attacker needs to completely compromise an organization’s environment.
Preemptive attacks
Showcased during the Black Hat Arsenal sessions in Las Vegas this week, AWSGoat and AzureGoat are aimed at providing security enthusiasts and pen testers with an easy-to-deploy vulnerable infrastructure.
Here, they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS or Azure account.
The vulnerable-by-design infrastructure showcases the dangers of the OWASP Top 10 web application security threats.
AWSGoat also features misconfigurations based on services such as IAM, S3, API Gateway, Lambda, EC2, and ECS.
While the developers of AWSGoat said there were “numerous tools and vulnerable applications” available for AWS, this is not the case with Azure.
“AzureGoat is our attempt to shorten the gap,” the team from IT and security training firm INE said. “There are far fewer options available to the community.”
The user will be able to deploy AzureGoat on their Azure account using a pre-created Docker image and scripts. Once deployed, the AzureGoat can be used for target practice and be conveniently deleted later.
All the code and deployment scripts for both AWSGoat and AzureGoat have been made open source.
Source: https://portswigger.net/daily-swig/black-hat-usa-deliberately-vulnerable-aws-azure-cloud-infrastructure-is-a-pen-testers-playground