Introduction

What?

Notes on techniques used for:

• Leveraging cloud vulnerabilities identified to successfully penetrate security controls, using mostly manual attacks with only some semi-automated support.

• Gaining access to cloud application data and/or permissions (access) not previously available.

Note: Exploitation of web services may not be possible given the security controls present, the complexity of the attack (undocumented, or not enough documentation/context), and the time allotment for testing.

Why?

To overcome the challenges to build a meaningful and sustainable cloud testing practice.

How?

• Challenges and problems

• Account and privilege attacks

• Cloud-centric attacks

• Abusing misconfigurations

• Hacking CI/CD pipelines