Attack and Defence in AWS: Chaining vulnerabilities to go beyond the OWASP Top 10

Date 13-08-2020 Time: 10.00 AM to 2.00 PM IST Fee: $530

Venue: Website
aevent Security Event - Attack and Defence in AWS: Chaining vulnerabilities to go beyond the OWASP Top 10

Event Duration: 4 Days

Attacking the most popular cloud provider - AWS, requires the knowledge of how different services are setup, what defences do we need to bypass, what service attributes can be abused, where can information be leaked, how do I escalate privileges, what about monitoring solutions that may be present in the environment and so on! We try to answer these questions through this training which will attempt to take you on a journey as an attacker, focused on breaking apps and servers in AWS through various interactive and hands-on scenario driven labs.

As an attacker or defender, if you have ever asked any of the following, this training is for you:

  • Is there a process to attacking the cloud or do we go after the services as and when they are discovered?
  • Is SSRF the only vulnerability to access the metadata service on EC2?
  • How do I use stolen AWS secret keys to attack further?
  • How do I hide or cover my tracks in an AWS environment?
  • If I can’t see a service due to a security group, can I still attack it?
  • How do I create better wordlists to discover and exploit S3 buckets?
  • Can I impersonate other users within AWS?
  • Is there a way to extract secrets from AWS Lambda?
  • How do I prevent credential compromise in AWS?
  • How do I enumerate and move between accounts that are part of AWS organisations?

As part of the training, students will learn to enumerate, exploit and pivot across AWS. The training is created using real world attacks and exploit scenarios and news worthy AWS data breaches that stole the headlines the last couple of years.

The training will teach you the tools and techniques to find vulnerabilities across common services, uncommon endpoints and chain them to perform post exploitation within AWS truly going beyond the OWASP Top 10.

Course Outline

The following section lists the topics that will be covered. The topics listed below will be hands-on in nature and the trainers will assist the students to complete the exercises as they are built.

  • Getting started and setting up
    As attackers we need to ensure we have all the tools and access to our targets. We will setup the attacker machine and deploy our target infrastructure for the training
    • Setting up the student virtual machine
    • Setting up users in the AWS cloud environment
    • Configuring access for CLI
    • Creating the attacker infrastructure
    • Verifying the setup and getting started with the attacks
  • Scenario 1 – Misconfigured IAM and a confusing SSRF
    This scenario covers an exploitation setup where the attacker will first gain access to data from a web application, use that information to construct additional payloads to gain access to EC2 and then move into the cloud layer.
    • Web Application Vulnerabilities from an AWS perspecitve
    • Abusing IMDSV2 to gain privileged access to instances
    • AWS Enumeration for post exploitation
    • Privileged command execution to protected EC2
    • Defence discussions and proof of concept
  • Scenario 2 - The OSINT to Shell Story
    This scenario covers various information gathering techniques that can be used to identify vulnerable AWS instances and services and use that to gain access to data and the get a foothold into the cloud layer.
    • OSINT techniques to identify exposed services of an organisation
    • Using OSINT to perform Internet scale recon
    • Creating custom wordlists based on target profiles
    • Enumerating and exploiting S3 buckets using insecure policies and ACLs
    • Tools and techniques for discovering, stealing AWS security credentials
    • Enumerating AWS infrastructure using stolen access security credentials
    • Privilege escalation using mis-configured IAM roles
    • Defence discussions and proof of concept
  • Scenario 3 – A WAF, an SSRF and a protected S3
    This scenario will walk you through the events of the CapitalOne breach and how the attacker went from no access to privileged access to data in a protected S3 bucket.
    • OSINT techniques to identify email accounts of an organisation
    • Bypassing WAF to perform SSRF attacks
    • Abusing access to identify AWS services
    • Gaining access to S3 buckets
    • Password cracking for protected content
    • Defence discussions and proof of concept
  • Scenario 4 - A vulnerable lambda, tokens and RDS
    This scenario covers the attacks on a product that uses AWS services to process information. the attacker will use some reverse engineering, attacks on a lambda endpoint and work with database information leaked from there to extract data from an AWS RDS.
    • Proxying thick client traffic
    • Attacking lambda to leak information
    • Attacking RDS from lambda
    • Staying stealthy by disrupting logging
    • Defence discussions and proof of concept
  • Scenario 5 - Hidden Secrets, S3 and Stealing EBS
    This scenario covers the path an attacker takes to identify misconfigurations in web applications and AWS S3 to allow access to data along with privileged access to EC2 snapshots that leads to additional credential and data theft
    • Identifying AWS S3 usage in web applications
    • A primer on JavaScript analysis to identify security weaknesses
    • Gaining access to the cloud layer
    • Analysis of EC2 snapshots to find saved, shared secrets
    • Additional shell access to internal networks via pivoting
    • Defence discussions and proof of concept

Capture the flag

We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate key concepts and skills that you would have gained over the course of 2 days of the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and what are the concepts that you need to practice more.

  • Hands on challenges for the attendees
  • Walkthrough of all challenges

Who should attend?

  • Pentesters and Security Testers
  • Security Professionals
  • Cloud/IT Professionals
  • DevSecOps Professionals


The pre-requisites are very minimal. The way our training is designed, a basic understanding of the following concepts can get you up and running through the exercises in no time

  1. Familiarity with the AWS console - The console is very intuitive and can be used by folks who have never seen it before
  2. Familiarity with Security Testing Basics like XSS, SQL Injection etc. - We will be using multiple common security weaknessesses to provide us with a foothold into AWS
  3. Some experience with using tools like nmap and Burp - We will be sparingly using these tools and even when we are, the steps are all documented :)
  4. Comfortable with having used a terminal program like cmd or bash. We will be running some commands over SSH and bash. Again, this is documented!
  5. Basics of HTTP and JavaScript - If you know how to view source and search through web pages, you are already setup
  6. Basics of networking - If you know to ping and find your IP address using the command line, you are good to follow what's happening in class

Hardware and Software Requirements

    • Laptop with a modern OS Windows 10/OSX/Linux
    • At least 8 GB RAM and 30 to 40 GB of disk space free - we will be running a virtual machine
    • Updated browsers such as Chrome, Firefox
    • Ability to connect to a wireless/wired network
    • Most important - A working AWS account activated for payments - Login into AWS > Go to Services > EC2. If you don't see any errors, you should be good to go!

What not to expect

      • DevOps concepts
      • How to build out cloud infrastructure
      • A lot of theory

Student Giveaways

    • Complete training hands-on guide.
      • This will be in an e-book formats such as ePub, Mobi, PDF
    • References and links for further studying
    • One-month access to exclusive training slack channel
        • This is to ensure that if you are practicing after the class, you have us available to guide and answer questions
        • This also provides a platform for class to continue the discussions online

      About Trainer

      Riyaz Walikar currently works as the Head of Security Research and Testing at Appsecco. His team primarily works on identifying vulnerabilities in cloud solutions, container technologies, web app frameworks, maritime systems and anything else that can be reused by the larger security community. In the past, he has led multiple security testing teams, including the one at Appsecco which is responsible for the assessment and delivery of Web, Mobile Application, Infrastructure and Cloud Security Testing engagements.

      Riyaz is an OSCP and CREST certified web application and network pentester, security evangelist and researcher. He has been active in the security community for the better part of the last 13 years. He has been actively involved with the Bangalore OWASP and null chapter for the last 7 years and is one of the OWASP Bangalore chapter leads.

      Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf and OWASP AppsecUSA. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.

        • Some of the trainings/workshops by Riyaz Walikar include:
          • Web Security Testing 101 at Govt. Dept., Bangalore 2017
          • Xtreme Web Hacking at nullcon Goa 2012, 2013, 2014, 2015, 2016
          • Cloud Security for Devs & Ops – nullcon 2017
          • Breaking and Pwning Apps and Servers on AWS - nullcon 2018, nullcon 2019, nullcon 2020
          • Attack and Defence in AWS: Chaining vulnerabilities to go beyond the OWASP Top 10 - TROOPERS20 (Coming Up)
          • Ninja Level Infrastructure Monitoring – DefCon 2016
          • Xtreme Web Hacking (CTF Style) – c0c0n 2015, 2016, 2017
          • Secure Web Programming 2-day training at HackerRank Bangalore 2017
          • Some of the talks given by Riyaz Walikar include
          • A Pentester's Methodology to Discover and Exploit Windows Privilege Escalation flaws – c0c0n 2015, nullcon 2016
          • Esoteric XSS Payloads – c0c0n 2016
          • The Whys and Hows of Cyber Attacks – Keynote at SAP Security Summit, Bangalore 2016
          • Pentesting an ELK Stack – DevOpsDays India, Bangalore 2016
          • Poking Servers with Facebook – AppsecUSA 2012, BlackHat Abu Dhabi 2012, c0c0n 2013
          • Threats with Online Gaming – c0c0n 2017
          • Safety Not Guaranteed - JSFoo 2017
          • Captain Marvellous JavaScript - A look at how hackers use JS - JSFoo Coimbatore 2019
          • Raining Shells in AWS by chaining vulnerabilities - OWASP Bay Area August 2019
          • API Security Testing - null Bangalore January 2020 meetup

More information Source: