CloudFoxable: Open-source AWS penetration testing playground
CloudFoxable is a capture-the-flag (CTF) style learning platform you can deploy to your playground AWS account. It primarily targets current penetration testers seeking to learn exploitation of cloud-native attack paths, and cloud security experts aiming to practice offensive security techniques safely.
“What makes it unique is the design principle of starting from the beginning so that everyone can complete at least a few challenges and build up slowly. There are currently 19 individual challenges you can solve. Still, the first few start very simply,” Seth Art, the creator of CloudFoxable and Principal Security Consultant at Bishop Fox, told Help Net Security.
“The first challenge involves grabbing a secret out of Secrets Manager – because, honestly, on some penetration tests we perform, the easiest path is sometimes the most impactful. Let’s say a developer has access to all the secrets in the Secrets Manager service in the development AWS account, but someone stored secrets for the production environment there. This might mean that any developer accessing the development AWS account can access production data and more. For some organizations, that might be a high-severity finding depending on what secrets are stored in Secrets Manager or what data is in the production account,” Art added.
The future plan for CloudFoxable involves creating challenges with attack paths that span multiple accounts to teach players about the common misconfigurations to watch out for.
CloudFoxable is available for free on GitHub.
More to consider: