fwd:cloudsec 2023

Hillai Ben-Sasson

Hillai Ben-Sasson is a security researcher based in Israel. As part of the Wiz Research Team, Hillai specializes in research and exploitation of web applications, application security, and finding vulnerabilities in complex high-level systems.


Session

06-12
15:50
20min
Scanning the internet for external cloud exposures
Nir Ohfeld, Hillai Ben-Sasson

Remote hacking of traditional web applications is a widely-discussed topic with many tools and resources. However, penetration testing of publicly exposed cloud resources remains uncharted territory. Many devastating configuration mistakes can go unnoticed simply because of a lack of proper scanning tools. In this talk, we will demonstrate practical approaches to scanning and exploiting exposed cloud resources by showcasing newly developed methodologies for discovering these issues from external sources.

This session will cover several cloud services that may be erroneously configured as publicly accessible, including AWS and Azure queues, notification channels, managed identity providers, and various managed storage services. We will examine how each of these services can inadvertently be made available to the public, how to scan for them externally, and potential exploitation methods.

Furthermore, we will provide statistics on the prevalence of exposed services found on the internet and our assessment of the issue's scale.

Join us to learn how to scan and map any organization's external cloud exposure, finding misconfigurations and vulnerabilities at scale.

Control & data
Salon C