fwd:cloudsec 2023

Scanning the internet for external cloud exposures
06-12, 15:50–16:10 (US/Pacific), Salon C

Remote hacking of traditional web applications is a widely discussed topic with many tools and resources. Penetration testing of publicly exposed cloud resources, however, remains largely uncharted territory: many devastating configuration mistakes go unnoticed simply because proper scanning tools are lacking. In this talk, we will demonstrate practical approaches to scanning and exploiting exposed cloud resources, showcasing newly developed methodologies for discovering these issues from the outside.

This session will cover several cloud services that may be erroneously configured as publicly accessible, including AWS and Azure queues, notification channels, managed identity providers, and various managed storage services. We will examine how each of these services can inadvertently be made available to the public, how to scan for them externally, and the potential exploitation methods.
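The exposures this session describes typically come down to a resource policy that grants access to an anonymous principal. As an added, defender-side illustration (not code from the talk or from Wiz), the checker below walks AWS-style resource policies of the kind attached to SQS queues, SNS topics and S3 buckets and reports Allow statements whose Principal is the wildcard and which carry no Condition block. The three sample policies, including the account ID and resource ARNs, are constructed for this example.

```python
"""Flag resource-policy statements that grant access to anonymous principals.

Added example, not part of the original talk: an offline checker over
AWS-style resource policies (the JSON attached to an SQS queue, SNS topic
or S3 bucket). It reports Allow statements with a wildcard Principal and
no Condition, which is the usual shape of an accidental public exposure.
"""


def _principal_is_public(principal) -> bool:
    """True when a Principal element matches anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_public_statements(policy: dict) -> list:
    """Return a summary of each statement that allows anonymous access unconditionally."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceAccount, aws:SourceArn) may still scope
            # the grant; such statements deserve a manual look, not an automatic flag.
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


# Constructed sample policies (account ID and ARNs are placeholders).
QUEUE_POLICY_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
    }],
}

TOPIC_POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublishFromOwnAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
}

BUCKET_POLICY_PRIVATE = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ReaderRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
}


def audit(policies: dict) -> dict:
    """Map each policy name to its public statements, omitting clean policies."""
    report = {}
    for name, policy in policies.items():
        hits = find_public_statements(policy)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit({
        "queue": QUEUE_POLICY_PUBLIC,
        "topic": TOPIC_POLICY_SCOPED,
        "bucket": BUCKET_POLICY_PRIVATE,
    }).items():
        for hit in hits:
            print(f"{name}: {hit['sid']} grants {hit['actions']} to everyone on {hit['resources']}")
```

Running the module flags only the queue policy. The scoped topic policy is skipped because its Condition may legitimately restrict the grant, which is exactly the case a scanner should hand to a human rather than decide on its own.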

Furthermore, we will provide statistics on the prevalence of exposed services found on the internet and our assessment of the issue's scale.

Join us to learn how to scan and map any organization's external cloud exposure, finding misconfigurations and vulnerabilities at scale.

Nir Ohfeld is a 25-year-old senior security researcher at Wiz. Ohfeld focuses on cloud-related security research and specializes in the research and exploitation of cloud service providers, web applications, application security, and finding vulnerabilities in complex high-level systems. Ohfeld and his colleagues have disclosed some of the most notable cloud vulnerabilities, including ChaosDB and OMIGOD.

Hillai Ben-Sasson is a security researcher based in Israel. As part of the Wiz Research Team, Hillai specializes in the research and exploitation of web applications, application security, and finding vulnerabilities in complex high-level systems.