Scott, Thanks for creating this! Julien from Mozilla referred this to me back at AppSec and I have been using it as a devops security primer for folks in my org since. Really clever teaching tool. I've had it on my mind to create an Azure equivalent when time permits!
Thanks for putting this together Scott - I remember running through the exercises a year or so ago and realising how awesome some of these mistakes are. I ended up turning the S3 bucket stuff into a conference presentation, after bruteforcing *.s3.amazonaws.com for valid buckets, and checking their permissions/ACLs.
Great for bug bounties, or in UpGuard's situation, a tonne of publicity from private data being accessible from public buckets.
spydum|8 years ago
graystevens|8 years ago