Almost nobody outside heavy cloud CI/CD has heard of it, but the pros running a lot of cloud-native and containerized workloads (Kubernetes), especially in DevOps-heavy organizations, rely on it frequently because it provides insight into cloud-specific attack vectors that traditional security tools often overlook. It’s no secret that misconfigurations in cloud resources are the leading cause of breaches, and Stratus helps narrow the focus by targeting these vulnerabilities directly.
Use case: Simulate adversary behavior targeting Amazon EKS clusters, particularly focusing on T1543.003 (Create or Modify System Process: Kubernetes). This technique exploits misconfigurations in EKS clusters to gain unauthorized access or escalate privileges by modifying or creating Kubernetes pods; the attack technique was contributed by community user Dakota Riley.
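The detection side of that use case, as an added example that is not part of the original post or of the Stratus Red Team project: a scanner over Kubernetes API-server audit events (the JSON lines EKS ships to CloudWatch when the audit control-plane log type is enabled) that flags pod writes carrying the usual escalation markers. The audit events in the block are constructed for the demo; the field names follow the real audit.k8s.io Event schema, but the users, namespaces and pod names are made up.

```python
"""Flag pod create/update events that carry privilege-escalation markers
(privileged containers, host namespaces, hostPath mounts) by scanning
Kubernetes API-server audit events.

Added example: not code from the original post or from Stratus Red Team.
The audit events below are constructed for the demo.
"""
import json

# Constructed sample audit events. Field names follow the Kubernetes
# audit.k8s.io Event schema; users, namespaces and pod names are made up.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "verb": "create", "user": {"username": "dev-ci"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"},
     "requestObject": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}},
    {"kind": "Event", "verb": "create", "user": {"username": "dev-ci"},
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "dbg"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "sh", "image": "alpine", "securityContext": {"privileged": True}}]}}},
    {"kind": "Event", "verb": "get", "user": {"username": "dev-ci"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"}},
    {"kind": "Event", "verb": "create", "user": {"username": "svc-a"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "mount"},
     "requestObject": {"spec": {
         "containers": [{"name": "c", "image": "alpine",
                         "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}},
])


def risky_pod_indicators(spec):
    """Return the escalation indicators present in a pod spec (empty if none)."""
    found = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            found.append(flag)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            found.append("privileged:" + c.get("name", "?"))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            found.append("hostPath:" + v["hostPath"].get("path", "?"))
    return found


def scan_audit_log(text):
    """Return one alert dict per pod write whose spec carries an indicator.

    create/update events carry the full pod spec in requestObject; a patch
    event carries only the patch body, so its spec is inspected if present.
    """
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in ("create", "update", "patch") or ref.get("resource") != "pods":
            continue
        indicators = risky_pod_indicators(ev.get("requestObject", {}).get("spec", {}))
        if indicators:
            alerts.append({"user": ev.get("user", {}).get("username"),
                           "namespace": ref.get("namespace"), "pod": ref.get("name"),
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(alert)
```

Point the scanner at the exported audit stream after running the Stratus technique and the created pod should show up as an alert; a quiet run means the audit log type is not enabled or the detection is looking at the wrong field.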
GD-Thief
Ever been lost in the maze of Google Drive, overwhelmed by endless files, folders, and subfolders, wishing you could just “ls -l” them all? Enter GD-Thief. It is an open-source tool that enumerates and scrapes Google Drive for publicly accessible files. It’s ideal for discovery and SA on documents, spreadsheets, or other sensitive data left in shared drives.
For cloud OSINT, Google Drive is a treasure trove of information, if you can find it. While tools like SpiderFoot provide broader OSINT capabilities, GD-Thief gives pentesters a targeted way to enumerate specific cloud storage assets.
Use case: Use GD-Thief to scrape publicly accessible files that could reveal credentials or internal documents, potentially leading to further exploitation.
DVWA (Damn Vulnerable Web Application)
DVWA is a deliberately vulnerable web application designed to provide a safe space for security professionals and aspiring pentesters to practice and refine their web application penetration testing skills. It has multiple levels of vulnerability (low, medium, high, and impossible) to help users test a wide range of skills including SQL injection, cross-site scripting (XSS), file inclusion, and command injection.
While widely known in boot camps and training classes, DVWA is often overlooked by more experienced pentesters who turn to more complex tools. However, it remains a relevant platform for testing and refining skills, from script kiddies to advanced operators. DVWA is also self-hosted, lessening the likelihood that you’ll scope creep or test something you’re not permitted to touch (BBP/VDPs anyone?). Any hypervisor can help you partition the resources needed to host it.
Use case: Pentesters can practice exploiting CVE-2018-6574 (Remote Code Execution via improper input validation). In DVWA’s “command execution” module, you can inject shell commands via a form input and escalate to remote command execution. This exercise helps pentesters better understand the techniques attackers use to gain remote control over web servers.
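What the “command execution” module is teaching, shown as an added example rather than DVWA’s own PHP: a ping form whose unsafe handler pastes the submitted host into a shell string, beside a hardened handler that accepts only a parseable IP address and runs the command as an argument vector with no shell. The function names are ours; the only library calls are Python’s standard ipaddress and subprocess modules.

```python
"""Command injection in a DVWA-style "ping this host" form: the unsafe builder
pastes untrusted input into a shell string, the safe one validates the input
as an IP address and hands an argument vector (no shell) to subprocess.

Added example, not DVWA's own code; the function names are ours.
"""
import ipaddress
import subprocess


def build_ping_command_unsafe(host):
    """Low-security pattern: the raw form value lands inside a shell command.
    Returned as a string only so the defect can be inspected without running it."""
    return "ping -c 1 " + host


def build_ping_command_safe(host):
    """Accept a single syntactically valid IPv4/IPv6 address, nothing else.
    Anything containing shell metacharacters never parses as an address, so it
    is rejected with ValueError; hostnames would need their own allowlist."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("rejected ping target: %r" % host) from None
    return ["ping", "-c", "1", str(addr)]


def run_ping(host, timeout=5):
    """Run the validated command without a shell; return the exit status."""
    argv = build_ping_command_safe(host)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False).returncode


if __name__ == "__main__":
    print(build_ping_command_unsafe("127.0.0.1; id"))  # the injected command survives
    print(build_ping_command_safe("127.0.0.1"))
    try:
        build_ping_command_safe("127.0.0.1; id")
    except ValueError as e:
        print(e)
```

The hardened version fixes two things at once: the input is validated against the one type the form is supposed to accept, and the subprocess is started from an argv list, so even a validation slip would not hand the value to a shell parser. Compare the module’s “medium” and “high” levels, which blacklist a few characters instead; that is the approach the safe builder deliberately avoids.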
Hackazon
Hackazon is another vulnerable web application designed to simulate a real-world e-commerce site with modern web technologies. Developed by Rapid7, it provides a realistic environment for security professionals to test vulnerabilities commonly found in dynamic web applications, including RESTful API misconfigurations, SQL injection, XSS, and client-side vulnerabilities. Hackazon is excellent for mimicking the complexity of modern web apps used by organizations today.
Hackazon replicates a full, real-world dynamic shopping site with various modern vulnerabilities that aren’t always found in other training environments, but it’s often overshadowed by DVWA and other vulnerable web apps because of its more complex setup. If you’re looking to beef up your API and client-side skills, though, it’s a great place to start.
Use case: Hackazon can be used to test for SQL injection vulnerabilities (CVE-2019-12384) by targeting the application’s product search feature. Pentesters can inject malicious SQL queries via the search form to retrieve sensitive customer data like payment details. Additionally, the inclusion of an API makes it an ideal platform for API-based testing and exploiting improper authorization or input validation.
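The product-search injection from that use case, reduced to its essentials as an added example (not Hackazon’s own code): an unsafe search that splices the term into the query text, beside a hardened search that binds the term as a parameter and escapes LIKE wildcards. Python’s standard sqlite3 module stands in for the application’s database, and the product rows are constructed.

```python
"""SQL injection through a product-search box: the unsafe search formats the
term into the query, the safe one binds it as a parameter and escapes LIKE
wildcards so the user cannot widen the match either.

Added example, not Hackazon's own code; sqlite3 stands in for the app's
database and the catalog rows are constructed.
"""
import sqlite3


def make_demo_db():
    """In-memory catalog with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Laptop', 999.0), (2, 'Lamp', 25.0),
                                    (3, 'Headphones', 79.0);
    """)
    return conn


def search_unsafe(conn, term):
    """Vulnerable: the term is spliced into the SQL text, so a quote in the
    term closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened: the term is bound as a parameter, so it is only ever data.
    The % and _ wildcards are escaped too, so '%' alone matches nothing."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_demo_db()
    payload = "x%' OR 1=1 -- "
    print("unsafe:", search_unsafe(db, payload))  # every row comes back
    print("safe:  ", search_safe(db, payload))    # nothing matches
```

The same split applies to the API endpoints the post mentions: a JSON body reaching a string-formatted query is the identical defect, and the fix is the same parameter binding, not input filtering in front of it.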