
The findings reveal a hidden attack surface that lets threat actors compromise entire cloud estates, undermining trust in security vendors and exposing Fortune‑500 data. Remediating these misconfigurations is critical to prevent full‑scale cloud takeovers.
Training applications like Hackazon and OWASP Juice Shop are deliberately built with exploitable flaws to teach defensive skills. While useful in isolated labs, many organizations spin them up directly on production cloud accounts for convenience, inadvertently exposing the underlying infrastructure. Because these apps inherit the IAM permissions of the instance or account they run on, any breach of the app’s web front‑end can cascade into the cloud provider’s instance metadata service, leaking role credentials that grant far‑reaching access.
Pentera’s recent research quantified the scope: over 10,000 vulnerable training sites were discovered online, with 1,926 actively reachable. Of the 974 instances running on the three leading cloud providers, 165 were attached to IAM roles and 109 of those roles were over‑privileged, effectively handing attackers administrator rights. The report cites real‑world compromises of high‑profile security vendors—F5, Cloudflare, Palo Alto Networks—demonstrating that even experts can fall prey to this oversight.
The broader implication is a systemic risk that extends beyond the training environment. Enterprises must treat these apps as production assets, enforcing least‑privilege principles, isolating them in separate accounts, and regularly scanning for exposed endpoints. Cloud providers should enhance visibility into over‑permissioned roles tied to publicly accessible services. By tightening governance around vulnerable training tools, organizations can close a covert backdoor that currently offers attackers a direct route into critical cloud workloads.
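The least‑privilege and exposure checks described above, as an added example that is not Pentera's tooling or part of the report: a small Python audit over a constructed EC2‑style instance record that flags a host still serving IMDSv1 (no session token required) together with instance‑profile policies that allow wildcard or escalation actions on every resource. The record shape, policy names and the ESCALATION_ACTIONS list are assumptions for illustration.

```python
"""Audit a constructed EC2-style instance record for the two conditions the
article describes: an instance-profile role whose policy is effectively admin,
attached to a host that still serves IMDSv1 (no session token required)."""

# Single actions that let a principal escalate to account control
# (assumption: a short illustrative list, not an exhaustive one).
ESCALATION_ACTIONS = {
    "iam:createaccesskey", "iam:attachrolepolicy", "iam:attachuserpolicy",
    "iam:putrolepolicy", "iam:passrole", "sts:assumerole",
}

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def risky_statements(policy_doc: dict) -> list:
    """Return Allow statements granting '*', 'service:*' or an escalation action on Resource '*'."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        bad = [a for a in actions
               if a == "*" or a.endswith(":*") or a in ESCALATION_ACTIONS]
        if bad:
            findings.append({"sid": stmt.get("Sid", ""), "actions": bad})
    return findings

def audit_instance(instance: dict) -> list:
    """Flag IMDSv1 exposure and over-privileged instance-profile policies."""
    issues = []
    if instance.get("metadata_options", {}).get("http_tokens") != "required":
        issues.append("IMDSv1 enabled: an SSRF in the web app can read role credentials")
    for name, doc in instance.get("role_policies", {}).items():
        for f in risky_statements(doc):
            issues.append(f"policy {name} statement '{f['sid']}' allows {f['actions']} on *")
    return issues

# Constructed sample: a Juice Shop host set up "for convenience" on a prod account.
SAMPLE_INSTANCE = {
    "instance_id": "i-EXAMPLE",
    "metadata_options": {"http_tokens": "optional"},
    "role_policies": {
        "LabAdmin": {"Statement": [{"Sid": "AllowAll", "Effect": "Allow",
                                     "Action": "*", "Resource": "*"}]},
        "ReadLogs": {"Statement": [{"Sid": "Logs", "Effect": "Allow",
                                     "Action": ["logs:GetLogEvents"],
                                     "Resource": "arn:aws:logs:*:*:*"}]},
    },
}
```

Running `audit_instance(SAMPLE_INSTANCE)` on the constructed record reports two issues: the IMDSv1 setting and the LabAdmin policy; the scoped ReadLogs policy is not flagged.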