
Deliberately vulnerable training applications are widely used for security education, internal testing, and product demonstrations. Tools like OWASP Juice Shop, DVWA, Hackazon, and bWAPP are insecure by design, so that users can learn how common attack techniques work in a controlled environment.
The problem is not the applications themselves, but how they are often deployed and maintained in real-world cloud environments.
Pentera Labs investigated how training and demo applications are used across cloud infrastructure and identified a recurring pattern: applications intended for use in isolated labs were frequently found exposed to the public internet, running within active cloud accounts, and connected to cloud identities with broader access than necessary.
Deployment patterns observed in the research
Pentera Labs research found that these applications are often deployed with default configurations, minimal isolation, and overly permissive cloud roles. Our investigation found that many of these exposed training environments are directly connected to active cloud identities and privileged roles, allowing attackers to go far beyond the vulnerable application itself and potentially penetrate a customer’s broader cloud infrastructure.
In these scenarios, a single public training application serves as a starting point. Once attackers have access to connected cloud identities and privileged roles, they are no longer constrained by the original application or host. Instead, they can interact with other resources within the same cloud environment, which can significantly increase the scope and potential impact of a breach.
As part of the study, Pentera Labs examined nearly 2,000 live public training application instances, nearly 60% of which were hosted on customer-managed infrastructure running on AWS, Azure, or GCP.

Evidence of active abuse
The exposed training environments identified during the investigation were not simply misconfigured. Pentera Labs has observed clear evidence that attackers are actively exploiting this exposure.
Across a broad dataset of publicly available training applications, we found that approximately 20% of instances contained artifacts deployed by malicious actors, including cryptocurrency mining activities, web shells, and persistence mechanisms. These artifacts were indicative of previous compromises and continued exploitation of exposed systems.
The presence of active cryptomining and persistence tools indicates that public training applications are not only discoverable, but are already being exploited at scale.
Scope of impact
The exposed and exploited environments identified during the study were not limited to small or isolated test systems. Pentera Labs has observed this deployment pattern across cloud environments associated with Fortune 500 companies and major cybersecurity vendors such as Palo Alto, F5, and Cloudflare.
Although individual circumstances differed, the basic pattern remained consistent: a training or demo application was deployed without sufficient isolation, remained publicly accessible, and was connected to a privileged cloud identity.
Why is this important
Training and demo environments are often treated as low-risk or temporary assets. As a result, they are often excluded from standard security monitoring, access reviews, and lifecycle management processes. Over time, these environments can remain exposed long after their original purpose has passed.
According to the study, exploitation does not require zero-day vulnerabilities or sophisticated attack techniques. Default credentials, known weaknesses, and public exposure were enough to turn the training application into an entry point for widespread cloud access.
Labeling an environment “training” or “testing” does not reduce that risk. When these systems are exposed to the internet and connected to privileged cloud identities, they become part of an organization’s effective attack surface.
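One way to check an asset inventory for the pattern described above: a training application that is reachable from the internet and tied to a broadly privileged cloud identity. This is an added example, not Pentera's code or methodology; the normalized record schema, field names, and sample records are assumptions constructed for illustration.

```python
TRAINING_APPS = ("juice-shop", "juiceshop", "dvwa", "hackazon", "bwapp")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def is_training_app(workload):
    """Match the image name or any tag value against known training apps."""
    parts = [workload.get("image", ""), *workload.get("tags", {}).values()]
    haystack = " ".join(parts).lower()
    return any(name in haystack for name in TRAINING_APPS)

def is_public(workload):
    """True if any ingress rule admits traffic from the whole internet."""
    return any(rule["cidr"] in OPEN_CIDRS for rule in workload.get("ingress", []))

def broad_actions(workload):
    """Return wildcard actions granted by the attached identity's Allow statements."""
    found = []
    for stmt in workload.get("identity_policy", []):
        if stmt.get("effect") != "Allow":
            continue
        found += [a for a in stmt.get("actions", []) if a == "*" or a.endswith(":*")]
    return found

def audit(inventory):
    """Flag training apps; severity rises with exposure and identity privilege."""
    findings = []
    for w in inventory:
        if not is_training_app(w):
            continue
        public, wild = is_public(w), broad_actions(w)
        severity = ("critical" if public and wild else "high" if public
                    else "medium" if wild else "info")
        findings.append({"id": w["id"], "severity": severity,
                         "public": public, "wildcard_actions": wild})
    return findings

SAMPLE_INVENTORY = [  # constructed records in a hypothetical normalized schema
    {"id": "vm-demo-1", "image": "bkimminich/juice-shop:latest", "tags": {},
     "ingress": [{"port": 3000, "cidr": "0.0.0.0/0"}],
     "identity_policy": [{"effect": "Allow", "actions": ["s3:*", "iam:PassRole"]}]},
    {"id": "vm-lab-2", "image": "internal/base", "tags": {"purpose": "DVWA workshop"},
     "ingress": [{"port": 80, "cidr": "10.20.0.0/16"}], "identity_policy": []},
    {"id": "vm-prod-3", "image": "nginx:1.25", "tags": {"team": "web"},
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
     "identity_policy": [{"effect": "Allow", "actions": ["*"]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Isolated training instances still appear in the output at "info" severity, so they stay visible to lifecycle and access reviews.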
Read the full Pentera Labs research blog and join us for a live webinar on February 12th to learn more about the methodology, discovery process, and real-world applications observed during this study.
This article was written by Noam Yaffe, Senior Security Researcher at Pentera Labs. For questions or discussions, please contact labs@pentera.io.
