Cloud AuthoriZation Trainer: A simulator of cloud-provider responsible REST APIs
CAZT (Cloud AuthoriZation Trainer)
CAZT (Cloud AuthoriZation Trainer) is a simulator of cloud-provider responsible REST APIs. It includes a lab manual for getting hands-on practice with how to attack authorization vulnerabilities in a cloud API.
It is different from other vulnerable cloud practice environments because it focuses on the cloud-provider shared responsibility instead of the customer. This enables pen testers to gain experience with testing the cloud vendor itself as well as an understanding of what a vulnerable cloud service will look like.
Features
- Interface for using cloud-provider command-line interfaces to practice
- A lab manual with OWASP authorization vulnerability scenarios
- Six API endpoints for vulnerability discovery
Requirements
- The simulator and pen test tools can be run from a single local machine
- Fundamental knowledge of HTTP proxy MitM tools (i.e. Burp)
- Basic experience with using a command-line
- Basic experience with using a cloud-provider’s command-line interface tool
Platforms
Development and testing were done under Ubuntu Linux, but other platforms with at least Python 3.8 should be compatible as well.
