May 23, 2026
Web-to-Cloud Attack Chains
Phase 2 notes: chaining web vulnerabilities into AWS credential theft, secret discovery, and cloud resource compromise.
Phase 2 — Web-to-Cloud Attack Chains
Phase Summary
Completed 6 Red Team labs focused on chaining web-layer weaknesses into cloud credential compromise and AWS data access.
This phase is especially useful because it directly connects web pentesting with cloud security operations.
Learning Objectives
- Chain web vulnerabilities into cloud access paths.
- Understand how temporary or leaked credentials are obtained and abused.
- Practice secret discovery across repositories, build artifacts, and container images.
- Learn practical impact: pivoting from initial web access into AWS resource compromise.
- Build a stronger detection and prevention mindset for web-to-cloud attack chains.
Lab Path
| Order | Lab | Type | Summary |
|---|---|---|---|
| 7 | SSRF to Pwned | 🔴 Red | SSRF against an EC2-hosted application to reach the metadata service and extract temporary AWS credentials. |
| 8 | Path Traversal to AWS credentials to S3 | 🔴 Red | Use path traversal to recover AWS credentials, then pivot to S3 access. |
| 9 | Hunt for Secrets in Git Repos | 🔴 Red | Identify leaked credentials and sensitive tokens in Git repositories. |
| 10 | Uncover Secrets in CodeCommit and Docker | 🔴 Red | Discover exposed credentials stored in AWS CodeCommit history and Docker images. |
| 11 | Leverage Leaked Credentials for Pwnage | 🔴 Red | Operationalize leaked secrets to access cloud resources and extract sensitive data. |
| 12 | Access Secrets with S3 Bucket Versioning | 🔴 Red | Use S3 object versioning to recover historical secrets and plaintext sensitive fields. |
Key Knowledge After Phase 2
- Web bugs can become cloud compromise vectors when they expose metadata services, local files, or credentials.
- Credential exposure is the core pivot point across repos, containers, and misconfigured storage.
- Temporary credentials are still dangerous if not tightly scoped and monitored.
- Attack chains matter more than single findings, because small web issues can escalate into full cloud impact.
- Prevention requires layered controls: secure coding, secret hygiene, least-privilege IAM, and continuous monitoring.
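
To make the monitoring point concrete, here is a detection sketch added to these notes (not code from the labs): it flags CloudTrail records where an EC2 instance-role session is used from an address the instance does not own, which is the trace left when temporary credentials taken from the metadata service are replayed elsewhere. The events, the inventory in `INSTANCE_IPS`, and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed inventory (assumption): instance ID -> IPs its API calls may originate from.
INSTANCE_IPS = {"i-0123456789abcdef0": {"203.0.113.10", "10.0.1.25"}}

def _ev(kind, principal, src, name):
    """Build a constructed CloudTrail-style record with only the fields the check reads."""
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": kind, "principalId": principal}}

SAMPLE_EVENTS = [
    _ev("AssumedRole", "AROAEXAMPLEROLEID:i-0123456789abcdef0", "203.0.113.10", "GetObject"),
    _ev("AssumedRole", "AROAEXAMPLEROLEID:i-0123456789abcdef0", "198.51.100.77", "ListBuckets"),
    _ev("AssumedRole", "AROAEXAMPLEROLEID:i-0123456789abcdef0", "ec2.amazonaws.com", "DescribeVolumes"),
    _ev("AssumedRole", "AROAEXAMPLEROLEID:alice", "198.51.100.77", "GetObject"),
    _ev("IAMUser", "AIDAEXAMPLEUSERID", "198.51.100.77", "GetObject"),
]

# Instance-profile sessions use the instance ID as the role session name.
INSTANCE_SESSION = re.compile(r":(i-[0-9a-f]{8,17})$")

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False  # e.g. "ec2.amazonaws.com": an AWS service acting for the role

def find_offhost_role_use(events, instance_ips):
    """Return findings for instance-role sessions seen from a non-instance address."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        match = INSTANCE_SESSION.search(ident.get("principalId", ""))
        src = ev.get("sourceIPAddress", "")
        if ident.get("type") != "AssumedRole" or not match or not _is_ip(src):
            continue
        instance = match.group(1)
        known = instance_ips.get(instance)
        if known is not None and src in known:
            continue  # call came from the instance itself
        reason = "instance not in inventory" if known is None else "source IP not owned by instance"
        findings.append({"instance": instance, "sourceIPAddress": src,
                         "eventName": ev.get("eventName"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_offhost_role_use(SAMPLE_EVENTS, INSTANCE_IPS):
        print(finding)
```

The inventory has to include every egress path the instance legitimately uses (public IP, NAT gateway, private IP for VPC endpoint traffic), otherwise normal calls show up as findings.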