
‘Damn Vulnerable’ Training Apps Leave Vendors' Clouds Exposed


These articles are AI-generated summaries. Please check the original sources for full details.

Training Apps: A Doormat into the Enterprise Cloud

Security vendors are inadvertently exposing their cloud infrastructure through publicly accessible, deliberately vulnerable training applications. Researcher Noam Yaffe discovered over 1,900 active instances of these applications – including Hackazon, OWASP Juice Shop, and DVWA – running on AWS, GCP, and Azure.

The cloud instances hosting these apps, which exist only to give trainees something exploitable, are often attached to overly permissive IAM roles. An attacker who compromises the intentionally vulnerable app inherits that role and with it access to sensitive cloud resources. The potential damage extends to complete compromise of the cloud environment, which the research demonstrated with successful breaches of major security vendors including F5, Cloudflare, and Palo Alto Networks.

Why This Matters

Organizations often prioritize the security of the products they ship while overlooking the security of internal training environments. This creates a significant blind spot: a deliberately vulnerable app is exploitable by design, so controls that assume a hardened application offer no protection, and the app becomes an easy entry point into the hosting account. The cost of a breach stemming from a training app could easily reach millions of dollars in remediation, fines, and reputational damage.

Key Insights

  • 1,926 active, publicly accessible vulnerable apps: Discovered across AWS, GCP, and Azure as of January 2026.
  • Overpermissioned IAM roles: A common misconfiguration in which the instance role attached to the training host grants far more than the app needs, handing an attacker who compromises the app broad access to the account.
  • Cryptomining as evidence of compromise: 20% of DVWA instances showed evidence of XMRig cryptomining, indicating that attackers had already found and exploited them.
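The XMRig finding above is the kind of thing a host check catches long before a cloud-side investigation does. The following is an added example, not code from the article or from the research it summarizes: it scans `ps -eo pid,user,pcpu,args` output for XMRig-style miners, matching on the binary name, a stratum pool URL, and XMRig's own command-line options rather than on CPU usage alone, so a renamed binary is still caught and a busy legitimate process is not. The process lines are constructed, and the CPU threshold is an assumed tuning value.

```python
"""Flag XMRig-style miner processes in `ps -eo pid,user,pcpu,args` output.

Added example; not from the article or its source research. SAMPLE_PS is a
constructed process listing, CPU_THRESHOLD is an assumed tuning value, and
XMRIG_OPTIONS is a shortlist of XMRig's documented command-line options.
"""
import re

# Option names XMRig itself uses; matched as whole tokens (or token=value).
XMRIG_OPTIONS = ("--donate-level", "--coin", "--algo", "--keepalive",
                 "--nicehash", "--rig-id")
# The URL scheme XMRig's -o/--url option takes for pool connections.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://[\w.\-]+:\d+")
NAME_RE = re.compile(r"xmrig", re.IGNORECASE)
CPU_THRESHOLD = 80.0  # assumed; sustained CPU only ever *supports* a finding

# Constructed sample in `ps -eo pid,user,pcpu,args` layout. Line 3 is a miner
# renamed to look like a kernel thread; line 4 is an unrenamed xmrig; line 5
# is a legitimate CPU-heavy job whose option merely resembles --coin.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
  812 root      0.1 /usr/sbin/sshd -D
 2231 www-data  1.3 /usr/sbin/apache2 -k start
 4410 www-data 98.4 /tmp/.X11-unix/kswapd0 -o stratum+tcp://pool.example.net:3333 -u 44AbCdEf -p x --donate-level 1 -k
 4512 www-data 96.0 ./xmrig --config=/tmp/config.json
 5101 ubuntu   87.0 python3 train_model.py --coin-flip-seed 7
"""


def parse_ps_line(line):
    """Parse one ps row into a dict; return None for the header or junk."""
    parts = line.split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    return {"pid": int(parts[0]), "user": parts[1],
            "pcpu": float(parts[2]), "args": parts[3]}


def inspect_process(proc):
    """Return a finding dict if the process looks like a miner, else None."""
    tokens = proc["args"].split()
    if not tokens:
        return None
    reasons = []
    if NAME_RE.search(tokens[0]):
        reasons.append("binary name matches xmrig")
    match = STRATUM_RE.search(proc["args"])
    if match:
        reasons.append(f"stratum pool {match.group(0)}")
    for tok in tokens[1:]:
        for opt in XMRIG_OPTIONS:
            if tok == opt or tok.startswith(opt + "="):
                reasons.append(f"xmrig option {opt}")
    if not reasons:
        return None  # high CPU by itself is not an indicator
    high_cpu = proc["pcpu"] >= CPU_THRESHOLD
    confidence = "high" if len(reasons) >= 2 or high_cpu else "medium"
    return {"pid": proc["pid"], "user": proc["user"],
            "confidence": confidence, "reasons": reasons}


def scan(ps_output):
    """Run every row of a ps listing through inspect_process."""
    findings = []
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        if proc is None:
            continue
        finding = inspect_process(proc)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}) {f['confidence']}: "
              + "; ".join(f["reasons"]))
```

Note that both hits run as `www-data`, the web server's user: a miner owned by the account that serves DVWA is itself a strong sign that the app, not an unrelated service, was the way in.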

Practical Applications

  • Use Case: Security vendors run these apps for red team and developer training but frequently fail to isolate them from production, whether by a separate account or project, or by keeping production-reaching IAM roles off the training hosts.
  • Pitfall: Attaching an IAM role with overly broad permissions to a training host turns the app's intended vulnerabilities into a path to complete cloud account compromise.
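The overpermissioned role is the common thread in the findings above and in the pitfall just listed, and it is also the easiest thing to check before a training host goes live. The following is an added example, not code from the article or from the research it summarizes: a small audit of an AWS IAM policy document that flags full-admin grants, service-wide wildcard actions, privilege-escalation actions such as `iam:PassRole`, and unscoped `Resource: "*"`. The three policy documents are constructed for illustration (a typical "just make it work" lab role, a role that looks scoped but is not, and a genuinely least-privilege role with hypothetical ARNs), and the escalation-action shortlist is an assumption, not an exhaustive list.

```python
"""Audit an AWS IAM policy document for grants that turn a throwaway
training host into a foothold in the account.

Added example; not from the article or the research it summarises. The
policy documents are constructed, the ARNs in them are hypothetical, and
ESCALATION_ACTIONS is an assumed shortlist rather than a complete one.
"""
import fnmatch
import json

SEVERITY_RANK = {"ok": 0, "medium": 1, "high": 2, "critical": 3}

# Actions that let the holder widen its own access; flagged even when the
# Resource is scoped. Assumed shortlist for this example.
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "sts:AssumeRole",
)


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, severity, message) tuples for each risky Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{idx}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # An Allow written with NotAction/NotResource grants everything
        # except the listed items, so treat it as an open-ended grant.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "critical",
                             "Allow with NotAction/NotResource is an open-ended grant"))
            continue
        if "*" in actions and "*" in resources:
            findings.append((sid, "critical",
                             "Action '*' on Resource '*' is full account access"))
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "high", f"service-wide wildcard action {action}"))
        # The policy's action strings are glob patterns; expand them against
        # the escalation list so that e.g. "iam:*" still surfaces iam:PassRole.
        escalations = sorted({e for e in ESCALATION_ACTIONS
                              for pattern in actions if fnmatch.fnmatchcase(e, pattern)})
        if escalations:
            findings.append((sid, "high",
                             "privilege-escalation actions: " + ", ".join(escalations)))
        if "*" in resources:
            findings.append((sid, "medium",
                             "Resource '*' is not scoped to the host's own resources"))
    return findings


def worst_severity(policy):
    """Collapse the findings into one grade: ok, medium, high or critical."""
    worst = "ok"
    for _, severity, _ in audit_policy(policy):
        if SEVERITY_RANK[severity] > SEVERITY_RANK[worst]:
            worst = severity
    return worst


# Constructed sample: the role a lab host gets when someone just wants it to work.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "LabAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Constructed sample: looks scoped at a glance, but s3:* on every bucket plus
# iam:PassRole lets the host read any data and run work as another role.
MIDDLING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Buckets", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Pass", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:DescribeInstances"],
     "Resource": "arn:aws:iam::123456789012:role/lab-worker"}
  ]
}""")

# Constructed sample: what a training host actually needs, limited to its own
# log group and one read-only seed bucket (hypothetical ARNs).
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/lab/juice-shop:*"},
    {"Sid": "Seed", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::lab-seed-data/juice-shop/*"}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY),
                         ("middling", MIDDLING_POLICY),
                         ("scoped", SCOPED_POLICY)):
        print(f"{name}: {worst_severity(policy)}")
        for sid, severity, message in audit_policy(policy):
            print(f"  [{severity}] {sid}: {message}")
```

The middling policy is the instructive one: nothing in it is a bare `*`, yet it still grades high, which is why a wildcard-only review misses most real over-permissioning. The scoped policy is the shape to aim for on a host whose whole purpose is to be broken into: it can write its own logs and read its own seed data, and nothing an attacker does inside Juice Shop or DVWA gets them further than that.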

