Raining In The Clouds: Penetration Testing Cloud REST API Vulnerabilities

Rodney Beede

Principal Consultant / DivisionHex

October 10, 2025

Coalfire’s mission is to strengthen cloud security at all layers. Our application security and penetration testing teams are trained to find weaknesses in the fundamental components of the systems our clients trust and rely upon so the business can successfully manage their risks. We're pleased to contribute, as open source, one of the training resources we use internally to help our consultants develop offensive security skills for penetration testing of REST APIs in the cloud.

Raining In The Clouds

Raining In The Clouds, available on github.com, is a collection of instructive lab manuals and simulation tools for learning how to pen test a cloud REST API. It provides practical, hands-on skill development based on real-world vulnerabilities in authorization, XSS, SQL injection, and more. The current version covers technologies such as OpenStack, Salesforce, and Google Cloud. The lab structure offers a self-guided walkthrough for setting up tools and completing selected sample exercises.

What Is a REST API?

A cloud REST API is an interface that allows developers to access and manage services or data within a cloud-based platform. APIs enable one application or service to securely access resources within another application, service, or database. They are governed by standard rules that make APIs function in a consistent, predictable way.

Why Pen Test Cloud APIs?

Security news is full of stories about breaches exposing customer information—and not just from small businesses. Major organizations like Juniper Networks, Salesforce, and even Google have made headlines due to vulnerabilities within their cloud APIs.

It’s not that REST APIs are inherently insecure. Their popularity and exposure to the public internet make them larger targets for malicious actors. Raining In The Clouds helps penetration testers understand the technology and identify these risks faster through hands-on practice, before attackers can exploit them.

What’s Included

Raining In The Clouds guides users through software configuration, client tool setup, and practical exercises exploring common vulnerabilities such as:

  • Cross-site Scripting (XSS) with REST APIs
  • Authorization Bypass, including:
    • Privilege Escalation
    • IDOR / Confused Deputy
  • Encrypted Field Data Access Bypass – SOQL Injection

I hope you enjoy working through these exercises as much as I enjoyed creating them. Learn the tools, exploit them safely, and observe the results in a controlled lab environment—before they ever make the headlines.

About the Creator

Rodney Beede is a Principal Consultant with Coalfire. He began his career in enterprise web application development, with his master’s thesis research project “A Framework for Benevolent Computer Worms” (2012). For more than a decade, he has specialized in cloud security, earning multiple CVEs for discovered vulnerabilities. Rodney has presented at major security and hacking conferences including Black Hat, DEF CON, and BSides, covering topics from cloud security engineering to IoT device hacking.