
Azure Application Security – Basic Edition

Objective

This beginner-friendly class is for application security professionals, developers and cloud security professionals. Improve your understanding of Azure Cloud, Azure AD, the authentication and authorization process, Enterprise Apps, APIs, OAuth permissions and more. Learn about the Azure services used for deploying and running applications, such as App Services, Function Apps, Key Vaults, Storage Accounts, Databases, etc.


This hands-on class covers abusing application flaws/misconfiguration, features and interoperability to compromise an enterprise-like live lab environment. Each student gets a dedicated lab! As a bonus, there is a shared lab to practice with fellow students. The class also covers security controls useful in defending against the discussed attacks. The class will focus on methodology and techniques through instructor demos, exercises, and hands-on labs.

Course Content

Module 1

  • Introduction to Azure

  • Azure AD Resources

  • Recon and Enumeration

  • Azure RBAC & ABAC

  • Applications

  • App Services

  • App Services - Abuse

Module 2

  • Rest APIs in Azure

  • Authentication & Authorization

  • Tokens

  • Managed Identity

  • Azure Web Application Firewall

  • App Registrations

  • Enterprise Apps

Module 3

  • Illicit Consent Grant Attack (OAuth Phishing)

  • Abusing Misconfigured Enterprise Apps

  • Function Apps

  • Function Apps - Abuse

  • Key Vaults

  • Key Vaults - Abuse

  • Storage Accounts

  • Storage Accounts - Abuse

Module 4

  • Databases

  • Application Proxy

  • Azure API Management

  • API Security

  • Microsoft Defender for Cloud Apps

  • Microsoft Defender for Cloud

  • Actionable Defense

Who should take this course?

Application security professionals, developers, red teamers, penetration testers and blue teamers who would like to understand more about web application security and abuse in Azure.

Student Requirements

  • Basic understanding of Application Security and Azure is desired but not mandatory.

What students should bring

  • System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes.

  • Privileges to disable/change any antivirus or firewall.

What students will be provided with

  • Attendees get one month of free access to two labs (a practice lab and an attack lab) configured like an enterprise environment, during and after the training.