🔥README

29 Learning Objectives, 72 Tasks > 115 hours of learning

CAWASPazredlabs.enterprisesecurity.io

Module I: - Introduction

• Learn about Azure services & Azure AD components.

• Gain understanding about the Service Models supported by Azure & Azure Architecture.

• Learn the process of discovering & enumerating Azure & Azure AD resources.

• Learn about the access control mechanism supported by Azure for granting privileges to the end users.

Module II: - Applications (App Services, APIs)

• Understand about the Application services that are offered by Azure.

• Gain deep understanding about App Service and its environment.

• Understand how to deploy code in App Service and understand about various configuration options that can be applied for any application leveraging App Service.

• Understand about the management portal of App Service.

• Learn how to exploit web application vulnerabilities and extract information from the applications hosted on App Service.

• Learn about various Rest API endpoints that are offered by Azure for managing various service.

Module III: - Authentication & Authorization

• Deep dive into OAuth, Authentication and Authorization process.

• Gain understanding about JTW tokens and the type of tokens that are supported by Azure like ID Token, Access Token, Refresh Token.

• Understand about Managed Identity and the process to enumerate and request access token.

Module IV: - Azure WAF

• Learn about Web Application Firewall.

• Learn about the services such as Application Gateway, Front Door, CDN that are offered by Azure which supports WAF.

• Gain the understand of the process that can be followed to bypass WAF.

Module V: - App Registrations, Enterprise Apps & Conditional Access Policy

• Learn and explore App Registration and Enterprise App components offered by Azure AD.

• Understand how Illicit Consent Grant Attacks works and learn to write a simple function app that can allow us to capture the token information and save the same in table storage.

• Learn about Microsoft Graph API and ways to abuse misconfigure permissions.

• Learn about Conditional Access Policies and how it can help us in restricting the users from gaining access to the resources.

Module VI: - Function Apps

• Understand what are Function Apps, how it is deployed in Azure and the functionality.

• Gain understanding of stateful Function App feature known as Durable Function Apps.

• Learn how to exploit vulnerability in Function App and extract information.

• Learn ways to read the source code or create a new function in the Function App by leveraging Master Key.

Module VII: - Key Vaults

• Learn and understand about Key Vaults and its Rest API endpoints.

• Understand Access Controls methods that Key Vault supports

• Understand the need of using recover policies.

• Learn how to leverage various RBAC roles and Key Vault access policies to extract the secrets and decrypted the encrypted values.

Module VIII: - Storage Accounts

• Learn and understand about Storage Accounts, Types of storage services.

• Understand about various Access Control methods such as AAD User, Shared Key, Shared Access Signature, Connection String.

• Learn how to leverage various options to gain access to the Storage account.

Module IX: - Databases

• Learn about various Database services offered by Azure such as Cosmos DB, Azure SQL, PostgreSQL, MySQL/MariaDB.

• Understand the benefits of using specific Database services.

• Understand the ways to gain access to Cosmos DB account and extract information.

Module X: - Application Proxy & Azure API Management

• Learn about Application Proxy and its Components.

• Understand the authentication workflow of the Application Proxy.

• Learn about Azure API Management service and understand how it can help us to protect and restrict the APIs.

Module XI: - Microsoft Defender for Cloud & Microsoft Defender for Cloud Apps

• Gain understanding of Microsoft Defender for Cloud Apps solution, Architecture and features.

• Gain understanding of what is Microsoft Defender for Cloud, how it can help us to secure the infrastructure.

• Learn about various alerts that can be triggered if it is integrated with App Service.

Module XII: - Defense

• Learn about approach that can be followed to secure/protect various resources hosted in Azure.