Azure Application Security: Beginner's Edition [Sept 2022]

Master application security in Azure. Learn how Azure apps are attacked, and how to secure them with appropriate security controls. Practice attacker techniques in a lab environment simulating a real-world enterprise. Earn the CAWASP (Certified Azure Web Application Security Professional) certification.
Starts: 03 September 2022  Duration: 4 weeks
Recordings of live sessions included!

Enrollment ends in:

What You'll Learn

This 4-week beginner-friendly bootcamp is for application security professionals, developers and cloud security professionals. Improve your understanding of Azure Cloud, Azure AD, Authentication & Authorization process, Enterprise Apps, APIs, OAuth Permissions and more. Learn about Azure services used for deploying and running applications such as AppServices, Function Apps, Key Vaults, Storage Accounts, Databases, etc.

This hands-on class covers abusing application flaws/misconfiguration, features and interoperability to compromise an enterprise-like live lab environment. Each student gets a dedicated lab! As a bonus, there is a shared lab to practice with fellow students. The class also covers security controls useful in defending against the discussed attacks. The Bootcamp will focus on methodology and techniques through instructor demos, exercises, and hands-on labs.
  • 4 live sessions

  • 3.5 hrs per session

  • 4 weeks access

  • 50 flags to be collected

  • 25 lab exercises

  • 1 CAWASP attempt

  • Recordings of Live Sessions

Build Your Cybersecurity Credentials

  • Become a Certified Azure Web Application Security Professional (CAWASP)

The Certified Azure Web Application Security Professional (CAWASP) certification demonstrates hands-on knowledge of application security in Azure. A CAWASP holder is proficient in assessing security of Azure web application technologies and understands security controls used for defense.

With this certification, you declare your expertise in different facets of Azure WebApp security: Enterprise Apps, App Services, OAuth Permissions, API Security, Storage Accounts, Key Vaults, Databases, WAF, MDCA, MDC and more.
  • Bootcamp Completion Certificate

Attendees will also get a course completion certificate after completing Learning Objectives covered during the course.

Live Session Schedule

Weekly 3.5 hr sessions start at 10:00am ET and end at 1:30pm ET.
03 September 2022

10 September 2022

17 September 2022

24 September 2022

Introduction to Applications in Azure, Authentication & Authorization process, REST APIs and Tokens
Abuse Enterprise Apps, Attacks using OAuth Permissions and Microsoft Graph API Abuse
Abuse Azure App services, Functions and Key Vaults for extracting secrets, Priv Esc, Persistence and Lateral Movement
Attacking Storage accounts and Database Services, API Management and Security. Understanding WAF, MDCA, MDC and their bypasses

Prerequisites

1. A basic understanding of Application security and Azure is desired but not mandatory
2. System with 4 GB RAM and ability to install OpenVPN client and RDP to Windows boxes
3. Privileges to disable/change any antivirus or firewall

Bootcamp Syllabus

The course is split in four modules across four weeks:

Module I:

  • Introduction to Azure Cloud
  • Recon, Discovery and Enumeration
  • Azure RBAC Roles and ABAC
  • Rest APIs in Azure
  • Authentication & Authorization
  • Deep dive into OAuth
  • Authentication methods supported by Azure

Module II:

  • Tokens in Azure and their use in attacks
  • About App Registrations
  • About Enterprise Apps (Supported credentials, App roles and claims etc.)
  • Attacking App Registrations and Enterprise Apps
  • OAuth Permissions and their abuse (Privilege Escalation, Persistence and Lateral Movement)
  • Consents and Permissions in Azure
  • Illicit Consent Grant Attack (OAuth Phishing)
  • Microsoft Graph API and its abuse

Module III:

  • Abuse Azure services for Extracting secrets, Priv Esc, Persistence and Lateral Movement
  • About App Services (Deployment, Configuration, SCM etc.)
  • Attacking App Services by abusing app vulnerabilities and interoperability with other Azure services
  • About Function Apps (Durable Function Apps, Triggers, Deployment etc.)
  • Attacking Function Apps (Abusing integration with other Azure services)
  • Understanding and Attacking Key Vaults (Access Policies, Retention Policies etc.)
  • Understanding and Attacking Storage Accounts (Management plane to Data plane, SAS tokens, Connection Strings, Shared key, Information gathering from Metadata)

Module IV:

  • Understanding and abusing Databases Services in Azure (Cosmos DB, SQL Server etc.)
  • Understanding Application Proxy
  • Azure API Management and API Security
  • Defending Applications in Azure (Web Application Firewall, Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud)
  • Bypassing Defenses
Meet the instructor

Chirag Savla

Chirag Savla is an information security professional whose areas of interest include penetration testing, red teaming, azure, active directory security, and post-exploitation research.

He has over 7+ years of experience in information security. Chirag likes to research new attack methodologies and create open-source tools that can be used during the red team assessments. He has worked extensively on Azure, Active Directory attacks, defense, and bypassing detection mechanisms.

He is the author of multiple Open Source tools such as Process Injection, Callidus, etc. He has spoken in multiple conferences and local meetups.
Chirag Savla - Principal Instructor

Can't attend this bootcamp? Get informed about future bootcamps!

Thank you!
Thank you!
Created with