Description
Azure Storage is a widely used service in the Azure cloud. Organisations leverage Azure Storage for hosting static websites, mounting compute volumes, event messaging, and storing objects and files. Azure Storage can be integrated with Virtual Machines, Containers, Kubernetes and even Serverless compute environments.
Although it is the most widely used service, it is also the most widely attacked. An attacker would look at compromising:
● Static websites through subdomain takeovers
● Blobs through exposed containers
● Queues through exposed SAS tokens
● A complete account takeover through application vulnerabilities and other security misconfigurations.
This talk will commence with an introduction to Azure Storage, detailing the categories of storage such as Blob, File, Table and Queue. We will then talk about commonly used default configurations and threats against storage accounts. Finally, the talk will end with a variety of demos of compromising Azure Storage through multiple attack vectors.
This talk presents a red-team perspective of the various ways in which testers can discover and exploit Azure Storage to compromise sensitive information. The talk will include demos of practical attacks and attack possibilities against Azure Storage.
About the speaker
Sharath Kumar Ramadas is the Principal Researcher (R&D) at we45. He has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed integrations for multiple security products including DAST, SAST, SCA and Cloud environments.
Sharath has extensive experience with Cloud Deployments and Container Native Deployments. As part of his role in a security organization, he has led teams that have created intentionally vulnerable apps for CTF competitions both inside and outside we45.
Sharath is a speaker at multiple events around Cloud, Containers, Kubernetes and DevSecOps. He is also the author of Azure Security Trainings from we45.