Chirag Savla, White Knight Labs
Chirag Savla is a cyber security professional with 10+ years of experience. His areas of interest include penetration testing, red teaming, Azure and Active Directory security, and post-exploitation research. In his leisure time, he enjoys creating open-source tools and exploring new attack methodologies. Chirag has worked extensively on Azure, Active Directory attacks and defense, and bypassing detection mechanisms. He is the author of multiple open-source tools such as Process Injection, Callidus, and others. He has presented at many conferences and local meetups and has trained people at international conferences like Blackhat, BSides Milano, Wild West Hackin’ Fest, HackSpaceCon, VulnCon and NorthSec.
Talk: Exploring Azure Logic Apps and Turning Misconfigurations into Attack Opportunities
Talks will be streamed on YouTube and Twitch for free.
Azure Logic Apps, a powerful tool for automating workflows and system integration, plays a pivotal role in modern cloud operations. However, these capabilities come with hidden risks: numerous potential security vulnerabilities and attack vectors that can be exploited due to unnoticed misconfigurations. This session will examine the complex attack surface of Azure Logic Apps, revealing how attackers can manipulate its features to compromise cloud environments.
We will cover critical topics such as the exposure of sensitive data due to improperly secured Logic Apps, the execution of inline C# code to perform malicious actions, privilege escalation within storage accounts, hijacking API connections, and techniques for facilitating cloud-to-on-premises lateral movement. Additionally, we will address the often-overlooked risks associated with custom authorization logic, showcasing real-world examples of how weak authentication mechanisms can be bypassed, resulting in unauthorized access and data breaches.
Furthermore, we will explore the broader implications of misconfigured Logic Apps, such as overly permissive role-based access control (RBAC), insecure service principals, and unprotected connections to external systems. These misconfigurations can open the door to privilege escalation, unauthorized access, and even cloud-to-cloud or cloud-to-on-premises lateral movement.
By examining these threats and their countermeasures, organizations can strengthen the security of their Logic App implementations and ensure resilient cloud operations. Real-world scenarios and exploitation techniques will be dissected to highlight critical vulnerabilities in these workflows.
Training: Offensive GCP Operations & Tactics Certification (OGOTC)
Offensive GCP Operations & Tactics Certification (OGOTC) is an advanced, hands-on training course designed to provide security professionals, penetration testers, and cloud engineers with a deep understanding of the security landscape within Google Cloud Platform (GCP). This course covers the full attack lifecycle, from initial access to post-exploitation, equipping participants with the skills to identify, exploit, and defend against real-world vulnerabilities in GCP environments.
The course begins with an overview of GCP architecture, focusing on key services like Compute Engine, Cloud Storage, BigQuery, and Cloud Run. Participants will learn how to perform both unauthenticated and authenticated enumeration using techniques such as API abuse, DNS reconnaissance, and Google Dorking. The course then explores initial access methods, including credential theft, phishing (Evilginx), and misconfigured IAM roles. Hands-on labs will demonstrate privilege escalation, lateral movement through service accounts, and data exfiltration using GCP services.
Participants will also explore command and control (C2) strategies using GCP services and discover how to abuse metadata servers for escalation. Advanced modules cover Kubernetes exploitation, including pod compromise and privilege abuse within clusters. The course concludes with defensive strategies, showing how to harden IAM policies, secure APIs, and prevent privilege escalation.