Chirag Savla

Chirag Savla, White Knight Labs

Chirag Savla is a cyber security professional with 10+ years of experience. His areas of interest include penetration testing, red teaming, Azure and Active Directory security, and post-exploitation research. In his leisure time, he enjoys creating open-source tools and exploring new attack methodologies. Chirag has worked extensively on Azure, Active Directory attacks and defense, and bypassing detection mechanisms. He is the author of multiple open-source tools such as Process Injection, Callidus, and others. He has presented at many conferences and local meetups and has trained people at international conferences like Black Hat, BSides Milano, Wild West Hackin’ Fest, HackSpaceCon, VulnCon and NorthSec.


Talk: When Serverless Becomes a Foothold: Abusing Azure Function Apps in Modern Cloud Environments

Talks will be streamed on YouTube and Twitch for free.


Serverless architectures continue to evolve, and so does their attack surface. Azure Function Apps have undergone a significant architectural transformation with the introduction of the Flex Consumption plan, identity-based service connections, private networking, OpenAI integrations, and hybrid hosting models. While these features expand functionality and scalability, they also introduce new and often overlooked security misconfigurations.

Azure Functions remain a powerful serverless compute platform capable of interacting with a wide range of cloud and on-premises services. However, recent platform enhancements have created novel abuse primitives that can be leveraged by attackers for persistence, lateral movement, and stealthy post-exploitation operations.

This talk explores modern techniques for gaining access to Azure Function App source code and configuration data across contemporary deployment models, including Flex Consumption and container-backed hosting. We demonstrate how identity-based service connections, managed identities, and Key Vault or App Configuration references can be abused to access downstream cloud resources without relying on traditional secrets. We also present new approaches for deploying stealthy backdoors across multiple runtimes, including .NET isolated, Python, Node.js, and Java. Additionally, we examine authenticated Function App misconfigurations that allow unintended user access and execution.

We further analyze advanced networking scenarios enabled by recent platform features, such as VNet-integrated serverless functions and private triggers, and show how they can be exploited to pivot between cloud and internal environments. The talk also highlights how Azure Function Apps can be repurposed as resilient command-and-control redirectors or staging infrastructure, blending seamlessly into legitimate serverless traffic and cloud telemetry.

Through updated real-world penetration testing case studies, we demonstrate modern escalation paths originating from Function Apps that lead to privileged Azure control and hybrid identity compromise. By uncovering these feature-driven abuse cases and providing actionable detection and hardening guidance, this research equips both defenders and cloud pentesters to secure the next generation of Azure serverless deployments.

Training: Offensive GCP Operations & Tactics Certification (OGOTC)

Offensive GCP Operations & Tactics Certification (OGOTC) is an advanced, hands-on training course designed to provide security professionals, penetration testers, and cloud engineers with a deep understanding of the security landscape within Google Cloud Platform (GCP). This course covers the full attack lifecycle, from initial access to post-exploitation, equipping participants with the skills to identify, exploit, and defend against real-world vulnerabilities in GCP environments.

The course begins with an overview of GCP architecture, focusing on key services like Compute Engine, Cloud Storage, BigQuery, and Cloud Run. Participants will learn how to perform both unauthenticated and authenticated enumeration using techniques such as API abuse, DNS reconnaissance, and Google Dorking. The course then explores initial access methods, including credential theft, phishing (Evilginx), and misconfigured IAM roles. Hands-on labs will demonstrate privilege escalation, lateral movement through service accounts, and data exfiltration using GCP services.

Participants will also explore command and control (C2) strategies using GCP services and discover how to abuse metadata servers for escalation. Advanced modules cover Kubernetes exploitation, including pod compromise and privilege abuse within clusters. The course concludes with defensive strategies, showing how to harden IAM policies, secure APIs, and prevent privilege escalation.