
Azure's Weakest Link - How API Connections Spill Secrets

Black Hat via YouTube

Overview

Explore critical security vulnerabilities in Azure's API connection infrastructure through this 28-minute Black Hat conference presentation. Discover how Azure API Connections, which integrate Logic Apps, Power Apps, and Power Automate with external systems, can be exploited to gain near-unrestricted access to connected APIs with minimal privileges, and even with cross-tenant capabilities. Learn about the complex layers of Azure Resource Management (ARM), API Management (APIM), Custom Connectors, consent servers, and token stores that create exploitable attack vectors. Follow the detailed demonstration of a cross-tenant Key Vault secrets leak, starting from an interesting JSON reply and escalating to low-privileged user access to Key Vaults with cross-tenant capabilities. Understand how attackers can inject into databases, publish issues on Jira, exfiltrate Salesforce data, and send unauthorized emails through these vulnerabilities. Gain insights into the shortcomings of Azure security and into the hidden infrastructure that security researchers and potential attackers can understand and exploit.

Syllabus

Azure's Weakest Link? How API Connections Spill Secrets

Taught by

Black Hat
