Critical OpenWrt Bug: Update Your Gear!
ASU 48-bit trash hash: Open source router firmware project fixes dusty old code.
The post Critical OpenWrt Bug: Update Your Gear! appeared first on Security Boulevard.
Author: Lance B. Cain
Overview
Microsoft Azure is a leading cloud provider offering technology solutions to companies, governments, and other organizations around the globe. As such, many entities have begun adopting Azure for their technology needs, including identity, authentication, storage, application management, and web services. One of the most common methods for organizations to begin experimenting with and adopting Azure is by deploying web applications, and an increasingly popular method for creating web applications is designing Single-Page Applications (SPAs). Katie Lawson of bloomreach.com defines SPAs as “a website or web application that dynamically rewrites a current web page with new data from the web server, instead of the default method of a web browser loading entire new pages”. SPAs typically use JavaScript integrations with API calls to update dynamically for a seamless user experience. Microsoft has multiple walkthroughs, guides, and documentation to aid organizations in deploying SPAs on Azure:
As a result, there are many new publicly hosted SPAs that communicate with Azure backend resources.
This blog post is intended to share insights learned from a prior security assessment about the attack surface of Single-Page Applications integrated with Azure, aid technology professionals in securing their Azure environments, and serve as a guide for enumerating Azure tenants using the additions of the pull request I submitted to Dirk-Jan’s ROADTools repository. This blog is not a comprehensive analysis of every SPA hosted on Azure, so your mileage may vary. Due to the widespread adoption of Microsoft’s Office products and web integrations for Azure, I will focus on two popular SPAs that Microsoft offers (i.e., WWW.OFFICE.COM and PORTAL.AZURE.COM); however, the workflow translates to many other SPAs as well.
A Brief Origin Story
My team and I were working on a collaborative cloud assessment for one of our clients targeting their Azure tenant. We were tasked with identifying methods of escalating privileges, assisting defenders in improving detections, and documenting attack paths in the client Azure environment using a compromised non-privileged user account on a Windows Virtual Desktop Image (VDI). We began by enumerating the available applications, Azure resources, Microsoft technologies, and client subscriptions. During the assessment, we learned that the client Azure environment was hardened with enforced multi-factor authentication (MFA), allow-listed MFA conditional access policies (CAPs), administrator restrictions on internal and external application enrollments, administrator approval for external invitations, continuous access evaluation, blocked access to Entra ID in the Azure portal, browser extension host security checks, blocked command-line interface (CLI) and PowerShell access, and time limitations on issued tokens forcing expiration after one hour.
The defensive configurations in the client environment impeded our work of obtaining access and refresh tokens to enumerate the target tenant. The team began looking at the resources our user account had access to. We had successfully authenticated as the non-privileged user to the Azure portal and to administrator pre-approved Microsoft Office web applications like Excel or Word on HTTPS://WWW.MICROSOFT365.COM. Within the Azure portal, we discovered that the user account had access to the Azure cloud shell, which the team used to obtain an access token using the built-in PowerShell cmdlet Get-AzAccessToken and to initiate some cursory enumeration.
Pro-Tip: If the cloud shell is available, it is possible to install pip Python modules, including ROADTools, in the Bash shell.
Figure 1 — Installing ROADTools in the Azure Cloud Shell
The team started collections to enumerate the client tenant using ROADTools and AzureHound with our initial access token; however, an hour later, we discovered that the tools had failed when the acquired token expired before they completed their tasks. Knowing that the client tenant was so large that automated enumeration would exceed the one-hour lifetime of the access tokens, we began looking into methods to update the access token used by the collections. After some research, we learned of a likely intentional limitation of Get-AzAccessToken in the Azure cloud shell: it returns access tokens but never a refresh token. My teammates started working on methods to script out obtaining a new access token in the cloud console, while I began looking at the access we had to authorized Microsoft web applications.
While investigating the Azure portal, I remembered something that Andy Robbins mentioned at SpecterOps’ Azure Security Fundamentals training; specifically, that the Azure portal is essentially a web application frontend that communicates with the Azure Graph APIs. Recalling the authentication flow ROADTools implements to obtain tokens through a Selenium-driven browser (not an option during the assessment because of the required extensions), I opened the inspector panel in the VDI client’s Google Chrome web browser to look for any token exchanges that occurred during authentication. While reviewing the network traffic in the inspector panel, I observed some requests named “token”. Filtering and inspecting the traffic for the term “token” showed multiple access and refresh tokens in the request payloads for resources like MANAGEMENT.CORE.WINDOWS.NET, GRAPH.MICROSOFT.COM, and, most interestingly, GRAPH.MICROSOFT.NET. The access tokens for the client environment still had the one-hour expiration limit, but the refresh tokens were valid for up to four hours. I also discovered, upon selecting the payload tab, that the client-id used for the request was captured as well.
Figure 2 — Access and Refresh Tokens in SPA Network Traffic
Excited to have obtained a refresh token for our client environment, I attempted authentication over a proxied connection to the VDI with ROADTools using the refresh token, which resulted in the below error response from Azure regarding cross-origin requests.
Figure 3 — Cross-Origin Error Response
I began researching the error message and quickly stumbled upon this Stack Overflow post where one of CajunCoding’s comments referenced a Microsoft page stating, “Microsoft identity platform returns an error if you attempt to use a spa redirect URI without an Origin header.”
Upon reviewing the Microsoft documentation, I spent the next hour issuing multiple web API requests to HTTPS://LOGIN.MICROSOFTONLINE.COM/{TENANT}/OAUTH2/V2.0/AUTHORIZE using Burp Suite and curl commands with varying origin HTTP headers. An access token was eventually returned for the supplied refresh token when entering the originating application URL in the request origin header. Upon successfully obtaining a new access token by hand, I updated my local instance of ROADTools to accommodate supplying an origin value when performing authentication with refresh tokens, which resulted in the addition of the origin parameter. Afterwards, my team and I successfully enumerated the client tenant using the available SPA refresh tokens and continued with the assessment. Our client was pleased to learn about the attack path where users with granted access to SPAs like the Azure Portal and Microsoft Online Office Applications could potentially obtain new tokens to enumerate their Azure tenant.
SPA Token Enumeration Workflow
Now with the origin argument added to the latest version of ROADTools, the most basic process of using SPA tokens to enumerate an Azure tenant is:
Note: Take notice of the origin URL
3. View exchanged tokens to obtain the refresh token contained in one of the MICROSOFT.NET, MICROSOFT.COM, or other Microsoft integrated resource token requests
Pro-Tip: For small tenants or tenants without short token expirations, access tokens for GRAPH.MICROSOFT.NET can be used from the browser instead of refresh tokens.
Pro-Tip: Some resource tokens, such as MANAGEMENT.CORE.WINDOWS.NET, have been found to provide only partial collections and will generate HTTP 403 errors, as demonstrated in the examples. I recommend targeting GRAPH.WINDOWS.NET or SharePoint resource tokens, which have yielded the best results.
4. Take note of the application client-id used to request tokens
Pro-Tip: For first-party Microsoft Azure applications like HTTPS://PORTAL.AZURE.COM, bookmark this page to quickly lookup the client-id: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications
5. Authenticate to the Microsoft graph API by supplying all the captured values to ROADTools
roadrecon auth -c <Client-ID> --origin <SPA Base URL> --refresh-token <Browser Refresh Token>
Pro-Tip: If Azure continuous access evaluation is enforced, execute the ROADTools authentication from the original workstation or SOCKS proxy the request through the workstation.
6. Execute your collection
roadrecon gather
7. Review the information
roadrecon gui

Azure Portal Example — Partial Collection with MANAGEMENT.CORE.WINDOWS.NET Token
2. Authenticate
Figure 5 — Azure Portal Authentication to Testing Tenant
3. Obtain Tokens
Figure 6 — Access and Refresh Tokens for MANAGEMENT.CORE.WINDOWS.NET
4. Note Client ID
Figure 7 — Client ID in Request Payload
5. Authenticate with ROADRecon
Figure 8 — Successful Authentication with Refresh Token
6. Gather — 403 Errors = Partial Collection
Figure 9 — Gather with HTTP 403 Errors
7. Review — roadrecon gui and browse to HTTP://127.0.0.1:5000
Figure 10 — Partial Data Collection

Office 365 Example — Full Collection with SharePoint Token
2. Authenticate
Figure 12 — Office 365 Authentication for Testing Account
3. Obtain Tokens
Figure 13 — Access and Refresh Tokens for SPECTERDEV.SHAREPOINT.COM
4. Note Client ID
Figure 14 — Client ID in Request Payload
5. Authenticate with ROADRecon
Figure 15 — Successful Authentication with Refresh Token
6. Gather
Figure 16 — Successful Tenant Enumeration
7. Review — roadrecon gui and browse to HTTP://127.0.0.1:5000
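The workflow and examples above show the token path from the attacker's seat; this added Python example (not part of the original post and not ROADTools code) shows the defender's side. It runs over constructed sign-in records and flags refresh-token grants to first-party SPA client ids for Graph or SharePoint resources that come from an IP with no matching interactive sign-in inside the four-hour refresh window, or that arrive in bursts typical of automated collection. The client ids, the user names and the record field names are placeholders and assumptions, not real Entra values or an export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder client ids standing in for first-party SPA application ids
# (look the real ones up in Microsoft's published list); not real values.
PORTAL_SPA_APP_ID = "11111111-1111-1111-1111-111111111111"
OFFICE_SPA_APP_ID = "22222222-2222-2222-2222-222222222222"
SPA_APP_IDS = {PORTAL_SPA_APP_ID, OFFICE_SPA_APP_ID}
# Resources whose tokens the post reports as the most useful for tenant collection.
ENUM_RESOURCE_SUFFIXES = ("graph.windows.net", "graph.microsoft.com", "sharepoint.com")

# Constructed sample sign-in records. Field names only loosely follow Entra ID
# sign-in log entries; treat the schema as an assumption, not an export format.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@contoso.example", "appId": PORTAL_SPA_APP_ID,
     "resource": "graph.microsoft.com", "ip": "203.0.113.10", "interactive": True},   # browser login
    {"time": "2024-05-01T09:05:00", "user": "alice@contoso.example", "appId": PORTAL_SPA_APP_ID,
     "resource": "graph.microsoft.com", "ip": "203.0.113.10", "interactive": False},  # normal SPA refresh
    {"time": "2024-05-01T09:10:00", "user": "bob@contoso.example", "appId": "33333333-3333-3333-3333-333333333333",
     "resource": "graph.microsoft.com", "ip": "203.0.113.20", "interactive": False},  # non-SPA client, ignored
    {"time": "2024-05-01T10:30:00", "user": "alice@contoso.example", "appId": PORTAL_SPA_APP_ID,
     "resource": "graph.windows.net", "ip": "198.51.100.7", "interactive": False},    # token replayed elsewhere
    {"time": "2024-05-01T10:31:00", "user": "alice@contoso.example", "appId": PORTAL_SPA_APP_ID,
     "resource": "graph.windows.net", "ip": "198.51.100.7", "interactive": False},
    {"time": "2024-05-01T10:32:00", "user": "alice@contoso.example", "appId": PORTAL_SPA_APP_ID,
     "resource": "contoso.sharepoint.com", "ip": "198.51.100.7", "interactive": False},
]


def is_enum_resource(resource):
    return resource.lower().endswith(ENUM_RESOURCE_SUFFIXES)


def flag_spa_token_reuse(events, window_hours=4, burst_threshold=20):
    """Return (reason, event) pairs for non-interactive token grants to a first-party SPA
    client id that look like replay of a captured refresh token:
      spa-token-from-new-ip: no interactive sign-in by that user from the same IP inside the window
      spa-token-burst: many such grants in one window, the shape of automated collection"""
    window = timedelta(hours=window_hours)
    interactive_seen = []       # (time, user, ip) of browser sign-ins
    recent = defaultdict(list)  # user -> times of SPA token grants inside the window
    flagged = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["interactive"]:
            interactive_seen.append((t, e["user"], e["ip"]))
            continue
        if e["appId"] not in SPA_APP_IDS or not is_enum_resource(e["resource"]):
            continue
        same_origin = any(u == e["user"] and ip == e["ip"] and t - window <= ti <= t
                          for ti, u, ip in interactive_seen)
        if not same_origin:
            flagged.append(("spa-token-from-new-ip", e))
        times = recent[e["user"]]
        times.append(t)
        while t - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) == burst_threshold:
            flagged.append(("spa-token-burst", e))
    return flagged
```

Where continuous access evaluation forces the refresh to be proxied through the original workstation, the IP signal disappears and only the burst signal remains, so tune burst_threshold to the tenant's normal SPA refresh rate.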
Figure 17 — Full Data Collection

About
Lance Cain is a Senior Consultant in Adversary Simulation at SpecterOps Inc. He has over eight years of experience in information technology with six of those focused on Red Teaming and Penetration Testing. Lance formerly served as the Engineering Cell Lead of the Marine Corps’ Red Team tasked with payload and command and control (C2) channel development. He now performs a variety of security assessments for SpecterOps clients and specializes in cloud and macOS technologies.
SPA is for Single-Page Abuse! - Using Single-Page Application Tokens to Enumerate Azure was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post SPA is for Single-Page Abuse! – Using Single-Page Application Tokens to Enumerate Azure appeared first on Security Boulevard.
Authors/Presenters: Anne Neuberger
Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their erudite DEF CON 32 content, originating from the conference’s events located at the Las Vegas Convention Center and via the organization’s YouTube channel.
The post DEF CON 32 – Fireside Chat – The Dark Tangent and DNSA appeared first on Security Boulevard.
CORS misconfigurations are often overlooked, but they can have severe consequences. We demonstrate how reflecting the origin header leads to code execution in Whistle.
The post Never Underestimate CSRF: Why Origin Reflection is a Bad Idea appeared first on Security Boulevard.
AI workloads operate at machine speed – but their identities risk being exploited, turning innovation into vulnerability.
The post How to Secure Non-Human Identities for AI Workloads appeared first on Aembit.
The post How to Secure Non-Human Identities for AI Workloads appeared first on Security Boulevard.
For too long, architecting for cyber recovery and resiliency was on the vision board for a distant future. Unfortunately, that “distant future” is here, but many companies have not started this critical effort.
The post Given Today’s Data Complexity, a Platform Mindset is Crucial for Cyber Recovery appeared first on Security Boulevard.
Although AI can enhance threat detection and response capabilities, it also introduces sophisticated attack vectors that require a rethink of traditional security models.
The post Defending Against AI-Powered Attacks in a “Spy vs. Spy” World appeared first on Security Boulevard.
Cybersecurity companies — traditionally considered pioneers of data innovation — are often the ones struggling to unlock the full potential of the data they collect within their own organizations.
The post Cybersecurity Companies Must Practice What They Preach to Avoid the Data Paradox appeared first on Security Boulevard.
After years of quiet growth, the electric vehicle (EV) market has kicked into high gear, powered by sustainability trends, technology advances and increased consumer enthusiasm. Earlier this year, a team from Cornell created a new lithium battery that can charge in under five minutes, while maintaining stable performance over extended cycles of charging and discharging...
The post Balancing Security and Convenience With EV Charging appeared first on Security Boulevard.
The rise in Android users has transformed how individuals and businesses access financial services, offering convenience and speed like never before. However, this rapid digitalization has also made these platforms a prime target for hackers. SpyLoan malware is a threat specifically engineered to exploit vulnerabilities in digital lending ecosystems. By stealing sensitive customer data, manipulating […]
The post SpyLoan Malware: A Growing Threat to Android Users appeared first on Kratikal Blogs.
The post SpyLoan Malware: A Growing Threat to Android Users appeared first on Security Boulevard.
Simplify DNS management with PowerDMARC's One-Click Auto DNS Publishing powered by Entri. Publish DNS records like DMARC, SPF, DKIM, and more in just one click.
The post PowerDMARC One-Click Auto DNS Publishing with Entri appeared first on Security Boulevard.
What is OSCAL? OSCAL provides a traceable and machine-readable data format for capturing and sharing security information. A standardized, continuous representation of an organization’s security controls helps prove compliance with NIST’s risk management framework for mandated federal agencies. FedRAMP joined with NIST to create the Open Security Controls Assessment Language (OSCAL), a standard that can […]
The post Leveraging NIST OSCAL to Provide Compliance Automation: The Complete Guide appeared first on Centraleyes.
The post Leveraging NIST OSCAL to Provide Compliance Automation: The Complete Guide appeared first on Security Boulevard.
In Q4 of 2024, NSFOCUS observed and successfully mitigated the largest DDoS attack ever recorded under the cloud-based DDoS Protection Service (DPS). This massive DDoS attack targeted a telecommunications service provider, one of NSFOCUS’s global clients. The telecommunications industry frequently faces such cyber threats. However, the scale of this attack was unprecedented, with peak traffic […]
The post NSFOCUS DDoS Protection Service Neutralized a Terabit-Scale DDoS Attack appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post NSFOCUS DDoS Protection Service Neutralized a Terabit-Scale DDoS Attack appeared first on Security Boulevard.
The Forgotten Keyholders: Understanding Non-human Identities in Cybersecurity Have you ever considered who holds the keys to your organization’s most sensitive data? Beyond the human factor in information gatekeeping, machine identities known as Non-Human Identities (NHIs) play a significant role. These NHIs, armed with their encrypted secrets, serve as ‘tourists’ navigating the sprawling landscape of […]
The post Empowering Teams with Secure Cloud Environments appeared first on Entro.
The post Empowering Teams with Secure Cloud Environments appeared first on Security Boulevard.
Are You Maximizing Your Organization’s Cybersecurity? Cybersecurity is not only a means of information protection but also a valuable strategic asset that can drive business growth and stability. Central to achieving such a valuable level of security is managing Non-Human Identities (NHIs) and their corresponding secrets—a technique known as Secrets Security Management. So, how does […]
The post How Secrets Security Boosts Business Value appeared first on Entro.
The post How Secrets Security Boosts Business Value appeared first on Security Boulevard.
How Does NHI Lifecycle Management Promote Innovation? In today’s rapidly evolving digital landscape, innovation is the silver bullet that empowers organizations to thrive amidst relentless competition. But, how does Non-Human Identity (NHI) lifecycle management enable such innovation? NHIs, or machine identities, are critical actors in our increasingly interconnected cyber ecosystem. They handle substantial volumes of […]
The post Leveraging NHI Lifecycle Management for Innovation appeared first on Entro.
The post Leveraging NHI Lifecycle Management for Innovation appeared first on Security Boulevard.
Authors/Presenters: Jake Jepson, Rik Chatterjee
Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their erudite DEF CON 32 content, originating from the conference’s events located at the Las Vegas Convention Center and via the organization’s YouTube channel.
The post DEF CON 32 – Compromising Electronic Logger & Creating Truck2Truck Worm appeared first on Security Boulevard.
Every week, IT and security teams gather – be it in a virtual conference room or a cramped huddle space – prepared to spend an hour or two wincing at massive lists of “Critical” and “High” severity vulnerabilities. The vulnerability management tools have done their job, dutifully regurgitating every fresh CVE from public feeds. On …
The post Surviving the Weekly CVE Review Gauntlet appeared first on Security Boulevard.
Why do 31 of the top 250 MSSPs choose D3? From seamless onboarding to cutting alert noise by 99%, D3's automation revolutionizes managed security. See how.
The post 31 of the Top MSSPs Use D3 for SOC Automation: Here’s Why appeared first on D3 Security.
The post 31 of the Top MSSPs Use D3 for SOC Automation: Here’s Why appeared first on Security Boulevard.
The Amazon Web Services (AWS) Shared Responsibility Model has come a long way, indeed.
Related: ‘Shared Responsibility’ best practices
In 2013, Amazon planted a stake in the ground when it divided cloud security obligations between AWS and its patrons, guaranteeing … (more…)
The post Shared Intel Q&A: A thriving ecosystem now supports AWS ‘shared responsibility’ security model first appeared on The Last Watchdog.
The post Shared Intel Q&A: A thriving ecosystem now supports AWS ‘shared responsibility’ security model appeared first on Security Boulevard.