We created this fun and beginner-friendly lab to highlight how serverless apps are not immune to vulnerabilities affecting traditional web apps. It also showcases how a managed identity assigned to a compromised web app can be leveraged for lateral movement. We'll also learn how this scenario could have been mitigated.

Our red team performed a password spray and compromised several accounts have been recently created with a default password, ready for the new company hires to log in. You have been provided with credentials for a compromised account and are tasked with gaining further access to the Azure environment.

Basic Windows and Linux command line knowledge

• Identify if a managed identity has been assigned to an Azure Web App
• Obtain an access token for the managed identity and reuse it with AzureHound
• Enumerate resources by calling the Azure Resource Manager API
• Identify and exploit an Azure Function App SQL injection vulnerability
• Learn how this scenario could have been prevented

Serverless technologies such as Azure Function Apps can suffer from many of the same vulnerabilities that affect traditional web applications, and same mitigations of using parameterized queries and ensuring proper validation and sanitization of user-input applies. Once a web app is compromised, it doesn't have to stop there! Azure Web Apps are often associated with managed identities, that may be assigned permissions to other Azure resources.