#BHUSA @BlackHatEvents

Azure's Weakest Link? How API Connections Spill Secrets
Haakon Holm Gulbrandsrud

Slide titles recovered from the deck:

Vulnerability Discovery
Azure Logic Apps
Logic App Designer
What do they mean?
Azure Resource Management (resource path components): Subscription, Resource Group, API Type, Resource, Action/Endpoint
ANY GET request action on an API Connection can be called by Readers
API Connection Architecture (https:/ )
Action Definitions (https:/ )
Action URL components: Global APIM Host, Connector Type, Connection ID, Action endpoint
But they were, all of them, deceived, for another Connection ACL was made.
API Connection Architecture (https:/ ) - specifically Azure Resource Management
Things that are not facts about Azure
Well, simple-ish
Simple Security Model
Readers GET