Our data and infrastructure have shifted to the cloud, and we rely more and more on our DevOps engineers and cloud providers to keep us safe and secure. Join us virtually for our upcoming "The Hacking Games - Cloud Vulnerabilities" meetup to learn how hackers compromise cloud infrastructure, advanced data protection methods, and how to survive ransomware in the cloud.
5. Why is Privacy So Important?
Money. Yes, money, and plenty of it: see the fines recorded at
https://www.enforcementtracker.com/
6. Privacy – Key Terms & Concepts
• GDPR – General Data Protection Regulation
• CPRA – California Privacy Rights Act (amends and extends the CCPA, the California Consumer Privacy Act)
7. Privacy – Key Terms & Concepts
• Data Subject:
“The identified or identifiable living individual to whom
personal data relates.”
8. Privacy – Key Terms & Concepts
• PII – Personally Identifiable Information:
“Any information that relates to an identified or
identifiable living individual. Different pieces of
information, which collected together can lead to the
identification of a particular person, also constitute
personal data.”
9. Privacy – Key Terms & Concepts
• Data Controller:
“The natural or legal person, public authority, agency or
other body which, alone or jointly with others,
determines the purposes and means of the processing
of personal data.”
10. Privacy – Key Terms & Concepts
• Data Processor:
“A natural or legal person, public authority, agency or
other body which processes personal data on behalf of
the controller and under their authority. In doing so,
they serve the controller's interests rather than their own.”
11. Privacy – Key Terms & Concepts
• What GDPR & CPRA are all about:
• From the OWASP Top 10 to the Privacy Top 12 (KPIs):
1. Security & Pseudonymization
2. Data Breach & Notification
3. Right To Be Forgotten
4. Right To Portability
5. Consent & Right To Withdraw
6. Notice
7. Profiling & User Behavior
8. Data Transfer
9. DPIA
10. Supply Chain Obligations
11. Liabilities
12. Transparency
12. 12 Key Privacy Indicators (KPIs)
(diagram of the twelve KPI categories listed above)
13. Cloud-Focused Privacy
• Privacy 12 (KPI):
1. Security & Pseudonymization
2. Data Breach & Notification
3. Right To Be Forgotten
4. Right To Portability
5. Consent & Right To Withdraw
6. Notice
7. Profiling & User Behavior
8. Data Transfer
9. DPIA
10. Supply Chain Obligations
11. Liabilities
12. Transparency
18. Product-Focused Privacy
Article/Provision: details the terms and requirements for data protection in “legalese” language that R&D will struggle to translate into clear guidelines.
Technical Requirements: What/How/Where, detailed requirements for R&D to follow in order to comply with regulations.
CCPA’s 21 legal provisions and the 99 GDPR articles map to ~110 technical requirements.
The Product Privacy Framework is built together with the organization’s Privacy Counsel!
21. Benefits of Product Privacy Framework
• Clear requirements R&D can understand and implement
• Easy to create the product’s gap analysis
• Easy to create the R&D implementation plan
• Measurable: KPIs shared with senior management
• Ensures trust in our customers
(charts: “GDPR Technical Framework Maturity Level”, a 0–100% bar for each of Product A–D; “Product A – Maturity By Category”, desired vs. actual maturity on a 1–3 scale for Right to be forgotten, Portability, Notice, Liabilities, Transparency and Security)
24. PAGE
A vulnerability discovered by Pentera Labs research
XSS in Azure Functions
Pentera Labs™ Series
Uriel Gabay
Senior Security Researcher
22/03/2023
25. PAGE
What if the cloud provider is vulnerable to XSS?
XSS (cross-site scripting) is the ability to inject JavaScript code that runs in another origin’s context.
It enables an attacker to:
• Read cookies (those not flagged HttpOnly)
• Read and modify the page’s HTML objects (the DOM)
• Read the browser storage/DB for this website
• Send requests on behalf of the infected user
• Phish the user from inside the trusted page
27. PAGE
Azure Functions - The attack surface
Agenda: Understanding the attack surface / Browser security concepts explained / Vulnerability walk-through / Mitigations
28. PAGE
Azure Functions - The attack surface
What is Azure Functions
Part of the Azure services, a FaaS (Function-as-a-Service)
Goal
Infrastructure for building event-driven applications
Popularity
“Azure is in the top 3 most popular cloud service providers with 21% market share”
According to Synergy Research Group
29. PAGE
Browser security concepts explained
What is an Origin?
Defined as: scheme://host:port (a different scheme, host, or port is a different origin; path, query and fragment do not matter)
Example:
http://google.com:80 != http://google.com:81
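The origin rule above, as an added example that is not part of the Pentera slides: the code uses the WHATWG URL parser built into Node.js to reduce each URL to its (scheme, host, effective port) tuple and compares the tuples the way a browser does. The URLs in the case table are constructed for illustration.

```javascript
// Added example, not from the original talk: how a browser decides whether two
// URLs belong to the same origin. Uses only the WHATWG URL parser built into Node.js.

// Default ports per scheme: the parser drops them, so they are restored here
// to make "http://google.com" and "http://google.com:80" compare equal.
const DEFAULT_PORT = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Return the (scheme, host, effective port) tuple that defines an origin,
// or null for URLs that yield an opaque origin (data:, file:, blob:, ...).
function originTuple(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return null;            // opaque origin: never equal to anything
  const port = u.port ? Number(u.port) : DEFAULT_PORT[u.protocol];
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same-origin test: all three components must match exactly. Subdomains,
// scheme changes and non-default ports all produce a different origin.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases: the slide's example plus the variants that commonly surprise people.
const CASES = [
  ["http://google.com:80/a", "http://google.com/b"],       // explicit default port: same origin
  ["http://google.com:80", "http://google.com:81"],        // the slide's example: different
  ["http://google.com", "https://google.com"],             // scheme differs
  ["https://bank.com/login", "https://api.bank.com/v1"],   // subdomain differs
  ["https://bank.com", "https://bank.com/anything?x=1#y"], // path/query/fragment are ignored
  ["data:text/html,a", "data:text/html,a"],                // opaque origins never match
];

// Evaluate every pair; returns [true, false, false, false, true, false].
function runCases() {
  return CASES.map(([a, b]) => sameOrigin(a, b));
}

console.table(CASES.map(([a, b], i) => ({ a, b, sameOrigin: runCases()[i] })));
```

The fourth case is the one that matters for the rest of the talk: bank.com and api.bank.com are different origins even though they share a registrable domain, which is exactly why the browser has to consult CORS before a page on one can talk to the other.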
30. PAGE
Browser security concepts explained
Sandboxing
Isolation of the data related to one origin from another.
(diagram: ATTACKER.COM, BANK.COM and the CLIENT, which holds Bank.com’s cookies)
31. PAGE
Browser security concepts explained
SOP (Same Origin Policy)
• A policy enforced by the browser. A page from one origin cannot read responses from another origin, and cannot send a “non-simple” cross-origin request (for example a POST with a JSON body or custom headers) without the target origin’s permission.
• The policy is on by default; for a non-simple request the browser first asks the target origin via a preflight (OPTIONS) request.
1. The client interacts with bank.com
2. bank.com’s page asks the browser to send a POST with a JSON body to api.bank.com
3. The client (browser) notices that bank.com is not the same origin as api.bank.com
4. The client sends a preflight request to api.bank.com
5. From the preflight response the client learns whether api.bank.com allows such a request from bank.com
(diagram: ATTACKER.COM, BANK.COM, CLIENT and API-BANK.COM, with the preflight example script)
32. PAGE
Browser security concepts explained
CORS (Cross-Origin Resource Sharing)
The policy that defines which origins have permission to send non-simple requests to this one (and to read the responses).
Preflight example: response from api.bank.com allowing bank.com (the header names the requesting origin, not the API’s own host):
Access-Control-Allow-Origin: https://bank.com
Access-Control-Allow-Methods: POST, PUT, OPTIONS
(diagram: ATTACKER.COM, BANK.COM, CLIENT and API-BANK.COM; the CORS policy is evaluated at api.bank.com)
33. PAGE
XSS vulnerabilities explained
3 types of XSS vulnerabilities:
01 Persistent (stored)
02 DOM-based
03 Reflected
34. PAGE
Reflected XSS example
(diagram: CLIENT and SOMEWEBSITE.COM, steps 1–3 through the server-side code that reflects the input)
Example of reflected XSS:
35. PAGE
Reflected XSS vulnerability in Azure Functions
Description
The reflected XSS vulnerability found in functions.azure.com enables an attacker to run
JavaScript code in the context of the legitimate functions.azure.com origin.
36–39. PAGE
Reflected XSS vulnerability in Azure Functions
Vulnerability discovery process (built up over four slides):
1. Found a suspicious HTTP request
2. A URL parameter is returned by the server in the response
3. The response Content-Type is text/html (a prerequisite for XSS)
4. XSS
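The reflected-XSS example (slide 34) and the discovery checklist above, as an added example that is not the Pentera code and does not reproduce the functions.azure.com endpoint: a request handler that reflects a query parameter into HTML unencoded, the hardened version of the same handler, a JSON variant that shows why the text/html prerequisite matters, and the triage check (is the probe reflected verbatim, and is the response HTML?). The route `/greet`, the parameter `name` and the CSP header are assumptions; the slides do not mention a Content-Security-Policy.

```javascript
// Added example, not from the original talk. Route and parameter names are invented.

const PAYLOAD = "<script>alert(document.domain)</script>"; // classic reflected-XSS probe

// Minimal HTML encoding of the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

function paramFrom(url, name) {
  // base is only needed to parse a relative path; it is a placeholder, not a real host
  return new URL(url, "https://example.invalid").searchParams.get(name) ?? "";
}

// Vulnerable: the query value is concatenated into an HTML body as-is.
function vulnerableHandler(url) {
  const name = paramFrom(url, "name");
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<html><body><h1>Hello ${name}</h1></body></html>`,
  };
}

// Hardened: every reflected value is HTML-encoded. The CSP is defence in depth
// (an assumption of this example): an inline script would not execute even if
// one encoding call were missed somewhere else in the page.
function hardenedHandler(url) {
  const name = paramFrom(url, "name");
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    body: `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`,
  };
}

// Same reflection, but served as JSON: the browser will not render it as a document,
// so the probe alone is not an XSS (the slides list text/html as a prerequisite).
function jsonHandler(url) {
  const name = paramFrom(url, "name");
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ greeting: `Hello ${name}` }),
  };
}

// Triage check from the discovery process: a parameter is an XSS candidate when the
// probe comes back byte-for-byte in a response the browser will parse as HTML.
function reflectedXssCandidate(response, probe) {
  const ct = (response.headers["Content-Type"] || "").split(";")[0].trim().toLowerCase();
  return ct === "text/html" && response.body.includes(probe);
}

// Send the probe through a handler and report whether it looks exploitable.
function probe(handler) {
  const url = "/greet?name=" + encodeURIComponent(PAYLOAD);
  return reflectedXssCandidate(handler(url), PAYLOAD);
}

console.log({
  vulnerable: probe(vulnerableHandler), // true
  hardened: probe(hardenedHandler),     // false
  json: probe(jsonHandler),             // false: reflected, but not rendered as HTML
});
```

The JSON case is the one that separates "parameter is reflected" from "XSS": the same string comes back unchanged, but without a text/html content type the browser never hands it to the HTML parser, which is why the discovery flow checks the content type before calling it a finding.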
40. PAGE
Research questions
Two obstacles to a working exploit:
• The vulnerable endpoint expected an application/json body. A cross-origin POST with that content type is not a “simple” request, so the browser sends a CORS preflight first, and unless functions.azure.com explicitly allows the attacker’s origin the real request is never delivered.
• The attacker’s page has to redirect the victim from the attacker’s origin into the functions.azure.com origin, because that is where the reflected script must run.
Solution
Change the request format to the application/x-www-form-urlencoded content type: a form POST with that content type is a simple request, so the browser sends it cross-origin without any preflight.
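The SOP/CORS behaviour from slides 31–32 and the content-type switch described in the research questions above, as one added example that is not Pentera’s code: the browser-side rule that decides whether a cross-origin request is "simple" (sent directly) or preflighted, and the server-side check that answers a preflight. The allowlist, the hostnames bank.com, api.bank.com and attacker.com, and the allowed methods are assumptions of this example.

```javascript
// Added example, not from the original talk. Allowlist and hostnames are invented.

// Per the Fetch standard, only these methods, request headers and Content-Type values
// may appear on a request that the browser sends cross-origin without a preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function mediaType(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// Browser side: true when the request goes out directly with no OPTIONS preflight.
// Note that SOP still stops the attacker's page from *reading* the response; the
// point for this attack is that the request (and its payload) is delivered at all.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return false;
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.has(mediaType(value))) return false;
  }
  return true;
}

// Server side (assumed api.bank.com): answer a preflight. Only allowlisted origins get
// CORS headers, and Access-Control-Allow-Origin echoes the *requesting* origin.
const ALLOWED_ORIGINS = new Set(["https://bank.com"]); // assumed allowlist
const ALLOWED_METHODS = ["POST", "PUT", "OPTIONS"];

function preflightResponse(requestOrigin, requestedMethod) {
  if (!ALLOWED_ORIGINS.has(requestOrigin) || !ALLOWED_METHODS.includes(requestedMethod)) {
    return { status: 403, headers: {} }; // no CORS headers: the browser drops the real request
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": "Content-Type",
      Vary: "Origin",
    },
  };
}

// The three situations from the slides, evaluated with the rules above.
function scenarios() {
  const json = { "Content-Type": "application/json" };
  const form = { "Content-Type": "application/x-www-form-urlencoded" };
  return {
    // bank.com -> api.bank.com with JSON: preflighted, and the allowlist admits it
    jsonFromBank: { simple: isSimpleRequest("POST", json), preflight: preflightResponse("https://bank.com", "POST").status },
    // attacker.com with JSON: preflighted, rejected, the POST never leaves the browser
    jsonFromAttacker: { simple: isSimpleRequest("POST", json), preflight: preflightResponse("https://attacker.com", "POST").status },
    // attacker.com with a form-encoded body: no preflight, the POST is delivered
    // (this is the content-type switch used in the Azure Functions write-up)
    formFromAttacker: { simple: isSimpleRequest("POST", form), preflight: null },
  };
}

console.log(scenarios());
```

The practitioner’s takeaway from the last scenario is that CORS is not a CSRF or XSS defence: any endpoint that accepts form-encoded input will receive attacker-initiated cross-origin POSTs whether or not it sets CORS headers, so the reflection itself has to be fixed on the server.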
43. PAGE
Mitigations
Using a network proxy or a browser security add-on:
1. Detect malicious content (JavaScript) being loaded
2. Detect communications to malicious domains
* This is very difficult in practice, because it is hard to separate legitimate actions from malicious ones
45. PAGE
Check out our blog
for a more detailed explanation of the vulnerability
or sign up for the Pentera Labs Newsletter at:
pentera.io/pentera-labs
Contact us
• uriel.gabay@pentera.io
62. State Law
“Healthcare facilities must retain medical records for a minimum of
five years beyond the date the patient was last seen”
Oklahoma Dept. of Health Reg. Ch. 13, Section 13.13A
67. Interviews
Interview the following people to get a sense of what’s critical to the organization
1. Executives
2. Team leaders
3. Key persons
4. DevOps & IT