Do you have 𝘀𝗲𝗿𝘃𝗶𝗰𝗲 𝗽𝗿𝗶𝗻𝗰𝗶𝗽𝗮𝗹𝘀 using "Policy.ReadWrite.
ConditionalAccess" in 𝗘𝗻𝘁𝗿𝗮 𝗜𝗗? Then you might be vulnerable to your 𝗲𝗻𝘁𝗶𝗿𝗲 𝘁𝗲𝗻𝗮𝗻𝘁 being 𝗿𝗮𝗻𝘀𝗼𝗺𝘄𝗮𝗿𝗲𝗱 😬

Here is why 🧵👇 🔎 𝗕𝗮𝗰𝗸𝗴𝗿𝗼𝘂𝗻𝗱
"Policy.ReadWrite.ConditionalAccess" has full control over Conditional Access Policies (CAPs).

(2/4)graphpermissions.merill.net/permission/Pol…

How a simple web-app assessment lead to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps 1. Poorly-designed file upload functionality lead to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace

Mounting a #Kubernetes service account to a pod with permissions to deploy other pods implies that if your app has RCE, a threat actor will be able to infect other Services in the cluster (yes, even if you use strict PSPs) #KubernetesSecurity #k8s #aks #gke #eks
#DevSecOps
🧵 👇 Background:
▪︎ A Service in #k8s is an object that balances HTTP requests between pods belonging to that Service
▪︎ A Service identifies its pods through a set of labels (e.g. "fancy-app: prod", "db: users", etc)