Exploit SQL Injection in Azure Function App | Walkthrough | Pwned Labs скачать в хорошем качестве

Exploit SQL Injection in Azure Function App | Walkthrough | Pwned Labs

In this lab guide, we walk through a real-world Azure attack chain that starts with a compromised Entra ID user and escalates into serverless exploitation via SQL injection in an Azure Function App. You’ll follow a red team–focused path that demonstrates how cloud-native services can be abused just like traditional web apps, and how a single vulnerability can cascade into broader Azure access when managed identities are involved. ⚔️ Attack Highlights Kudu enumeration and environment variable discovery Managed identity token theft via IMDS AzureHound JWT authentication ARM API abuse without traditional credentials Function App endpoint discovery MSSQL WAITFOR DELAY–based SQL injection Automated table name extraction via timing attacks 🛡️ Defense & Mitigations We close out the lab by covering secure coding practices for Azure Functions, including: Parameterized SQL queries Input validation and sanitization Secure identity and permission design #PwnedLabs #AzureSecurity #CloudRedTeam #AzureFunctions #SQLInjection #ManagedIdentity #EntraID #CloudPentesting #ServerlessSecurity #OffensiveSecurity 00:00 - Start 01:30 - Enumeration 08:00 - Kudu access 22:00 - SQL time based blind Injection