
students those are the apps that business users are building themselves and we're going to see just how far we can take it to really get uh where we want to be so uh a quick note about myself I uh lead in an OS group dedicated to low code no code so that's like the top 10 uh four local no code apps if you're interested check it out we have over 200 people that are part of this group already um I did a company called zenity which is focused on on this area uh we've been we've been around for something like two years and I've actually been focused on security for low code for about four
years now started off with Microsoft I was part of the T I was part of a team now that created a bunch of new products that are around like Defender 4X so Defender for apis Defenders for iot and others and I also write in that creating if you're interested in this in in this topic there's a bunch more uh going to Shell more than today so reach out or or shoot me an email or something okay a quick disclaimer uh of course even though this talk is given from an attacker's perspective the idea the kind of local code is is awesome this thing is really and we're gonna say it in a moment local is really putting power in
the hands of business users which are of course the people that are uh kind of the best to move the business forward and we're gonna see uh just how kind of I mean what what those people are able to actually create um but it's important to do it in a secure way and that's why we're giving this talk so here's what we're going to do this is a quick uh outline here we're going to start by making sure that we all uh that we're all on the same page on what local.com is just to understand it attacks that were observed in the wild uh we'll start off with living off the land attacks you'll find that uh low
code apps they have compute they run on somebody else's Cloud they're really difficult to monitor which makes them the perfect thing uh for for living of the land attacks we'll also see uh persistency mechanism and we're going to follow an apt group that actually uh used power automate specifically as a persistency mechanism and then we're going to see this predictable misconfigurations just think like open S3 buckets and how long we've tried to solve that problem so we're going to see this pop up again here and of course we'll drop it off with uh a how how do you how you can protect your organization when you when you go home but also a few tools that you can play
around with to just kind of uh get a feeling of it so let's start with low code the number one slide that's kind of a swati's presentation the most important thing you're gonna see today is the next slide so uh here it is this is a chart that's representing a single Fortune 500 organization and the number of applications that were built by their business users using low code no code of course this is anonymized and we are seeing this across multiple organizations and the numbers could vary but when you talk about business users building applications or in other words it's people are calling this citizen development this is taking off in a way that's really unprecedented to what we
know from kind of professional application development I mean how many applications are built in your org every year a hundred a thousand if you're huge not uh you won't find five five thousand or ten thousand applications that were that were built by professional developers that means that everything that relies on manual operations won't work Security reviews won't work so add modeling won't work just kind of vulnerability management if you need to take to take a look at all of these different applications this won't work we need a new approach here and that's why this is important you're also seeing that this chart goes up very rapidly and this is kind of just with the proliferation of these tools across the
Enterprise where more and more business users becoming aware of it of course not all these of all of these applications are huge many of them are very small you can call them my co-ops but they still have identity they still touch data they can still do operations so they still pose a risk all right so this is essentially trying to capture why local exists right and this is a perennial problem we will never have enough I.T I.T resources to Target everything that the business needs and also I mean we things get lost in translation right when somebody from from the business needs something done and they need to get somebody convinced so they can actually go ahead and build
it things don't work properly and if you if this sounds familiar like this idea of enabling business users if this sounds like a not a new thing well it's not a new thing it's been around since forever if you think about Excel for example that's like the perfect local tool right everybody's using Excel Avenues Excel across my career I've learned a lot of things but Excel is has always been there so and imagine and and think just how many jobs are fully focused on Excel are empowered by Excel what uh what low code is trying to do is basically bring you the next generation of Excel and when you look at child one of the things that's obvious is that the
risks associated with these technologies that are enabling business users they have always been they've also been with us uh since forever so Excel had macros and macros are of course a problem until today and so this uh this is part of a trend and I itd centralization giving more power to the business so the people that actually move the business forward so what people what are people building so let's try and think kind of let's try to understand what are the types of things that these applications can be so they actually they can be whatever whatever people want them to be so a lot of them are these like if this then that automations so you do you take uh for
example every time you get an email you do something every time a file arrives on SharePoint you send it off to your private Google Drive these things are kind of the the number one scenario on top of that you'll find Integrations so one system can talk to another you'll find business applications that are facilitating a specific workflow so for example at Microsoft they built um their marketing team built an application that was that is used to to basically coordinate product launches so everything around product largest is built into this app built by the marketing team you can find all products that are that have been built with low code with professional development teams and of course mobile apps there's a lot
of them um now one thing that you could have at the in the back of your mind right now that would allow you to kind of try and escape this uh this talk unharmed is to think that this doesn't apply to you or that this doesn't apply to your organization uh so I'm sorry to be the one to uh to say this but uh you don't have a choice if you're using any of the top SAS platforms today the top Enterprise SAS platforms low code is being pushed in you don't get a choice nobody asks you if you have Salesforce if you have service now if you have Microsoft they are um in order to make
those platforms more useful to your business users the capabilities the automation the integration the application capabilities are being pushed into those platforms and you will get and you get some of them with the basic license that means that in most organizations it's already there I've actually never seen an organization and when we do this engagement a lot where we go where we go kind of partner with someone and we look at their environment and we try to see what's already there and they're like well yeah nobody's doing citizen development here we're we're a bank or something like that nobody will ever let business users build their own things well reality is different and so I really encourage you
to uh to think of this as something that will happen it's very similar uh kind of in nature to what we to the way that we had to handle a mobile or bring your own device where we had some time we thought that it might not reach the enterprise we were never allow bring your own device in this org well today everybody's doing it right because there's no other way so there's so it's really important for us to understand that this is already something that other business users uh have have the capability to use by the way this is a good thing it's not a bad thing it's it's allowing business users to actually produce more uh more value
to your organizations so a quick recap low code is available in every major organization we just saw this because these platforms are the platforms that hold your business data so imagine your office your Microsoft c65 your Salesforce then by definition it has access to business to business data and it is able to do business operations and also Powers business processes because business users are building it to facilitate their operations it runs as SAS and we all know that that it makes it challenging to to Monitor and to control and as most of us know I mean it's it's pretty underrated by ITN security teams the things that people the business users are building we're used to think about them as like as toys
as something that they use for their own personal use that's really not the reality today and we'll see and and one of the kind of largest things that happened in in the last couple of months of course with the introduction of things like church GPT into low code is that business apps have become even easier to build so today instead of kind of writing a prompt that will give you an answer you can write a prompt that will build an app this is actually available in Microsoft 65 today and so the number of apps of course only gets bigger all right so we we've gone through the kind of intersection one one last thing I want I want all of
us to make sure that we get correctly is this better all right I'm gonna lean in um okay so we went through the Intel but one thing that I want us to make sure is that we understand we have an intuitive understanding of what these applications are and I also want to make sure that you're convinced that everybody can build these applications so let me show you an example and hopefully this will work all right so yeah you probably maybe you'll see something in a moment but while this is working let me let me show what I'm actually building here so we're using slack in my company and there's this annoying thing about slack well if you
mention someone on a public channel uh then if somebody mentions you then they expect you to answer pretty quickly which is I mean this is kind of annoying so um but I've noticed that if you have this small icon next to your name that says that you're on a call then they'll find that they want they won't nudge you so here's the automation every time I get mentioned on slack I'm going to change my status as if I'm on a call so people won't bother me and five minutes later I'm going to change the status back to to free so nobody will will be will be suspicious and so this is this is a small automation that I'm
building and while I'm building it you can see that I'm I'm dragging and dropping I'm choosing I had to choose a specific account on slack that I'm going to use this is run this is this demo is actually uh showing you zapier so it's able to go to the slack API it's uh think about kind of the complexities of this application it needs to subscribe to webhook it needs to reach out to the API afterwards that five minute wait period means that there's some sort of state it needs to it needs to to wait right and you can see that while I'm building this I mean there's nothing sophisticated here and on on the on the
Builder side this takes me about two minutes to build this application and I want you to notice a couple of things one is that in no point in this while building this application do I need to provide access to uh to slack so how does this work right how does zapio connect to my to my slack account we'll see that in a moment and the other thing is think about the sdlc and compare it to what you're saying on screen right there's no sdlc here right I'm just building something and once I click save it will be deployed in production and by the way some platforms also uh auto save so any change that you make is
automatically being pushed and if you think about this as as uh for for a critical process then think about all of the things that you lose by not having an sdlc right there's no review there's no security gates they'll kind of forget about shift left okay so you just saw that I got kind of this little icon there I'm publishing this app that's it it's operational and now I'm kind of demoing that it works so again this was just a couple of minutes but you understand um just how powerful this application is so the number one thing that's important to us is the identity and actually before I created this application I've gone through a very small process which
is called created creating a connection so what is a connection a connection is basically a no of consent flow for slack in this case and you can see the regular of consent flow that's asking me for specific permissions I can choose a bunch of applications these platforms come built in with hundreds of different connectors and once I go through the OS consent flow I get this object created which is called the connection okay what's important about this connection it has this little shell button this is weird it's an oauth I went through an hour slow I granted consent for the appear to act on my behalf and then I can share that consent I can
share that that thing that connection that active connection with other users how does it work okay on one side we have zapier all power automate or any other automation platform this is not picking on a specific Vendo the entire industry is doing the same thing and I'll tell you in a moment why the other side you in the other side you have a rest apis by the way this can also be your on-prem your uh um your Cloud anything okay how does it work well essentially there's what they're doing there is that they are taking the refresh tokens out of the O of consent flow and then they are allowing you to share those refresh
tokens with other users okay think about what this means this is completely breaking the permission model completely breaking the oauth model because this is a user impersonation by Design the application is impersonating the user and you are impersonating the user when you share those connections with other users and so by installing these refresh tokens and then reusing them you are able to a uh kind of bypass any anything that I mean again your own personality in the user but also think about the productivity benefit no more asking for permissions you can build whatever app you'd like with your own permissions as long as you can do it as a user you can build an app that
automates it this is very different from your experience as a professional developer right as a developer you need to ask for permission you you have an application it has a service account or something like that not here I mean you can do it but in many cases you don't now because uh because you've seen the the large the chart of the kind of with so many applications and it's so easy to create those applications then you get a whole bunch of applications and these are just examples from the uh from kind of templates provided by the different vendors the important thing about this is the logos next to the names of these applications why are the logos important
because that means that there's an active connection to each one of these systems so when you have lots of different applications behind each application there is a trail of connections connections that can be shared connections that can be overused and so when you look at each one of these platforms what you'll typically find is some notion of a default environment somewhere where everybody can go into this platform they can create applications automations connections and they can share them with others now this sharing thing is one click away in some platforms in some cases it can be shared with the entire org by default and when I say the entire org I mean everybody for example everybody in your Azure ID
tenant so that include guests by the way or contractors and vendors so when you when you go into one of those platforms again they are basically providing you credential sharing as a service right which bypasses the entire security mechanism think about the stock trying to figure out what's the difference between an application using your refresh token and yourself I mean it's just it's very difficult now of course once we have that then you can see the first attack here which is just kind of privileged escalation this is this is basic so the end result here is that when I have a single account in your org again this can be a guest account as well and I go to each one of those
platforms there's a bunch of connections that are waiting for me to pick them up and use them you'll find FTP connections connecting connections to people's Outlook and teams you'll find uh connections to people's Cloud environment Azure and AWS and gcp so this is this is uh this is a lot now I don't know just using those connections other than just kind of getting those connections and being able to escalate your privileges you can also just use your those connections to actually get what you want so for example here's one answer well built with the with no code uh what you're seeing here is that I'm iterating or so I have a click I click a button
and then I'm iterating over a SharePoint site for each file in that SharePoint site I'm going to encrypt that file using a handy encrypted function provided by the platform right because there are valid business use cases to encrypt files and then I'm going to Simply override the file uh with the with the encrypted version so once over again using this using no code tools and just again think about all of the protections you have in your org targeting ransomware they won't really find this and and we'll go in and we'll talk about uh and and we'll see in a moment how this goes well beyond us here's another example this one is uh I think or in almost every organization
I've worked with I've seen this example in some formal or another uh we've tried to block business users from our users in general to you from using their own personal accounts in a in a work context I mean we're all guilty of that as well right everybody wants their calendar events in their in their personal Gmail there are solutions to do that you can you can use the DLP you can do something on the email server a bunch of things you can do but what if the business user creates an app that on one side connects to their to the corporate email on and on the other side with the separate connections connection connects connects
to their own Gmail account and simply copies the content the content is being copied on the SAS on the SAS or the sus vendors Cloud so no network security Appliance will help you there no monitoring will help you there the only thing you can do is look at the platform itself because it's the only one that's aware that this application even exists now you're seeing here an example of email exfiltration and again this is very common but we've seen this with other things as well so syncing up a Corporate Drive with a with a personal Drive we've seen cases where people by mistake I mean they build an application that other business users are starting
starting to use it's useful and it uses for example an Excel spreadsheet as a database but where is that Excel spreadsheet stored because as easily is you can plug in your corporate account you can plug in your personal account and that's it and the application is is the database behind the application is being stored in your personal account here's the thing that's kind of very non-trivial you can jump to uh actually to people's laptops through these platforms because there's a component of a version of local that's called RPA robotic process automation which is basically about emulating The Mouse and the keyboard the inputs by the user own users on the user's own machine and it's
a type of automation that used that's used for legacy systems that don't have a proper API now again try to distinct imagine a stock analyst trying to distinguish a bot that's doing that and a user that's doing that this is a bot that's running on a user context now these connections allow you to send a payload or in the world of a platform like a task form Cloud to somebody's laptop and run it on somebody's laptop and actually at less Devcon I showed how this exact capabilities by Microsoft can be used to create malware with no code and and bike and with completely trusted The Trusted services and executables this thing is packed into every Windows
11 machine right so if you have Windows 11 open it up search for Power automate you'll find it it's very it's trivial for for an attacker to subscribe to attach the power automate instance you have on your laptop to their own malicious cloud and from then on out they can send payloads to your uh to your machine through trusted channels facilitated by Microsoft so if you're looking for Network iocs this would be Microsoft domains if you're looking for executables this would be Microsoft executables right now again this is not picking on Microsoft this is a problem with this entire space well impersonating the user is kind of the mainstream all right so the one thing that is that one thing we
wanted to do in order to make it easier for you to check kind of your own status and also to play around with this uh is to give you a tool that you can you can work with so this is a tool that's available right now you can check it out on GitHub basically it's it's very simple it's using the zpl uh unofficial API to provide you with all of the connections that are available to a specific user so you give it a access to a specific user and it will show you all of the connections that this user can use and who's and who who created those connections and where they where are they leading we are working on similar
tools for other platforms as well so if you're interested uh start the repo you'll get the notifications all right so the next thing I want to do is a bit more sophisticated one of the up until now we will focused on on a scenario where these connections already exist but what if I want to entice the user to make user uh create those connections for us essentially here's the idea I'm going to build an application that's useful inside an org let's say I have I I have an account for somebody in inside and again could be a guest and then I want to get to the I don't know to the CEO I'm going to
create an application that the CEO would like to use and then once the application is using uh is running I can do whatever I want with the connections provided to me right and then I I will alongside doing the the thing that that is expected of this application to do I'm just going to steal the account so I'm going to continue to describe it while I while I do it so again you'll get a notion of just how easy it is but essentially what uh this thing is not new right an application uh when a user logs into an application the application can do whatever whatever it wants with with the permissions that the user has
provided right this is not new however this is the first time that somebody from HR can do it that a guest can do it that can anybody in the old can do it and more than that when these applications run they are not uh they are not telling the user hey here's the list of permissions we're going to use on your behalf they're telling them hey give me a connection to Outlook what do you think are the permissions behind that connection everything in Outlook right everything in teams everything in everywhere else so this specific application that I'm building right now I just took off a a random application from the marketplace this is an application for an out of office to
facilitate out of office so it will auto decline calendar events for you and so it needs access to to your email so what I'm doing here right now is just typing a single line of code that will use this connection to send an email on the person's behalf to my account saying I've been pawned now of course I've could I could have done lots of other things but the The crucial piece here is that there's no way for the user to know what I'm actually doing with their account because they're providing me with a connection which essentially is an asterisk of all of the permissions for that specific for that specific application now I've created this
application I'm publishing it you know it's difficult to see but if you can see the the URL what you'll spot is that this application is going to be hosted on a Microsoft domain so again this is creating an internal phishing campaign where all I need to do in order to get an application to get somebody's account is to get them to click on a link that is facilitated by Microsoft to log in with their own corporate account which is something they will be used to doing because they're using these kind of applications and then I will do whatever whatever I want with their connection all right then you can see that that once the once the user connects to it I
get the email that I've been pawned now one of the now the number one thing that is that the only constraint here in this entire kind of internal phishing campaign is this window when you when a user uses the app they get prompted with this window that is telling them hey this application is going to use these connections again notice that this is not the O of consent flow you're not seeing the permissions that I'm asking for you're just seeing the services all right so if I get rid of this of this window if this window doesn't exist I've reached a point where in order to create an internal where I can create an internal phishing campaign that requires
the user to click a link provided by Microsoft and that's it okay so this would be very bad right this shouldn't happen unfortunately it's an option provided by the platform so uh here's a there's actually a valid reason to do this so because business users could be used to using those applications and then you don't want to create headers for them to actually do it so some organizations are choosing to remove this this consent window which is of course very dangerous if your Microsoft job I strongly encourage you to make sure that this flag is off all right so we're done with the living of the land stuff uh the next thing I want to show you is persistency
and this is actually pretty interesting because what we're going to do is we're going to follow through footsteps of an apt group that used power automate Microsoft automation feature inside of office to remember persistent within an organization and basically what happened there the name of the of the organization wasn't disclosed but what happened there is that uh there were a few different malware families in in this organization so they knew they were breached they were looking for more infections and the investigative team took took about six months to find that this automation was actually active because of course they weren't looking inside of low code and what is actually Automation and and what happened is that
the attackers they were able to gain access to an admins account and then I mean the net logical step is typically kind of installing malware moving laterally through the network right so they didn't do all of that instead they created a single automation this automation ran on a schedule and every day it used the e-discovery feature form office to find secrets and pii inside of the organization and just send it off to random endpoint to a specific exploitation endpoint this simple automation was there for six months without everybody noticing anybody noticing because again how would you know this you don't have logs for this you don't know this is impersonating this is the person is in your user and
this is also not something you you would typically expect so let's try to rebuild this on our own here's a very kind of rudimentary version on record on recurrence I'm going to go to a specific SharePoint site I'm going to Loop through all of that uh the SharePoint site I'm going to encrypt each and every file uh dump them to a random HTTP endpoint and then tweet about it because why not I mean nobody will catch me okay so this is the this is actually what the attacker did but let's let's take it up uh kind of a few a few steps forward one thing that I want to to do is I want to have the capability to
actually run this whenever I want and I want this capability to be detached from the fact they still have a user to that organization so instead of doing this on a schedule I can create an HTTP webhook the nhtp endpoint that would allow you that every time I hit that endpoint this automation will run and these endpoints typically use some sort of a hardcoded string as their secret so you can connect to it for manual we don't have to be authenticated so again this is very this is very easy and this is a snapshot from different platform specifically okay so you see where I'm going with this I'm I'm going to try and create a
more sophisticated persistency mechanism so here's a laundry list of the all of the things that I would like to do so uh for for full persistency I would like to have the ability to run code remotely that's that's obvious I'd like to be able to run arbitrary pillows not just one payload that like you've seen a moment ago I'd like to be able to maintain access even if a user even if the user is revoked or deleted or whatever of course avoid detection avoid attribution and I want to leave no logs behind the question is well can I can I do this with with low code okay so this is the first version we've already seen this this is a this is
basically persistent a persistency mechanism this HTTP endpoint let's see what it covers and what it does doesn't cover so it does cover uh remote execution right I executed automotively this is a single payload so we we don't get arbitrary payloads uh I can maintain access you can see the well you might be able to see the URL with the hard-coded secretail it allows me to to actually go to this uh to this input and Trigger it avoiding detection this is somebody else's Cloud you don't get logs on this endpoint I mean unless you're very sophisticated and try to do something kind of uh well not not out of the box anyway avoiding attribution is easy because you
can just call this Ruto I mean nobody's blocking you there's nothing protecting there's typically nothing sophisticated product in this endpoint and no logs well not at all these platforms can generate a whole bunch of logs for each application for which uh for each execution of those automations this is actually a problem in and of itself because the the platforms can log actually the data that goes through these automations so let's see if we could do something better here's a second attempt so instead of having a an HTTP endpoint that's going to use one payload I'm just I I've created a bunch of payloads here you can see League SharePoint uh ransomware SharePoint executor SQL procedure
somewhere so you get a point I can do whatever I want here with this um but again I didn't really solve anything not the arbitrary pillows and not the logs so let's try and see how we can solve everything we wanted Now The crucial piece in order to do this would be something called uh the minute something which is the management features of those local platforms so if you have a local if you are trying to manage a local platform what would be the best technology for you to do it with well low code right so you can build low code applications to manage the local platforms themselves which would require this whole set of this this interface
which is about management of these applications. So specifically here I'm going to use the Power Automate Management connector, which allows me to create automations, delete automations, execute automations, etc. So here's a new tool I'm going to introduce to you today. What it's going to do is install a backdoor within an organization, within the Power Automate instance if they're using Microsoft, which is most organizations, and it will allow you to basically send every payload imaginable, execute it, and then leave no logs behind. Here's how it works: it installs a single HTTP endpoint. To that endpoint I'm going to send
the definition of the automation I'd like to build. So here's an automation, here's a JSON file I need to send with a lot of the details about this automation. What this tool is actually going to do is create the automation, run the automation, and then delete the automation along with all of the logs of that specific automation, right? It's going to do this one after the other. Of course the tool also provides some convenience mechanisms for you, so it will handle errors and a whole bunch of things that you don't need to worry about. So this is the final automation that this tool will install
on your target. And here's a nice Python script around it because, well, we hackers or red teamers usually prefer code to low code. So you can use this; again, it does what I just explained. It also allows you to continuously iterate through those existing connections, so if you'd like to use one of them you can do it. Now of course the idea behind this kind of project is just to give you the tools so you can show inside the organization just how risky this thing is and try to measure whether your
defenses will help you here. So this is a tool to help you calibrate your defenses and also get the mindshare that you need to invest in this space. All right, so in terms of our laundry list: remote execution, well, of course; arbitrary payload, I can send whatever automation I'd like here, so this is everything that can be done with Power Automate, and trust me that it's a pretty powerful platform; you can maintain access, of course, this is an HTTP endpoint; avoid detection and attribution, we've talked about it; and logs, the main problem here is that once I delete the automation the logs get deleted as well. So that
leaves it at that. Okay, so we've seen how, and again this went far beyond what the APT group actually did, but this was nothing sophisticated, right? Everything was very basic. All right, so the last type of attacks I'd like to show you today is attacks that require nothing from the get-go, because everything I've shared up until now required some sort of initial access into an enterprise: some account, could be a guest account, could be a low-privilege account, but it requires something. Now what can I do with no access at all? So this is the world of misconfiguration, and the number one
thing you can think of, which I talked about at the beginning of this talk, was the open S3 bucket on AWS, which we've tried to solve for many years now. So AWS has actually this year produced some capabilities that are actually helping with this, but even if the default is fine, if the default is not sharing the S3 bucket with everybody, people can still make mistakes, right? So we're going to see how this pops up again in low code. Let's start with Microsoft. Microsoft has a type of low-code application called Power Portals or Power Pages. This is a low-code application with the intention of
being available to everybody on the internet. This is simply a website, and you use this for example for contractors that are arriving physically, people that are outside of your organization: they can register, they can view resources. So some resources in these websites are for administrators only, for example, but some of them are for everyone. And so essentially this is a website; it has a managed SQL Server behind the scenes wrapped with an API. And this is how it looks: it's like a very rudimentary website. One of the key features that this
type of application creates for you is an API endpoint. You can spot it here: "portal", replace "portal" with your own portal name. This API endpoint is always created for your portals, and it allows you to use a REST API to query everything behind the application. Of course you should need to be authenticated, right, in order to use this API. However, there are cases where you want data to be available to anonymous users, so users just entering the website for the first time: you need them to be able to query images or something. So this needs to be a possibility, and so this endpoint is available to anonymous users as well.
All right, about a year and a half ago the team at UpGuard discovered that the default setting for Power Portals was for everything in the database to be available through this endpoint to anonymous users. Everything, everything that is administrative resources, everything. And this was the case for several years, by the way. I'm not sure that this is the case, but about six months later Microsoft did a rebranding of Power Portals to Power Pages with a high push on security, and they actually have done some work pretty quickly to change the default here and to help customers
identify these configurations. But still, of course, people make mistakes, so one of the things we wanted to see is how many of these mistakes can we find. And so here's our goal: we will try to find misconfigured portals that expose these endpoints. And this is a real example of the response that you get when you query this endpoint. You can see that this is basically a list of tables that I can query: default has nothing interesting, entity forms is just where form submissions are being saved, but global variables is an interesting one, right? And this is a real
example from a large financial services company in the US. Here's what you get from global variables: you get authentication tokens, bearer tokens, authentication to Azure APIs, credentials to Azure. And of course this again was available to everybody that queries the endpoint. This was of course disclosed and fixed. So we can see that there's a misconfiguration here. The other thing we need to see is, I mean, how do you find these things, how do you find these misconfigured portals? The problem is that it's very easy to find them because they are all on different
subdomains of the same Microsoft domain. So just a very basic subdomain enumeration; because this is Microsoft, I'm going to use Bing. Yeah, here's a quick subdomain enumeration for you. You can see how many portals there are that are hosted on this platform. So again, there's an easy way for a hacker to iterate through all of those different portals and to scan them for this misconfiguration. It's very rudimentary, and when we did something like that in order to find all of the different vulnerable applications and then disclose them to the vendors, we found a whole bunch of information. You
can see some of the types of data we found here, but there's more information in this link. Of course we reached out to everybody that was affected. Okay, let me show you another example. So here's an example with Zapier. Zapier runs automations, but these automations are stateless in nature, so you don't have any state that you can maintain. If you need state inside of your automation, there's a service they have called Storage by Zapier; it's basically a key-value storage. Okay, but the problem is that the secret behind it is a GUID, that's according to
the recommendation, it's a GUID; well, the key that you need to provide for this storage is a random GUID. However, when we looked at the actual docs of the API, what you'll see here is that in the examples there are secrets that are definitely not GUIDs, right? They are definitely not random, they're definitely not strong enough. And so we figured that, well, what the heck, let's try and see whether we can find keys that are not these random GUIDs. And bear in mind, the only thing you need to do in order to query this API, again, is to have that key; you don't need to be authenticated.
Okay, so let's just try, for example, 12345. We tried it and of course it worked. So you can see I have an example, I'll show them: here's the message where the secret is incorrect, so you get "the secret must be a valid uuid4". Okay, here's the message when it's correct: just a bunch of data. So we've got a bunch of information there, again authentication tokens, API keys, emails. We simply used an enumeration attack: we just went through a list of common passwords and iterated through them. And actually when we went to Zapier with this and talked to them about it,
what actually happened was that they initially didn't have any verification that the secret is actually a UUID4. Instead they just told the user, hey, it's your responsibility, right, please enter a good password. And so people used 12345 like the docs say, or they used "password" or whatever they used. And this was the case for several years until someone found it and told Zapier about it, and Zapier's solution was to deal with every new secret out there, so today if you use this feature you have to use a UUID4. Well, but
what about old passwords? These are still there, and by the way they are still there today. So in some cases people have stopped using them, but this is a cleanup that is difficult to actually accomplish, and so this is an active problem. All right, here's a summary of what we've seen so far, and I have just one other thing to share with you today. So we've seen that low code is a big thing, and it's a big thing in every organization, and I strongly encourage you: don't go into the place where you think it might not be your problem, because you'll end up exactly where we ended up with bring
your own devices, solving it a few years too late. It's vastly underrated by security teams, and we actually don't have the right tools in our toolset to deal with this because we don't have the monitoring capabilities; there's no way to see, there's no way to do this manually. Business users are not security savvy, nor should they be. There's a huge challenge for us to address here, and we need to be proactive about it. Attackers are already taking advantage of this: we've seen a bunch of examples of living-off-the-land attacks, because these platforms operate as credential sharing as a service, they are basically the perfect place for a hacker to be in. And the
permissions you need in order to gain access to these platforms in organizations are pretty low. You've seen hiding inside of those platforms, persistency mechanisms; again, APTs have already used this. You've seen predictable misconfiguration; this is nothing new, we've seen this again and again with every important platform, this is just another one. And note that this is always about the platform saying that the choices are up to the user: the platform has created a secure platform, but the user has to choose a good password, the user has to choose the right permissions for their APIs. Of course, when it's easy to make mistakes, we make mistakes.
And you've seen a couple of tools that I've shared here today: one allows you to identify these overshared credentials in Zapier, the other one is installing the backdoor in Microsoft 365, which you can play around with. I also encourage you, if you're interested, to Google for "no code malware"; you'll find a tool that allows you to use RPA basically as malware for Windows 11. And now the last thing I'm going to finish with is actually defense. So what is the best way for us to approach it, how do we move forward? Okay, so there are a bunch
of recommendations here, but let me narrow it down for you. One thing that is pretty obvious is that if you don't know what you need to protect, you won't be able to protect it. So I know it's a difficult thing to say, but we need to inventory those applications, we need to know who builds them, we need to be able to have logs when something happens, we need to be able to actually investigate it, right? This requires work. We need to work with the teams that are building those platforms, managing those platforms; search for them within your organizations, you'll find them. We need to be part of the
conversation for low code. And one other thing to say about that is that these people, I mean at least the people that are managing those platforms, they are aware of the risks and they are afraid. They're afraid because they're alone and they don't have the security teams with them to guide them in that process. So be there to help them build it in a secure way, and they will appreciate it because they will be able to use the platform more robustly. Review those configurations inside of those platforms: these platforms are creating HTTP endpoints on your behalf, they are exposing business data, you need to be able to control this. There are two specific
configurations that I've shared in this talk that I strongly encourage you to look at: one is about connector usage and those open endpoints, all data and storage, and the other is the bypass consent flow for Microsoft. Check out this one, it's really important. The number one resource that would help you if you want to be the champion of low-code security within your organization is the OWASP Top 10. This is a project that is dedicated to low-code/no-code apps and the types of problems that happen when business users are building those apps. This is different from the traditional OWASP Top 10: it's focused on
business logic, what these applications are actually doing, and it will give you concrete examples of problems that were found across the industry, and also a language you can share with your business users and with your leaders to push this forward. That's everything I had, thank you very much.
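As an added example, not code from the talk, from Zapier or from any of the tools the speaker mentions, here is a Python check for the rule the talk says Zapier now enforces, that a Storage by Zapier secret must be a valid uuid4, run over a few constructed sample secrets of the kind the talk describes people using, so old keys can be triaged before cleanup. The sample values are made up for the demo.

```python
import re
import uuid

# Constructed sample secrets for the demo (not real Storage by Zapier keys):
# the kinds of values the talk says people used, next to a proper uuid4.
SAMPLE_SECRETS = [
    "12345",                                  # the value from the old docs example
    "password",                               # a common password
    "123e4567-e89b-12d3-a456-426614174000",   # well-formed UUID, but version 1
    str(uuid.uuid4()),                        # a freshly generated uuid4
]

# Version nibble pinned to '4', variant nibble pinned to 8/9/a/b (RFC 4122).
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$",
    re.IGNORECASE,
)


def is_uuid4(secret: str) -> bool:
    """Return True only for an RFC 4122 version-4 (random) UUID.

    The regex rejects anything that is not the canonical dashed form with the
    right version and variant bits, so a guessable string such as '12345' or a
    time-based uuid1 fails; uuid.UUID then confirms the value parses.
    """
    if not UUID4_RE.match(secret):
        return False
    try:
        parsed = uuid.UUID(secret)
    except ValueError:
        return False
    return parsed.version == 4


def classify_secrets(secrets):
    """Map each candidate secret to 'ok' or 'weak' for a cleanup report."""
    return {s: ("ok" if is_uuid4(s) else "weak") for s in secrets}


def new_storage_secret() -> str:
    """Generate a secret that satisfies the uuid4 rule the platform now enforces."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    for secret, verdict in classify_secrets(SAMPLE_SECRETS).items():
        print(f"{verdict:4s}  {secret}")
```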
You can route those logs to a storage account that is separate, and then if the automation gets deleted the logs won't get deleted, but it requires an action from your side, an administrative action; it doesn't come with the vanilla configuration. Yes, only if you use a connector that is, under the surface, using the Graph API, and then the new Graph API logging capabilities might help you. But no, all of the Power Platform APIs that are being used here, they are not logged, again not by default. Yes,
again, not by default. If you want this to be part of your own configuration, if you want your SOC to be able to monitor this, you need to be proactive.