CAWASP Review

The market for cloud computing continues to grow worldwide, businesses are increasingly adopting theses solutions as they are affordable, flexible and scalable.
As security professionals, we have to keep up with the transformations of information technology. I didn’t want this to be a knowledge gap for me. So I decided I would learn about Azure security. The question is: Where do I start? (Spoiler alert: It’s not by reading Microsoft’s documentation).

My options were either a Microsoft’s certification, like AZ-500, which I don’t like because the exam is multiple choice and I prefer to learn hands-on. I also looked at Breaching the Cloud by Beau Bullock and Attacking and Defending Azure & M365 by Xintra, which seem to have great content, but are a bit expensive and don’t include a practical exam that demonstrate the acquired expertise, maybe I’ll consider enrolling in the future. That left me with Cloud Breach and Altered Security. I chose the latter option because my friends who had already enrolled in some of their courses gave positive feedback about the labs.

What is CAWASP?

Altered Security currently has 3 cloud based certifications:

• Certified Azure Web Application Security Professional (CAWASP)
• Certified Azure Red Team Professional (CARTP)
• Certified Azure Red Team Expert (CARTE).

The CARTP focuses more on red teaming: getting initial access, moving laterally and escalation of privileges within Azure Entra ID. On the other hand, CAWASP is more focused on the exploitation of Azure services integrated in web applications, like app registrations, function apps, key vaults, storage accounts, databases etc. Finally, for those with more experience, there’s CARTE, which consolidates everything into one package and adds a layer of evasion on top of it.

My current job role involves a lot of web application testing, so i thought the CAWASP certification would be more appropriate and have further carry over to my day-to-day functions.

In this course you’ll get a very good overview of the most common Azure Services.

You’ll learn:

• Applications Services
  • App Services
  • Function Apps
  • API Management
• Identity Services for Applications
  • App Registrations
  • Enterprise Apps
• Access Control
  • RBAC (Azure role-based access controls)
  • ABAC (Attribute Based Access Control)
  • Conditional Access Policies
• Authentication and Authorization
  • OAuth and OIDC
• Storage
  • Containers
  • Blobs
  • Files Shares
  • Tables
• Databases
  • CosmosDB
  • Azure SQL
• WAF
• Microsoft Graph API
• Microsoft Defender for Cloud

Pricing & Material

There are 3 purchase options for CAWASP: 30, 60 and 90 days lab access. These go for $299, $449 and $699, respectively. The materials you get is the same with these options, the only thing that changes is the lab access period.

The materials include:

• Video tutorials featuring Chirag Savla, where he explains and demonstrates the concepts
• Slides from videos in PDF format
• PowerShell code snippets used throughout the videos
• And most importantly, access to hands-on labs where you can practice what you’ve learned

Course Review

Chirag Savla starts the course by providing an overview of Azure fundamentals. From there he delves deeper into every concept, providing clear explanations on how each component works. After that, he demonstrates the exploitation of each service and how you can combine those vulnerabilities to achieve greater impact.
I think it’s important to note that Chirag has a very strong accent, which may make his explanations hard to understand, but you’ll have the course slides that you can review.
He’ll teach you how to do reconnaissance to discover Azure services, get initial access on a web application, further enumerate Azure components, move laterally and escalate privileges.

In my opinion, the initial foothold for the web applications in the demos was overly simplistic and unrealistic. The LFI, SSTI and file uploads RCE were fine, but the command injections were out of control. A command injection in a search functionality, really? Somebody was programming with a 🔨.
However, the focus of the course is not web application testing, it’s Azure security, so I don’t think it’s a big deal.

The course syllabus states that you don’t need any prior knowledge of Azure, and you don’t. Nonetheless, I would still recommend you to learn some Azure basic concepts and a bit of powershell. John Savill has a very comprehensive Youtube channel where he explains Azure concepts. You can check this playlist for the Azure fundamentals and this playlist for the powershell basics.

Labs

For the Lab access you receive an OpenVPN configuration file and credentials for a Windows Virtual Machine that is deployed for you and has access to the Azure environment. You’ll have access to the Attack Labs, which is an environment with 2 attack chains that are showcased in the course, and also to the Practice Labs, where you can deploy separate challenges that are demonstrated in the videos as well. This VM will have every tool needed to complete these challenges.

Personally I felt the connection to the VM was a bit slow, probably due to my screen resolution. You can always use your own VM and connect directly to the VPN.

To make the VPN full tunnel, you just need to add this line to the OpenVPN config file:

redirect-gateway def1

I had 2 issues with the labs. One of the Practice Labs challenge had a deployment problem and I was never able to complete it. The other issue was in the Attack Labs, where one configuration file had outdated credentials. This problem was quickly solved by contacting their support in the discord channel.

Apart from that, the labs were good and the environment architecture was well designed. The service misconfigurations in the Attack Labs were realist and fun to exploit.
The 30 days of lab access package was enough for me, but I really immersed myself during that month and spent as much time as I could in the labs. If you are a very busy person, might be better to consider the 60 day package.

Exam

The exam consists of a 24 hour challenge in which you have to compromise Azure services and get the final flag. After that, you have 48 hours to write a comprehensive report detailing every step. You can re-launch the exam lab and your exam VM. The VM comes completely vanilla, with nothing installed, so if you reset the lab, all the tools you have installed will ride off into the sunset.

For the most part, the Exam is pretty straight forwarded, there are no rabbit holes. However, I had problems with a minor but fulcral detail that is not taught in the course and is needed to pass the exam. Maybe it’s Altered’s way of testing your research capabilities.

Conclusion

This certification was a lot of fun. For the price, the value you get in this course is hard to beat. Azure is a whole new world of features that are super fun to exploit. Moreover, you’re learning how to abuse features, that means they are not patchable and will reappear again and again.

I tried to explore every attack vector in different ways and with different tools. I recommend you to do the same. Research to find some tools and put them in action in the labs. Try do it from Windows and from Linux. If something doesn’t work, troubleshoot it, figure out why and find a solution. That’s how I learn.

If you’re looking to get started with Azure and want to learn about real life attack vectors from the web application side of things, I’d definitely recommend giving this course a try.

You can get it from here.