
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx

Initiator at Software initiator
Mar 23, 2023

  1. Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
  2. Data Privacy in Our On-Prem and Cloud Products Shlomi Ben-Hur March 2023 That’s Me
  3. Thank You
  4. Discussion Topics • Privacy – Key Terms & Concepts • Cloud-Focused Privacy • Product-Focused Privacy
  5. Why is Privacy SOOO Important?? MONEY!!!, Yes Money, as in.. and plenty of it Go to: https://www.enforcementtracker.com/
  6. Privacy – Key Terms & Concepts • GDPR – General Data Protection Regulation • CPRA – California Privacy Rights Act (formerly CCPA)
  7. Privacy – Key Terms & Concepts • Data Subject: “The identified or identifiable living individual to whom personal data relates.”
  8. Privacy – Key Terms & Concepts • PII – Personally Identifiable Information: “Any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”
  9. Privacy – Key Terms & Concepts • Data Controller: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  10. Privacy – Key Terms & Concepts • Data Processor: “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under their authority. In doing so, they serve the controller's interests rather than their own.”
  11. Privacy – Key Terms & Concepts • What GDPR & CPRA are all about: • From the OWASP Top 10 to the Privacy Top 12 (KPIs): 1. Security & Pseudonymization 2. Data Breach & Notification 3. Right To Be Forgotten 4. Right To Portability 5. Consent & Right To Withdraw 6. Notice 7. Profiling & User Behavior 8. Data Transfer 9. DPIA 10. Supply Chain Obligations 11. Liabilities 12. Transparency
  12. 12 Key Privacy Indicators (KPIs): Security & Pseudonymization, Data Breach & Notification, Right To Be Forgotten, Right To Portability, Consent & Right To Withdraw, Notice, Data Transfer, DPIA, Supply Chain Obligations, Liabilities, Transparency
  13. Cloud-Focused Privacy • Privacy 12 (KPI): 1. Security & Pseudonymization 2. Data Breach & Notification 3. Right To Be Forgotten 4. Right To Portability 5. Consent & Right To Withdraw 6. Notice 7. Profiling & User Behavior 8. Data Transfer 9. DPIA 10. Supply Chain Obligations 11. Liabilities 12. Transparency
  14. Cloud-Focused Privacy Image source: Lightspin
  15. Cloud-Focused Privacy Image source: Cyera Sensitive Data Discovery and classification Detect and Respond to Data Privacy Issues
  16. Cloud-Focused Privacy Image source:
  17. Cloud-Focused Privacy • Privacy 12 (KPI): 1. Security & Pseudonymization 2. Data Breach & Notification 3. Right To Be Forgotten 4. Right To Portability 5. Consent & Right To Withdraw 6. Notice 7. Profiling & User Behavior 8. Data Transfer 9. DPIA 10. Supply Chain Obligations 11. Liabilities 12. Transparency
  18. Product-Focused Privacy. Article/Provision: details the terms and requirements for data protection in “legalese” language that R&D will struggle to translate into clear guidelines. Technical Requirements (What/How/Where): detailed requirements for R&D to follow in order to comply with regulations. CCPA’s 21 legal provisions and 99 GDPR articles map to ~110 technical requirements. The Product Privacy Framework is built together with the organization’s Privacy Counsel!
  19. Product Privacy Framework
  20. Product Privacy Framework – Output to Customers
  21. Benefits of Product Privacy Framework • Clear requirements R&D can understand and implement • Easy to create the product’s gap analysis • Easy to create the R&D implementation plan • Measurable: KPIs shared with senior management • Ensures our customers’ trust [Chart: GDPR Technical Framework Maturity Level, Products A–D, 0–100%] [Chart: Product A – Maturity By Category, Desired vs Actual: Right to be forgotten, Portability, Notice, Liabilities, Transparency, Security]
  22. Ogres have layers. Well.. so does privacy: the cloud layer and the product layer
  23. Questions please, Thank You Shlomi Ben-Hur March 2023
  24. A vulnerability discovered by Pentera Labs research: XSS in Azure Functions – Pentera Labs™ Series – Uriel Gabay, Senior Security Researcher, 22/03/2023
  25. What if the cloud provider is vulnerable to XSS? XSS is the ability to inject JavaScript code into another origin’s context. It enables an attacker to: • Read cookies* • Read HTML objects • Read browser storage/DB for this website • Send requests on behalf of the infected user • Phishing
  26. Agenda • Understanding the attack surface • Browser security concepts explained • Vulnerability walkthrough • Mitigations
  27. Azure Functions - The attack surface. What is Azure Functions: part of the Azure services, a FaaS (Function-as-a-Service)
  28. Azure Functions - The attack surface. What is Azure Functions: part of the Azure services, a FaaS (Function-as-a-Service). Goal: infrastructure for building event-driven applications. Popularity: “Azure is in the top 3 most popular cloud service providers with 21% market share”, according to Synergy Research Group
  29. Browser security concepts explained. What is Origin? Defined as: protocol://domain:port. Example: http://google.com:80 != http://google.com:81
  30. Browser security concepts explained. Sandboxing: isolation of the data related to one origin from another. [Diagram: attacker.com, bank.com, client holding bank.com’s cookies]
  31. Browser security concepts explained. SOP (Same Origin Policy) • A policy enforced by the browser. It prevents one origin from sending a request directly to another. • This policy is enforced when the request is “unique”; it is enabled by default. 1. Client interacts with bank.com 2. bank.com sends the client a request – send a POST with JSON to api.bank.com 3. Client (browser) notices that bank.com isn’t the same origin as api.bank.com 4. Client sends a preflight request to api-bank.com 5. From the preflight the client can learn whether api-bank.com allows a request from bank.com. [Diagram: attacker.com, bank.com, client, api-bank.com; preflight example script]
  32. Browser security concepts explained. CORS (Cross-Origin Resource Sharing): the policy that defines which origins have permission to send unique requests. Preflight example script / CORS policy: Access-Control-Allow-Origin: api-bank.com Access-Control-Allow-Methods: POST, PUT, OPTIONS [Diagram: attacker.com, bank.com, client, api-bank.com]
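The preflight exchange from the two slides above, written out as an added example (not code from the Pentera talk or from any Azure component): the browser-side rule that decides whether a cross-origin request is sent directly or gets an OPTIONS preflight first, and the server-side decision api.bank.com makes when it answers that preflight. The allowlist, the origin names and the sample exchange are constructed; the safelist rules (methods GET/HEAD/POST, a content-type of application/x-www-form-urlencoded, multipart/form-data or text/plain) follow the Fetch standard, which is also why the deck's later "Research questions" slide can switch from application/json to a form encoding. It also shows the caveat a practitioner wants: a request that passes the safelist is delivered to the server without any preflight, and the SOP then only stops the calling page from reading the response, so an API must not treat "no preflight happened" as proof the caller was same-origin.

```python
# Added example, not code from the Pentera talk: which cross-origin requests
# the browser preflights, and how an API answers the preflight.
# Origins, allowlist and the sample exchange are constructed for illustration.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, headers: dict) -> bool:
    """True when the browser must send an OPTIONS request before the real one.
    Requests that return False are sent directly; the SOP then only blocks the
    page from *reading* the response unless CORS headers allow it."""
    if method.upper() not in SAFE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:
            return True  # e.g. Authorization or a custom X- header
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFE_CONTENT_TYPES:
                return True  # application/json is not safelisted
    return False


def handle_preflight(req_headers: dict, allowed_origins: set, allowed_methods: set) -> dict:
    """Server side of the exchange: answer an OPTIONS preflight.
    Returns the CORS response headers, or {} to deny (without an
    Access-Control-Allow-Origin header the browser drops the real request)."""
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method", "").upper()
    if origin not in allowed_origins or method not in allowed_methods:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # echo exactly one allowed origin, never "*" with credentials
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
        "Vary": "Origin",  # caches must not replay this answer to another origin
    }


def walk_through():
    """The slide's scenario: a page on bank.com posts JSON to api.bank.com."""
    allowed = {"https://bank.com"}          # constructed allowlist held by api.bank.com
    methods = {"POST", "PUT", "OPTIONS"}
    real_request = {"Content-Type": "application/json"}
    steps = []
    if needs_preflight("POST", real_request):
        steps.append("browser -> api.bank.com: OPTIONS /api  Origin: https://bank.com  "
                     "Access-Control-Request-Method: POST")
        reply = handle_preflight(
            {"Origin": "https://bank.com", "Access-Control-Request-Method": "POST"}, allowed, methods)
        steps.append(f"api.bank.com -> browser: {reply}")
        if reply:
            steps.append("browser -> api.bank.com: POST /api with the JSON body")
    return steps


if __name__ == "__main__":
    for line in walk_through():
        print(line)
    print("form post preflighted?", needs_preflight("POST", {"Content-Type": "application/x-www-form-urlencoded"}))
```

The echo-one-origin pattern in `handle_preflight` is the part to copy: reflecting whatever `Origin` arrives, or answering `*` on an endpoint that accepts cookies, turns CORS from a control into a bypass.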
  33. XSS vulnerabilities explained. 3 types of XSS vulnerabilities: 01 Persistent 02 DOM 03 Reflected
  34. Reflected XSS example [Diagram: client ↔ somewebsite.com, server-side code, steps 1–3] Example of reflected XSS:
  35. Reflected XSS vulnerability in Azure Functions. Description: the reflected XSS vulnerability found in functions.azure.com enables an attacker to run JavaScript code in the context of the legitimate Azure website.
  36. Reflected XSS vulnerability in Azure Functions – Vulnerability discovery process [screenshot]
  37. Reflected XSS vulnerability in Azure Functions – Vulnerability discovery process [screenshot]
  38. Reflected XSS vulnerability in Azure Functions – Vulnerability discovery process [screenshot]
  39. Reflected XSS vulnerability in Azure Functions – Vulnerability discovery process: Found a suspicious HTTP request → a URL parameter is returned by the server → the response content-type is text/html (a prerequisite for XSS) → XSS
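The reflected XSS example slide and the two prerequisites named here (a URL parameter echoed by the server, and a text/html response) as an added example, not Pentera's code and not the functions.azure.com code: a handler that reflects a constructed `search` parameter without encoding, the same handler with HTML encoding, and a variant that returns the value under application/json so the browser never renders it. The parameter name, the page markup and the `(status, headers, body)` return shape are assumptions made so the handlers run without a web framework.

```python
# Added example, not code from the talk: a reflected-XSS-prone handler beside
# two hardened variants. The "search" parameter and page layout are constructed.
import html
import json
from urllib.parse import parse_qs


def _query_param(query_string: str, name: str) -> str:
    """Return one query parameter from a raw query string, or '' when absent."""
    return parse_qs(query_string).get(name, [""])[0]


def vulnerable_handler(query_string: str):
    """Reflects the raw 'search' value into a text/html response.
    Both prerequisites from the discovery slide are present: user input
    comes back from the server, and the browser will parse it as HTML."""
    term = _query_param(query_string, "search")
    body = f"<h1>Results for {term}</h1>"  # no encoding: markup in `term` becomes part of the page
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def hardened_handler(query_string: str):
    """Same page, with the reflected value HTML-encoded so it is displayed as
    text instead of being parsed as markup (the first prerequisite removed)."""
    term = _query_param(query_string, "search")
    body = f"<h1>Results for {html.escape(term, quote=True)}</h1>"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def json_handler(query_string: str):
    """Returns the value under a non-HTML content type. The browser does not
    render application/json, so the echo alone is not XSS (the second
    prerequisite removed); this is what an API endpoint should do anyway."""
    term = _query_param(query_string, "search")
    return 200, {"Content-Type": "application/json"}, json.dumps({"search": term})


if __name__ == "__main__":
    sample = "search=%3Cb%3Ehello%3C%2Fb%3E"  # constructed input: <b>hello</b>, URL-encoded
    for handler in (vulnerable_handler, hardened_handler, json_handler):
        status, headers, body = handler(sample)
        print(f"{handler.__name__}: {headers['Content-Type']} -> {body}")
```

The two hardened variants fix different prerequisites; in practice a reviewer checks for both, because an endpoint that sets text/html while echoing input is exactly the pattern the discovery slide flags.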
  40. Research questions. Two limitations of a working XSS: • SOP is enabled by default due to the application/json content type • Redirect from the “attacker’s origin” context to the functions.azure.com origin. Solution: change the request format to the application/x-www-form-urlencoded content-type
  41. Vulnerability exploitation explained – End-to-end exploitation flow [Diagram: client, steps 1–4]
  42. Vulnerability exploitation explained – Phishing example: [screenshot]
  43. Mitigations. Using a network proxy or a security browser add-on: 1. Detect malicious content (JavaScript) being loaded 2. Detect communications to malicious domains * This is very difficult to detect because it is very hard to separate legitimate actions from malicious ones
  44. Questions
  45. Check out our blog for a more detailed explanation of the vulnerability or sign up for the Pentera Labs Newsletter at: pentera.io/pentera-labs Contact us • uriel.gabay@pentera.io
  46. Thank You. Questions?
  47. Surviving Ransomware in the Cloud
  48. About Me Name: Simon Bruno Occupation: Cybersecurity Engineer at Deepblue
  49. The Problem: Ransomware
  50. “Medibank also confirmed that the attackers even deleted some of this data”
  51. “some of our core systems have been damaged beyond repair or have been permanently deleted.”
  52. “Showing they had access to [..] backup server that contains tens of terabytes”
  53. “[The intruders] managed to also overwrite critical servers, data and backups of that data.”
  54. Imagine… Est. 1954
  55. One day…
  56. Lockbit
  57. In the News for the Wrong Reasons…
  58. Attack Impact
  59. Result
  60. State Law “Healthcare facilities must retain medical records for a minimum of five years beyond the date the patient was last seen” Oklahoma Dept. of Health Reg. Ch. 13, Section 13.13A
  61. How to Survive Ransomware?
  62. Getting Started 1. Do we have backups? 2. Are they immutable?
  63. Create Inventory 1. Interviews 2. Review documents 3. Review configurations
  64. Interviews Interview the following people to get a sense of what’s critical to the organization 1. Executives 2. Team leaders 3. Key persons 4. DevOps & IT
  65. Review Documents ● Confluence, Notion, Sharepoint ● Google Drive, M365 ● Jira, Monday, ServiceNow ● Search terms: backup, DR (Disaster Recovery), BIA (Business Impact Analysis), BCP (Business Continuity Planning)
  66. Review Configurations ● Backup systems ● Native backups: AWS/GCP/Azure
  67. Now that we have an inventory…
  68. Prioritize
  69. Remember when?
  70. Increasing Backup Coverage ● Create backups for unprotected systems
  71. Hardening ● Copy them off-site ● Restrict access ● Make them immutable
  72. What to start with [Diagram: Hardening vs Coverage]
  73. Secure Design Considerations
  74. Separate Backup Tenant - “Paranoid Mode” ● Completely separate from IT systems ○ Identities ○ Control ● New domain ● Limit access
  75. Air Gapped Environment [Diagram: Production | Backup, Production | Backup]
  76. Project Naming
  77. Monitor Your Backups ● Heartbeat ● Storage sizes ● Access
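The three monitoring signals on the slide (heartbeat, storage sizes, access) as an added example, not code from the talk: a check over backup-job records that raises an alert when a system's last successful backup is too old, when a copy is suddenly much smaller than the previous one, or when an identity other than the backup service produced a copy. The record layout, the thresholds, the `svc-backup` identity and the sample records are all constructed for illustration.

```python
# Added example, not from the talk: a check over backup-job records covering the
# slide's three signals. Record layout, thresholds, identities and sample data
# are constructed assumptions.
from datetime import datetime, timedelta

HEARTBEAT_MAX_AGE = timedelta(hours=26)  # a daily job plus some slack (assumption)
SIZE_DROP_RATIO = 0.5                     # alert when a copy is under half the previous one (assumption)
ALLOWED_WRITERS = {"svc-backup"}          # the only identity expected to produce backups (assumption)


def check_backups(records, now):
    """records: dicts with keys system, finished_at (datetime), size_bytes, actor.
    Returns a list of alert strings; an empty list means every system looks healthy."""
    alerts = []
    by_system = {}
    for r in sorted(records, key=lambda r: r["finished_at"]):
        by_system.setdefault(r["system"], []).append(r)

    for system, runs in by_system.items():
        last = runs[-1]
        # Heartbeat: a backup job that silently stops is the gap ransomware relies on.
        if now - last["finished_at"] > HEARTBEAT_MAX_AGE:
            alerts.append(f"{system}: no successful backup since {last['finished_at']:%Y-%m-%d %H:%M}")
        # Storage size: a sudden shrink suggests source data or earlier copies were wiped.
        if len(runs) >= 2:
            prev = runs[-2]
            if last["size_bytes"] < prev["size_bytes"] * SIZE_DROP_RATIO:
                alerts.append(f"{system}: backup size fell from {prev['size_bytes']} to {last['size_bytes']} bytes")
        # Access: anything other than the backup service writing copies is suspicious.
        for r in runs:
            if r["actor"] not in ALLOWED_WRITERS:
                alerts.append(f"{system}: backup written by unexpected identity {r['actor']}")
    return alerts


# Constructed sample: one healthy system, one stalled and shrinking, one touched by a human account.
SAMPLE_NOW = datetime(2023, 3, 21, 9, 0)
SAMPLE_RECORDS = [
    {"system": "erp", "finished_at": datetime(2023, 3, 20, 2, 0), "size_bytes": 500_000, "actor": "svc-backup"},
    {"system": "erp", "finished_at": datetime(2023, 3, 21, 2, 0), "size_bytes": 510_000, "actor": "svc-backup"},
    {"system": "crm", "finished_at": datetime(2023, 3, 19, 2, 0), "size_bytes": 200_000, "actor": "svc-backup"},
    {"system": "crm", "finished_at": datetime(2023, 3, 20, 2, 0), "size_bytes": 50_000, "actor": "svc-backup"},
    {"system": "hr", "finished_at": datetime(2023, 3, 21, 3, 0), "size_bytes": 80_000, "actor": "jdoe"},
]

if __name__ == "__main__":
    for line in check_backups(SAMPLE_RECORDS, SAMPLE_NOW):
        print("ALERT", line)
```

Run it from the separate backup tenant the slides recommend, not from production: if the monitor lives in the environment being attacked, its silence is indistinguishable from a healthy day.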
  78. Cost Optimization
  79. “[They] wrote that no backup of these data exists due to lack of funds allocated by Russia’s Ministry of Finance.”
  80. Retention Policies [Calendar: Sunday–Saturday, days 1–31] Daily → 7 day retention; Weekly → 1 month retention; Monthly → 3 month retention
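The daily/weekly/monthly schedule on the slide as an added example, not code from the talk: a function that says why a given copy is still kept, and a planner that splits a list of backup dates into keep and expire. Assumptions, since the slide gives only the three retention periods: the "weekly" copy is the Sunday backup (the slide's calendar starts on Sunday), the "monthly" copy is the first-of-month backup, "1 month" is read as 31 days and "3 months" as three calendar months; the sample backup dates are constructed.

```python
# Added example, not from the talk: the slide's retention schedule as code.
# Weekly = Sunday copy, monthly = first-of-month copy, 1 month = 31 days,
# 3 months = three calendar months: all assumptions, the slide only gives the periods.
from datetime import date, timedelta

DAILY_DAYS = 7
WEEKLY_DAYS = 31
MONTHLY_MONTHS = 3
SUNDAY = 6  # date.weekday(): Monday == 0


def months_between(older: date, newer: date) -> int:
    """Whole calendar months from `older` to `newer`, ignoring the day of month."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def retention_reason(backup_day: date, today: date):
    """Return 'daily', 'weekly' or 'monthly' for a copy that is still kept,
    or None once it has expired under the schedule."""
    age = (today - backup_day).days
    if age < 0:
        raise ValueError("backup dated in the future")
    if age < DAILY_DAYS:
        return "daily"
    if backup_day.weekday() == SUNDAY and age <= WEEKLY_DAYS:
        return "weekly"
    if backup_day.day == 1 and months_between(backup_day, today) <= MONTHLY_MONTHS:
        return "monthly"
    return None


def plan_retention(backups, today: date):
    """Split backup dates into (keep, expire), each sorted oldest first."""
    keep, expire = [], []
    for d in sorted(backups):
        (keep if retention_reason(d, today) else expire).append(d)
    return keep, expire


# Constructed sample: one copy per day from 1 Jan 2023 through 31 Mar 2023 (90 copies).
SAMPLE_BACKUPS = [date(2023, 1, 1) + timedelta(days=i) for i in range(90)]
SAMPLE_TODAY = date(2023, 3, 31)

if __name__ == "__main__":
    keep, expire = plan_retention(SAMPLE_BACKUPS, SAMPLE_TODAY)
    for d in keep:
        print(d, retention_reason(d, SAMPLE_TODAY))
    print(f"keep {len(keep)}, expire {len(expire)}")
```

The job that acts on the `expire` list is the one deletion the backup store should ever see, so it belongs to the backup tenant's own identity and runs against copies whose immutability window has already lapsed; a retention job that can delete anything at any time is the same capability a ransomware operator wants.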
  81. Storage Selection – US (multi-region), price per storage tier: $0.026/GB/Month, $0.010/GB/Month, $0.007/GB/Month, $0.0024/GB/Month
  82. Egress ● Keep backups within the same cloud provider ● Try to keep transfers within same region ○ EU to EU ○ US East to US East
  83. Summary
  84. Summary ● Effects of Ransomware ● How to start with a plan ● Design considerations You can reach me at: simon@deepblue.is
  85. Thank You! Questions?
  86. • Thank You! • Questions? • To be continued… Join Us: https://www.linkedin.com/company/application-security-virtual-meetups