Exploring Azure Logic Apps and Turning Misconfigurations into Attack Opportunities

Chirag Savla, Raunak Parmar

NorthSec 2025 · Day 2 · Salle de bal

Chirag Savla and Raunak Parmar of White Knight Labs methodically map the attack surface of Azure Logic Apps, Microsoft's low-code workflow automation service, demonstrating how Logic App Contributor permissions, exposed webhook URLs, misused managed identities, storage account misconfigurations, hardcoded credentials in assemblies, and inline code execution combine to create a path from initial access to cloud-wide compromise and cloud-to-on-premises lateral movement.

AI review

White Knight Labs offensive engineers systematically map the Azure Logic Apps attack surface. The Contributor role enables managed identity token theft and API connection hijacking; the Standard plan auto-provisions a storage account that exposes all workflow definitions and decompilable .NET assemblies; and inline code execution adds the ability to run arbitrary code. In a real engagement, a hardcoded service principal with accumulated RBAC drift led to full Azure and on-premises compromise.
