gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-31 23:15:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

add

Browse Source
This commit is contained in:
Carlos Polop
2025-03-28 11:45:16 +01:00
parent 413635f6ed
commit 8be8f721ca
3 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/pentesting-cloud/workspace-security/README.md
View File

@@ -50,6 +50,18 @@ If you have compromised some credentials or the session of the user check these
gws-persistence.md
{{#endref}}
## Context-Aware Access
- **Context-Aware Access**: This is a security feature that allows organizations to enforce access policies based on the context of the user, device, and location. It enables granular control over who can access specific application within Google Workspace, enhancing security by ensuring that only trusted users and devices can access sensitive data.
It requires specific **licenses to be able to use it.**
This service basically allows you to create **Context-Aware access levels** which allow to configure different conditions that must be met. Access-level conditions contain attributes you can select, such as device policy, IP subnet, or another access level.
Then, it's possible to **assign these access levels to apps**. It's possible to assign more than one access level to an app, and the user must meet all the conditions of all the access levels assigned to that app.
## Account Compromised Recovery
- Log out of all sessions

8
src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
View File

@@ -157,6 +157,14 @@ It's possible to do something using gcloud instead of the web console, check:
../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
{{#endref}}
#### OAuth app protections
By default it's configured that any user inside a Workspace organization **can accecpt any OAuth app with any permissions**, but it's possible to restrict those to only apps that only request basic info needed for Sign in with Google or to not allow any third-party apps.
Moreover, even not alowing to trust external third-party apps it's possible to allow to **trust any internal apps** (apps created inside the organization). This trust is configured by **default**.
<figure><img src="../../../images/workspace_oauth.png" alt=""><figcaption></figcaption></figure>
## References
- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic