diff --git a/src/pentesting-cloud/azure-security/az-services/az-storage.md b/src/pentesting-cloud/azure-security/az-services/az-storage.md
index 42b9be4ce..71010057e 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-storage.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-storage.md
@@ -65,6 +65,30 @@ If "Allow Blob public access" is **enabled** (disabled by default), when creatin
 
 <figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfoetUnYBPWQpRrWNnnlbqWpl8Rdoaeg5uBrCVlvcNDlnKwQHjZe8nUb2SfPspBgbu-lCZLmUei-hFi_Jl2eKbaxUtBGTjdUSDmkrcwr90VZkmuMjk9tyh92p75btfyzGiUTa0-=s2048?key=m8TV59TrCFPlkiNnmhYx3aZt" alt=""><figcaption></figcaption></figure>
 
+### Static website (`$web`) exposure & leaked secrets
+
+- **Static websites** are served from the special `$web` container over a region-specific endpoint such as `https://<account>.z13.web.core.windows.net/`.
+- The `$web` container may report `publicAccess: null` via the blob API, but files are still reachable through the static site endpoint, so dropping config/IaC artifacts there can leak secrets.
+- Quick audit workflow:
+
+```bash
+# Identify storage accounts with static website hosting enabled
+az storage blob service-properties show --account-name <acc-name> --auth-mode login
+# Enumerate containers (including $web) and their public flags
+az storage container list --account-name <acc-name> --auth-mode login
+# List files served by the static site even when publicAccess is null
+az storage blob list --container-name '$web' --account-name <acc-name> --auth-mode login
+# Pull suspicious files directly (e.g., IaC tfvars containing secrets/SAS)
+az storage blob download -c '$web' --name iac/terraform.tfvars --file /dev/stdout --account-name <acc-name> --auth-mode login
+```
+
+- Inspect downloaded files for leaked **SAS tokens** or credentials. SAS params show scope and risk: `sv` (API version), `ss` (services like blob `b`), `srt` (resource types `s`/`c`/`o`), `sp` (permissions such as `r`/`l`/`a`/`c`/`w`/`d`/`x`), `se` (expiry), and `sig` (signature). A wide `sp` set plus far-future `se` indicates a long-lived bearer credential that enables read/list/write/delete until revoked.
+- Abuse a recovered SAS immediately, for example:
+
+```bash
+az storage blob list --account-name <acc-name> --container-name <target-container> --sas-token "<sv=...&ss=...&srt=...&sp=...&se=...&sig=...>"
+```
+
 ### Connect to Storage
 
 If you find any **storage** you can connect to you could use the tool [**Microsoft Azure Storage Explorer**](https://azure.microsoft.com/es-es/products/storage/storage-explorer/) to do so.
@@ -433,6 +457,7 @@ az-file-shares.md
 - [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview)
 - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
+- [Holiday Hack Challenge 2025 – Spare Key (Azure static website SAS leak)](https://0xdf.gitlab.io/holidayhack2025/act1/spare-key)
 
 {{#include ../../../banners/hacktricks-training.md}}