Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/

Translator
2025-01-05 22:57:50 +00:00
parent 2eeaf2b36c
commit 14ef0d8f5f
5 changed files with 301 additions and 30 deletions

# Az - Static Web Apps
{{#include ../../../banners/hacktricks-training.md}}
## Static Web Apps Basic Information
Azure Static Web Apps is a cloud service for hosting **static web apps with automatic CI/CD from repositories such as GitHub**. It provides global content delivery, serverless backends and built-in HTTPS, which makes it scalable and secure by default. The risks are mostly configuration ones: misconfigured CORS, missing or weak authentication on routes, and manipulation of the deployed content can expose an app to attacks such as XSS and data leaks if they are not managed properly.
> [!TIP]
> When a Static Web App is created, you can choose the **deployment authorization policy** between **Deployment token** and **GitHub Actions workflow**.
### Web App Authentication
It is possible to **configure a password** that is required to access the Web App. The web console lets you apply it to staging environments only, or to both the staging environments and the production environment.
This is what a password-protected web app looks like at the time of writing:
<figure><img src="../../../images/azure_static_password.png" alt=""><figcaption></figcaption></figure>
It is possible to check **whether a password is in use** and which environments it protects with:
```bash
az rest --method GET \
--url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2024-04-01"
```
However, this **won't show the password in clear text**: the response only contains a masked value such as `"password": "**********************"`, so the useful information here is whether a password is set at all and which environments (`applicableEnvironmentsMode`) it applies to.
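To turn that response into the answer that matters during an assessment (is the production hostname reachable without the password, or only the staging builds?), the following Python is an added example, not code from the original page or from Azure. It joins a constructed `basicAuth` response with a constructed `az staticwebapp environment list` output. The property names `applicableEnvironmentsMode` and `environments`, the mode values `AllEnvironments`, `StagingEnvironments` and `SpecifiedEnvironments`, and the rule that the production environment is the one whose `buildId` is `default`, are assumptions drawn from the ARM schema as I understand it; compare them against a live response before relying on the verdict.

```python
import json

# Constructed sample of the basicAuth GET response (not captured from a real tenant).
# Field names follow the Microsoft.Web/staticSites basicAuth ARM schema as I understand it;
# treat them as assumptions and diff against a live response.
SAMPLE_BASIC_AUTH = json.loads("""
{
  "name": "basicAuth",
  "type": "Microsoft.Web/staticSites/basicAuth",
  "properties": {
    "password": "**********************",
    "applicableEnvironmentsMode": "StagingEnvironments",
    "environments": []
  }
}
""")

# Constructed sample of `az staticwebapp environment list` output (hostnames are invented).
# Assumption: the production environment is the entry whose buildId is "default".
SAMPLE_ENVIRONMENTS = json.loads("""
[
  {"buildId": "default", "hostname": "happy-sea-0123.azurestaticapps.net", "sourceBranch": "main"},
  {"buildId": "12", "hostname": "happy-sea-0123-12.eastus2.azurestaticapps.net", "sourceBranch": "feature/login"}
]
""")

PRODUCTION_BUILD_ID = "default"


def basic_auth_summary(resp: dict) -> dict:
    """Reduce the basicAuth resource to what an assessor needs: is a password set, and where does it apply?"""
    props = resp.get("properties", {})
    mode = props.get("applicableEnvironmentsMode", "")
    # The API only ever returns a masked value, never the secret, so a non-empty string means "set".
    password_set = bool(props.get("password"))
    return {
        "password_set": password_set,
        "production_protected": password_set and mode == "AllEnvironments",
        "staging_protected": password_set and mode in ("AllEnvironments", "StagingEnvironments"),
        # Assumption: in SpecifiedEnvironments mode the list holds build IDs of the protected builds.
        "specified_environments": list(props.get("environments", [])) if mode == "SpecifiedEnvironments" else [],
    }


def unprotected_hosts(basic_auth_resp: dict, environments: list[dict]) -> list[str]:
    """Hostnames reachable without the password, found by joining the policy with the environment list."""
    summary = basic_auth_summary(basic_auth_resp)
    exposed = []
    for env in environments:
        if env.get("buildId") == PRODUCTION_BUILD_ID:
            protected = summary["production_protected"]
        else:
            protected = summary["staging_protected"] or env.get("buildId") in summary["specified_environments"]
        if not protected:
            exposed.append(env["hostname"])
    return exposed


if __name__ == "__main__":
    # With the sample policy only staging builds are protected, so production is listed as exposed.
    print(basic_auth_summary(SAMPLE_BASIC_AUTH))
    print(unprotected_hosts(SAMPLE_BASIC_AUTH, SAMPLE_ENVIRONMENTS))
```

Feed it the real JSON from the two `az` commands (`az rest ... config/basicAuth` and `az staticwebapp environment list -n <name> -o json`) instead of the constructed samples; a password that only covers staging builds still leaves the production hostname open, which is the common misreading of this setting.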
### Routes
Routes define **how incoming HTTP requests are handled** inside a static web application. Configured in the **`staticwebapp.config.json`** file, they control URL rewriting, redirects, access restrictions and role-based authorization; a route without an `allowedRoles` restriction is reachable by anonymous users, so this file is where most access-control mistakes live.
An example:
```json
{
"routes": [
{
"route": "/",
"rewrite": "/index.html"
},
{
"route": "/about",
"rewrite": "/about.html"
},
{
"route": "/api/*",
"allowedRoles": ["authenticated"]
},
{
"route": "/admin",
"redirect": "/login",
"statusCode": 302
}
],
"navigationFallback": {
"rewrite": "/index.html",
"exclude": ["/api/*", "/assets/*"]
}
}
```
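A quick way to reason about a config like this is to replay requests against it. The following Python is an added example (not the page's code and not the Static Web Apps router itself): it loads the config above, resolves a path for a given set of roles, and lists which routes carry no `allowedRoles` restriction. The routing model is a deliberate simplification and should be treated as an assumption rather than the service's exact behaviour: the first matching route wins, `*` is a trailing wildcard, `allowedRoles` defaults to `anonymous`, an anonymous caller lacking the role gets 401 and an authenticated one gets 403, and `navigationFallback` is skipped for paths matching an `exclude` pattern.

```python
import json
from fnmatch import fnmatchcase

# Constructed staticwebapp.config.json mirroring the example above (sample input, not a real app's config).
SAMPLE_CONFIG = json.loads("""
{
  "routes": [
    {"route": "/", "rewrite": "/index.html"},
    {"route": "/about", "rewrite": "/about.html"},
    {"route": "/api/*", "allowedRoles": ["authenticated"]},
    {"route": "/admin", "redirect": "/login", "statusCode": 302}
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/api/*", "/assets/*"]
  }
}
""")

# Every caller holds the built-in "anonymous" role; signed-in callers also hold "authenticated".
ANONYMOUS = {"anonymous"}
AUTHENTICATED = {"anonymous", "authenticated"}


def _matches(pattern: str, path: str) -> bool:
    # Assumption: route patterns are either exact paths or prefixes ending in "*";
    # fnmatchcase handles both forms used in the config.
    return fnmatchcase(path, pattern)


def evaluate_request(config: dict, path: str, roles: set[str]) -> dict:
    """Return what the simplified router does for `path` when the caller holds `roles`.

    Simplified model (assumption, see lead-in): first matching route wins; allowedRoles
    defaults to ["anonymous"]; a caller with none of the allowed roles gets 401 if anonymous,
    403 if authenticated; navigationFallback applies only when no route matched and the path
    is not covered by an exclude pattern.
    """
    for rule in config.get("routes", []):
        if not _matches(rule["route"], path):
            continue
        allowed = set(rule.get("allowedRoles", ["anonymous"]))
        if not (allowed & roles):
            status = 403 if "authenticated" in roles else 401
            return {"route": rule["route"], "status": status}
        if "redirect" in rule:
            return {"route": rule["route"], "status": rule.get("statusCode", 302), "location": rule["redirect"]}
        if "rewrite" in rule:
            return {"route": rule["route"], "status": 200, "serve": rule["rewrite"]}
        return {"route": rule["route"], "status": 200, "serve": path}

    fallback = config.get("navigationFallback")
    if fallback and not any(_matches(p, path) for p in fallback.get("exclude", [])):
        return {"route": None, "status": 200, "serve": fallback["rewrite"]}
    return {"route": None, "status": 404}


def unrestricted_routes(config: dict) -> list[str]:
    """Route patterns that carry no allowedRoles restriction, i.e. reachable by anonymous callers."""
    return [r["route"] for r in config.get("routes", [])
            if "anonymous" in r.get("allowedRoles", ["anonymous"])]


if __name__ == "__main__":
    for path, roles in [("/api/users", ANONYMOUS), ("/api/users", AUTHENTICATED),
                        ("/admin", ANONYMOUS), ("/whatever", ANONYMOUS), ("/assets/app.js", ANONYMOUS)]:
        print(path, sorted(roles), evaluate_request(SAMPLE_CONFIG, path, roles))
    print("anonymous-reachable routes:", unrestricted_routes(SAMPLE_CONFIG))
```

Note what the audit shows for the sample config: `/admin` has no `allowedRoles`, so the 302 to `/login` is applied to everyone and nothing in the file actually gates admin content; only `/api/*` is role-restricted. When reviewing a real `staticwebapp.config.json`, run the real file through `unrestricted_routes` first, then replay the sensitive paths with `ANONYMOUS`.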
## Enumeration
```bash
# List Static Webapps
az staticwebapp list --output table
# Get Static Webapp details
az staticwebapp show --name <name> --resource-group <res-group> --output table
# Get appsettings
az staticwebapp appsettings list --name <name>
# Get env information
az staticwebapp environment list --name <name>
az staticwebapp environment functions --name <name>
# Get API key
az staticwebapp secrets list --name <name>
# Get invited users
az staticwebapp users list --name <name>
# Get database connections
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"
# Once you have the database connection name ("default" by default) you can get the connection string with the credentials
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections/default/show?api-version=2021-03-01"
```
## Examples to generate Web Apps
You can find a good walkthrough for generating a web app at the following link: [https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github](https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github)
1. Fork the repository https://github.com/staticwebdev/react-basic/generate into your GitHub account and name it `my-first-static-web-app`
2. Create a Static Web App in the Azure portal, configuring GitHub access and selecting the newly forked repository
3. Create it, wait a few minutes, and visit your new page!
## Post Exploitation
{{#ref}}
../az-privilege-escalation/az-static-web-apps-post-exploitation.md
{{#endref}}
## References
- [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview)
- [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
{{#include ../../../banners/hacktricks-training.md}}