From 18d1953edd0d933cd1ab32e8d9669414f21f490c Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sat, 4 Jan 2025 01:32:19 +0100 Subject: [PATCH] app services --- src/SUMMARY.md | 2 +- .../{az-app-service.md => az-app-services.md} | 49 ++++++++++++------- 2 files changed, 33 insertions(+), 18 deletions(-) rename src/pentesting-cloud/azure-security/az-services/{az-app-service.md => az-app-services.md} (81%) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index feae5163c..f14f299ff 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -408,7 +408,7 @@ - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md) - [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md) - [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md) - - [Az - Azure App Service & Function Apps](pentesting-cloud/azure-security/az-services/az-app-service.md) + - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) - [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md) diff --git a/src/pentesting-cloud/azure-security/az-services/az-app-service.md b/src/pentesting-cloud/azure-security/az-services/az-app-services.md similarity index 81% rename from src/pentesting-cloud/azure-security/az-services/az-app-service.md rename to src/pentesting-cloud/azure-security/az-services/az-app-services.md index 13b315086..80eb7fe71 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-app-service.md +++ b/src/pentesting-cloud/azure-security/az-services/az-app-services.md 
@@ -6,10 +6,11 @@ Azure App Services enables developers to **build, deploy, and scale web applications, mobile app backends, and APIs seamlessly**. It supports multiple programming languages and integrates with various Azure tools and services for enhanced functionality and management. -Each app runs inside a sandbox but isolation depends upon App Service plans +Each app runs inside a sandbox but isolation depends upon App Service plans: -- Apps in Free and Shared tiers run on shared VMs -- Apps in Standard and Premium tiers run on dedicated VMs +- Apps in Free and Shared tiers run on **shared VMs** +- Apps in Standard and Premium tiers run on **dedicated VMs shared only by apps** in the same App Service plan. +- The Isolated tiers run on **dedicated VMs on dedicated virtual networks**, improving the isolation of the apps. > [!WARNING] > Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **escalate privileges to them**. 
@@ -23,35 +24,44 @@ Apps have some interesting configurations: - **Web App + Database**: The web console allows to create an App with a database. In this case it's possible to select the database to use (SQLAzure, PostgreSQL, MySQL, MongoDB) and it also allows you to create an Azure Cache for Redis. - The URL containing the credentials for the database and Redis will be stored in the **appsettings**. - **Container**: It's possible to deploy a container to the App Service by indicating the URL of the container and the credentials to access it. +- **Mounts**: It's possible to create 5 mounts from Storage accounts being these Azure Blob (Read-Only) or Azure Files. The configuration will store the access key over the Storage Account. + ## Basic Authentication -When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically **enables SCM and FTP** for the application so it'll be possible to deploy the application using those technologies.\ -Moreover in order to connect to them, Azure provides an **API that allows to get the username, password and URL** to connect to the SCM and FTP servers. +When creating a web app (and a Azure function usually) it's possible to indicate if you want **Basic Authentication to be enabled** (disabled by default). This basically **enables SCM (Source Control Manager) and FTP (File Transfer Protocol)** for the application so it'll be possible to deploy the application using those technologies. +In order to access the SCM and the FTP servers, a **username and password** is required. Therefore, Azure provides some **APIs to get the URLs** to these platforms and the credentials. + +The **FTP server doesn’t have any special magic**, just with the valid URL, username and password it’s possible to connect and get read and write permissions over the App environment. 
+ +The SCM It's possible to connect to the SCM using a web browser in `https:///BasicAuth` and check all files and deployments in there. ### Kudu -Kudu is a **deployment engine and management platform for Azure App Service and Function Apps**, providing Git-based deployments, remote debugging, and file management capabilities for web applications. It's accessible through the SCM URL of the web app. +Kudu is the platform that **manages both the SCM and a web and API interface** to manage an App Service, and provides Git-based deployments, remote debugging, and file management capabilities. It's accessible through the SCM URL of defined in the web app. Note that the Kudu versions used by App Services and by Function Apps are different, being the version of the Function apps much more limited. Some interesting endpoints you can find in Kudu are: +- `/BasicAuth`: You need to access this path to **login inside Kudu**. - `/DebugConsole`: A console that allows you to execute commands in the environment where Kudu is running. - Note that this environment **doesn't have access** to the metadata service to get tokens. - `/webssh/host`: A web-based SSH client that allows you to connect inside the container where the app is running. - This environment **has access to the metadata service** in order to obtain tokens from the assigned managed identities. - `/Env`: Get information about the system, app settings, env variables, connection strings and HTTP headers. -- `/wwwroot/`: The root directory of the web app. You can dowload all the files from here. +- `/wwwroot/`: The root directory of the web app. You can download all the files from here. + +Moreover, Kudu used to by opensource in [https://github.com/projectkudu/kudu](https://github.com/projectkudu/kudu) but the project was deprecated and comparing the behavior of the current Kudu in Azure with the old one it's possible to see that **several things have already changed**. 
## Sources -App Services allow to upload the code as a zip file by default, but it also allows to connect to a third party servie and get the code from there. +App Services allow to upload the code as a zip file by default, but it also allows to connect to a third party service and get the code from there. - The currently supported third party sources are **Github** and **Bitbucket**. - You can get the authentication tokens running `az rest --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"` - - Azure by default will setuup a **Github Action** to deploy the code to the App Service every time the code is updated. + - Azure by default will setup a **Github Action** to deploy the code to the App Service every time the code is updated. - It's also possible to indicate a **remote git repository** (with username and password) to get the code from there. - You can get the credentials to the remote repo running `az webapp deployment source show --name --resource-group ` or `az rest --method POST --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"` - It's also possible to use an **Azure Repository**. 
@@ -71,20 +81,19 @@ Webjobs are very interesting from an attackers perspective as they could be used Moreover, it's always interesting to check the **logs** generated by the Webjobs as they could contain **sensitive information**. -### Slots +## Slots Azure App Service Slots are used to **deploy different versions of the application** to the same App Service. This allows developers to test new features or changes in a separate environment before deploying them to the production environment. -Moreover, it's possible to route a **percentage of the traffic** to a specific slot, which is useful for **A/B testing**, and for backdoor purposes. +Moreover, it's possible to route a **percentage of the traffic** to a specific slot, which is useful for A/B testing, and for **backdoor purposes**. -### Azure Function Apps +## Azure Function Apps -Basically **Azure Function apps are a subset of Azure App Service** in the web and if you go to the web console and list all the app services or execute `az webapp list` in az cli you will be able to **see the Function apps also listed here**. +Basically **Azure Function apps are a subset of Azure App Service** in the web console and if you go to the web console and list all the app services or execute `az webapp list` in az cli you will be able to **see the Function apps also listed in there**. -Actually some of the **security related features** App services use (`webapp` in the az cli), are **also used by Function apps**. +Therefore, both services actually have mostly the **same configurations, features and options in the az cli**, although they might configure them a bit differently (like default values of appsettings or the use of an Storage Account in the Function apps). - -### Enumeration +## Enumeration {{#tabs }} {{#tab name="az" }} 
@@ -144,7 +153,7 @@ az webapp traffic-routing show --name --resource-group --resource-group -# Get storage account configurations of a webapp +# Get storage account configurations of a webapp (contains access key) az webapp config storage-account list --name --resource-group # Get configured container (if any) in the webapp, it could contain credentials @@ -275,10 +284,16 @@ Like in the previous case, logging into the SCM portal or logging via FTP it's p > [!TIP] > Just connecting via FTP and modifying the file `output.tar.gz` and retriggering a deployment isn't enough to change the code executed by the webapp. +## Privilege Escalation + +{{#ref}} +../az-privilege-escalation/az-app-services-privesc.md +{{#endref}} ## References - [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview) +- [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans) {{#include ../../../banners/hacktricks-training.md}}
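Review bot: the SUMMARY.md hunk only repoints the sidebar entry, but renaming `az-app-service.md` to `az-app-services.md` will break any other page in the book that still carries a `{{#ref}}` to the old filename (the separate "Az - Function Apps" entry kept in the same hunk is the obvious candidate, since Function Apps were previously covered on this page). Please grep the repo for `az-app-service.md` and update those refs in this PR, or add a redirect, so the rendered book has no dead links.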
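Review bot: in the `@@ -6,10 +6,11 @@` hunk the Basic tier is missing from the dedicated-VM bullet, so the list as written implies Basic apps sit on shared VMs. The overview-hosting-plans page added to the references in this same patch puts Basic alongside Standard and Premium on dedicated VMs shared only within the plan; suggest `- Apps in Basic, Standard and Premium tiers run on **dedicated VMs shared only by apps** in the same App Service plan.` While touching that block, "if a **management identity** is used" in the warning should read "managed identity", which is the term the rest of the page and the Kudu `/webssh/host` bullet use.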
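Review bot: the `@@ -23,35 +24,44 @@` hunk introduces a broken sentence, "The SCM It's possible to connect to the SCM using a web browser in `https:///BasicAuth`", and the URL has lost its host placeholder; suggest "It's possible to connect to the SCM using a web browser at `https://<app>.scm.azurewebsites.net/BasicAuth` ..." (or whatever placeholder convention the page uses) so the reader knows where `/BasicAuth` lives. Same hunk, smaller points: "the SCM URL of defined in the web app" drops the "of", "Kudu used to by opensource" should be "used to be open source", and "a Azure function" should be "an Azure function". Two factual lines would benefit from a qualifier: "(disabled by default)" for Basic Authentication is true for some creation paths and not others, so state which one (portal vs. CLI/ARM) you observed; and "It's possible to create 5 mounts ... Azure Blob (Read-Only)" states a hard limit and an OS-dependent option (Blob mounts are a Linux app feature) without saying which OS or plan it applies to, so a short caveat or a link would keep it from being read as universal.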
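Review bot: in the `@@ -71,20 +81,19 @@` hunk the rewritten Function Apps sentence now says "a subset of Azure App Service in the web console and if you go to the web console", repeating "web console" and narrowing the claim to the portal even though the same sentence cites `az webapp list` as evidence; suggest dropping the first "in the web console". Also "the use of an Storage Account" should be "a Storage Account". Since this hunk promotes `### Slots`, `### Azure Function Apps` and `### Enumeration` to `##`, please confirm the Webjobs heading just above (outside the hunk) is already `##` so the section levels stay consistent.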
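Review bot: the `@@ -144,7 +153,7 @@` hunk adds "(contains access key)" to the storage-account comment; since the whole point for an attacker is harvesting that key, it is worth naming the output field to look for (`accessKey` in the JSON returned by `az webapp config storage-account list`) so the reader does not have to guess, matching the "Mounts" bullet added earlier in the patch that says the key is stored in the configuration.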
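Review bot: the `@@ -275,10 +284,16 @@` hunk adds a `{{#ref}}` to `../az-privilege-escalation/az-app-services-privesc.md`, but that file is neither added nor renamed in this patch and the SUMMARY.md hunk does not list it; please confirm it exists in the tree (or add it in this PR), otherwise the mdbook build will emit a broken ref on the published page.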