From 470a130c16b16f13a72a94edfc6827b9ce00b224 Mon Sep 17 00:00:00 2001 From: Jacob H <99051071+Jacob-Ham@users.noreply.github.com> Date: Tue, 13 Jan 2026 12:29:34 -0600 Subject: [PATCH] Added AzCLI command for retrieving static web app secrets --- .../az-static-web-apps-privesc.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md index a6a056ed8..847a15fea 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md @@ -144,12 +144,19 @@ az rest --method put \ ### Microsoft.Web/staticSites/listSecrets/action -This permission allows to get the **API key deployment token** for the static app: +This permission allows to get the **API key deployment token** for the static app. + +Using az rest: ```bash az rest --method POST \ --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//listSecrets?api-version=2023-01-01" ``` +Using AzCLI: + +```bash +az staticwebapp secrets list --name --resource-group +``` Then, in order to **update an app using the token** you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future.
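Review bot: The new label "Using AzCLI:" above the `az staticwebapp secrets list` block is ambiguous, because the `az rest` call labelled just before it is also an Azure CLI command; naming both labels after the subcommand ("Using az rest:" and "Using az staticwebapp:") would keep them distinct. As shown here, `--name` and `--resource-group` are followed by no value or placeholder, so please check that placeholders for the app name and resource group are present and actually render on the page, in the same style as the `az rest` URL above. The section is headed `Microsoft.Web/staticSites/listSecrets/action` but does not say whether the added command needs only that permission, as the REST call does; one sentence stating that both commands perform the same operation would help readers who audit role assignments for this action. While the first line is being touched, "allows to get" could become "allows retrieving".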