gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 21:23:07 -08:00
Code Issues Packages Projects Releases Wiki Activity

improvements

Browse Source
This commit is contained in:
Carlos Polop
2025-01-25 15:33:23 +01:00
parent 8f6514eed9
commit 416e7cf699
5 changed files with 211 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md
View File

@@ -146,6 +146,19 @@ new_azure_cli_bearer_tokens_for_graph_api = (
pprint(new_azure_cli_bearer_tokens_for_graph_api)
```
### Other access token fields
- **appid**: Application ID used to generate the token
- **appidacr**: The Application Authentication Context Class Reference indicates how the client was authenticated, for a public client the value is 0, and if a client secret is used the value is 1
- **acr**: The Authentication Context Class Reference claim is "0" when the end-user authentication did not meet the requirements of ISO/IEC 29115.
- **amr**: The Authentication method indicates how the token was authenticated. A value of “pwd” indicates that a password was used.
- **groups**: Indicates the groups where the principal is a member.
- **iss**: The issues identifies the security token service (STS) that generated the token. e.g. https://sts.windows.net/fdd066e1-ee37-49bc-b08f-d0e152119b04/ (the uuid is the tenant ID)
- **oid**: The object ID of the principal
- **tid**: Tenant ID
- **iat, nbf, exp**: Issued at (when it was issued), Not before (cannot be used before this time, usually same value as iat), Expiration time.
## FOCI Tokens Privilege Escalation
Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
@@ -198,6 +211,7 @@ pprint(microsoft_office_bearer_tokens_for_graph_api)
## References
- [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
- [https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-token-and-claims.md](https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-token-and-claims.md)
{{#include ../../../banners/hacktricks-training.md}}