Update az-front-door.md

This commit is contained in:
SirBroccoli
2025-10-23 14:05:23 +02:00
committed by GitHub
parent 123b37d1f3
commit 45b2e5e0a8

@@ -10,8 +10,6 @@ To bypass this rule automated tools can be used that **brute-force IP addresses*
This is mentioned in the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction). This is mentioned in the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction).
---
## Credential Skimming via WAF Custom Rules + Log Analytics ## Credential Skimming via WAF Custom Rules + Log Analytics
Abuse Azure Front Door (AFD) WAF Custom Rules in combination with Log Analytics to capture cleartext credentials (or other secrets) traversing the WAF. This is not a CVE; its misuse of legitimate features by anyone who can modify the WAF policy and read its logs. Abuse Azure Front Door (AFD) WAF Custom Rules in combination with Log Analytics to capture cleartext credentials (or other secrets) traversing the WAF. This is not a CVE; its misuse of legitimate features by anyone who can modify the WAF policy and read its logs.
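Review bot: The hunk header drops two lines (8 to 6) with no visible text change, and the paragraph ending in the Microsoft documentation link now sits directly above `---`. If the removed lines were the blank lines around the rule, Markdown will parse that paragraph plus `---` as a setext H2 heading rather than a paragraph followed by a horizontal rule, so keep a blank line before and after `---`. While this context is being touched, "its misuse of legitimate features" in the intro sentence should read "it is misuse of legitimate features".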
@@ -80,13 +78,10 @@ The matched values appear in details_matches_s and include the cleartext values
- An existing Azure Front Door instance. - An existing Azure Front Door instance.
- Permissions to edit the AFD WAF policy and read the associated Log Analytics workspace. - Permissions to edit the AFD WAF policy and read the associated Log Analytics workspace.
### Impact
- High risk: An operator with WAF/Log access can silently harvest secrets at the trusted TLS termination point.
## References ## References
- [https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass](https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass) - [https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass](https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass)
- [Skimming Credentials with Azure's Front Door WAF](https://trustedsec.com/blog/skimming-credentials-with-azures-front-door-waf) - [Skimming Credentials with Azure's Front Door WAF](https://trustedsec.com/blog/skimming-credentials-with-azures-front-door-waf)
- [Azure WAF on Front Door monitoring and logging](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor) - [Azure WAF on Front Door monitoring and logging](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}
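Review bot: Removing the `### Impact` heading and its `High risk` bullet leaves the Credential Skimming section with no statement of why the exposure matters, and the commit message "Update az-front-door.md" gives no reason for the deletion. The remaining prerequisites bullet still says which permissions are involved, but a reader assessing their own tenant loses the point that the capture happens at the trusted TLS termination point; consider keeping a one-line impact statement or noting in the commit message where that information now lives. Minor: the first entry under `## References` uses the bare URL as its link text while the other two use titles.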