From 4e491e3f555f47f0c3e5bb6374ede8eef36a502a Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Tue, 11 Feb 2025 00:28:34 +0100 Subject: [PATCH] fixes --- .../azure-security/az-basic-information/README.md | 4 ++-- .../az-oauth-apps-phishing.md | 9 ++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md index e426edd65..d387e2510 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/README.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md @@ -161,8 +161,8 @@ An **App Registration** is a configuration that allows an application to integra - **Do not allow user consent** - An administrator will be required for all apps. -- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)** - - All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization. +- **Allow user consent for apps from verified publishers, internal apps, and apps requesting only selected permissions (Recommended)** + - All users can consent apps requesting only permissions classified as "low impact", apps from verified publishers and apps registered in the tenant. - **Default** low impact permissions (although you need to accept to add them as low): - User.Read - sign in and read user profile - offline_access - maintain access to data that users have given it access to diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md index 371f4f291..f0bd65c4e 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md 
+++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md @@ -133,7 +133,14 @@ curl -X GET \ ### Phishing Post-Exploitation -Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use this permissions to perform those actions. +Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use these permissions to perform those actions. + +### Entra ID Applications Admin + +If you managed to compromise somehow an Entra ID principal that can manage Applications in Entra ID, and there are applications that are being used by users of the tenant. An admin would be able to **modify the permissions the app is requesting and add a new allowed redirect address to steal the tokens**. +- Note that it’s possible to **add redirect URIs** (no need to delete the real one) and then send a HTTP link using the attackers redirect URI so when the user follows the link the authentication occurs automatically and the attacker receives the token. +- It’s also possible to change the permissions the app asks for in order to get more permission from the users, but in that case the user will need to **accept again the prompt** (even if he was already logged in). +- To perform this attack the attacker **DOESN'T NEED** to control the application code as he could just send the link to login in the app to the user with the new URL in the **`redirect_uri`** parameter. ### Application Post Exploitation
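Review bot: in the README.md hunk, the rewritten second bullet drops the preposition: "All users can consent apps requesting only permissions classified as "low impact", apps from verified publishers and apps registered in the tenant." should read "All users can consent to apps requesting only permissions classified as "low impact", apps from verified publishers, and apps registered in the tenant." The serial comma also keeps it in step with the renamed option title on the line above, which already lists "verified publishers, internal apps, and apps requesting only selected permissions".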
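Review bot: in the az-oauth-apps-phishing.md hunk, the opening sentence of the new "Entra ID Applications Admin" section is an unfinished conditional: "If you managed to compromise somehow an Entra ID principal that can manage Applications in Entra ID, and there are applications that are being used by users of the tenant." has no main clause, and the following sentence restarts with "An admin would be able to". Merge them, e.g. "If you have compromised an Entra ID principal that can manage applications, and users of the tenant are already using some of those applications, that principal can modify the permissions the app requests and add a new allowed redirect URI to steal tokens." The bullets also need small fixes: "a HTTP link" (an HTTP link), "the attackers redirect URI" (the attacker's), "get more permission from the users" (more permissions), "accept again the prompt" (accept the consent prompt again), and "even if he was already logged in" (even if they were). Since the third bullet explains why the first one works (the attacker only needs to send the login link with the added `redirect_uri`, not control the app code), consider placing that bullet first.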