This commit is contained in:
Carlos Polop
2025-02-11 00:28:34 +01:00
parent d13ebeaeb5
commit 4e491e3f55
2 changed files with 10 additions and 3 deletions

View File

@@ -161,8 +161,8 @@ An **App Registration** is a configuration that allows an application to integra
- **Do not allow user consent**
- An administrator will be required for all apps.
- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)**
- All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.
- **Allow user consent for apps from verified publishers, internal apps, and apps requesting only selected permissions (Recommended)**
- All users can consent apps requesting only permissions classified as "low impact", apps from verified publishers and apps registered in the tenant.
- **Default** low impact permissions (although you need to accept to add them as low):
- User.Read - sign in and read user profile
- offline_access - maintain access to data that users have given it access to
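Review bot: the reworded consent option drops a preposition; "All users can consent apps requesting only permissions classified as "low impact"" should read "All users can consent to apps requesting only permissions classified as "low impact"". The parenthetical on the "Default" line ("although you need to accept to add them as low") is ambiguous about who accepts what; if it means that an administrator must still explicitly classify these permissions as low impact before the option applies, say so directly, since that is the check a tenant admin will want to verify.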

View File

@@ -133,7 +133,14 @@ curl -X GET \
### Phishing Post-Exploitation
Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use this permissions to perform those actions.
Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use these permissions to perform those actions.
### Entra ID Applications Admin
If you managed to compromise somehow an Entra ID principal that can manage Applications in Entra ID, and there are applications that are being used by users of the tenant. An admin would be able to **modify the permissions the app is requesting and add a new allowed redirect address to steal the tokens**.
- Note that its possible to **add redirect URIs** (no need to delete the real one) and then send a HTTP link using the attackers redirect URI so when the user follows the link the authentication occurs automatically and the attacker receives the token.
- Its also possible to change the permissions the app asks for in order to get more permission from the users, but in that case the user will need to **accept again the prompt** (even if he was already logged in).
- To perform this attack the attacker **DOESN'T NEED** to control the application code as he could just send the link to login in the app to the user with the new URL in the **`redirect_uri`** parameter.
### Application Post Exploitation