From 77da1e58ca7d20d91343b5b3fdfc1144b1795a36 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sat, 22 Feb 2025 17:12:53 +0100 Subject: [PATCH] static web apps --- .../az-container-registry-privesc.md | 2 +- .../az-servicebus-privesc.md | 8 ++--- .../az-static-web-apps-privesc.md | 2 +- .../az-services/az-function-apps.md | 2 +- .../az-services/az-logic-apps.md | 2 +- .../az-services/az-servicebus.md | 2 +- .../az-services/az-static-web-apps.md | 29 +++++++++++-------- 7 files changed, 26 insertions(+), 21 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md index 1aa68d8cc..8cccb5a8c 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md @@ -44,7 +44,7 @@ az acr token create \ These permissions allow the user to **build and run an image** in the registry. This can be used to **execute code** in the container. ->[!WARNING] +> [!WARNING] > However, the image will be executed in a **sandboxed environment** and **without access to the metadata service**. This means that the container will not have access to the **instance metadata** so this isn't really useful to escalate privileges ```bash diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md index bf730aaff..747d5ef88 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md 
@@ -32,8 +32,8 @@ With this permission it's possible to **create a new authorization rule** with a az servicebus namespace authorization-rule create --authorization-rule-name "myRule" --namespace-name mynamespacespdemo --resource-group Resource_Group_1 --rights Manage Listen Send ``` ->[!WARNING] ->This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges. +> [!WARNING] +> This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges. Moreover, with that command (and `Microsoft.ServiceBus/namespaces/authorizationRules/read`) if you perform this action through the Azure CLI, it's possible to update an existing authorization rule and give it more permissions (in case it was lacking some) with the following command: @@ -75,8 +75,8 @@ az servicebus topic authorization-rule create --resource-group --nam az servicebus queue authorization-rule create --resource-group --namespace-name --queue-name --name --rights Manage Listen Send ``` ->[!WARNING] ->This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges. +> [!WARNING] +> This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges. Moreover, with that command (and `Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/read`) if you perform this action through the Azure CLI, it's possible to update an existing authorization rule and give it more permissions (in case it was lacking some) with the following command: diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md index 799219ed9..920bb0824 100644 
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md @@ -159,7 +159,7 @@ Then, in order to **update an app using the token** you could run the following docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN= INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose ``` ->[!WARNING] +> [!WARNING] > Even if you have the token you won't be able to deploy the app if the **Deployment Authorization Policy** is set to **Github**. For using the token you will need the permission `Microsoft.Web/staticSites/write` to change the deployment method to use th APi token. ### Microsoft.Web/staticSites/write diff --git a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md index fe7bf8132..d8b3c2fea 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md @@ -258,7 +258,7 @@ az rest --url "https://management.azure.com//resourceGroups/ --names {{#endtab }} {{#tab name="Az Powershell" }} -```powershell +```bash Get-Command -Module Az.ServiceBus # Retrieves details of a Service Bus namespace, including V2-specific features like additional metrics or configurations. diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md index 60b6d6e32..39e6a9e41 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md 
@@ -35,7 +35,7 @@ az rest --method GET \ However, this **won't show the password in clear text**, just something like: `"password": "**********************"`. -### Routes & Roles +### Routes and Roles Routes define **how incoming HTTP requests are handled** within a static web app. Configured in the **`staticwebapp.config.json`** file, they control URL rewriting, redirections, access restrictions, and role-based authorization, ensuring proper resource handling and security. @@ -60,6 +60,11 @@ Some example: "route": "/admin", "redirect": "/login", "statusCode": 302 + }, + { + "route": "/google", + "redirect": "https://google.com", + "statusCode": 307 } ], "navigationFallback": { @@ -76,6 +81,10 @@ Note how it's possible to **protect a path with a role**, then, users will need The staging URL has this format: `https://-..` like: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net` +### Snippets + +It's possible to store HTML snippets inside a static web app that will be loaded inside the app. This can be used to **inject malicious code** into the app, like a **JS code to steal credentials**, a **keylogger**... More info in the privleges escalation section. + ### Managed Identities Azure Static Web Apps can be configured to use **managed identities**, however, as mentioned in [this FAQ](https://learn.microsoft.com/en-gb/azure/static-web-apps/faq#does-static-web-apps-support-managed-identity-) they are only supported to **extract secrets from Azure Key Vault for authentication purposes, not to access other Azure resources**. @@ -84,9 +93,8 @@ For more info you can find an Azure guide use a vault secret in a static app in ## Enumeration -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az cli" }} ```bash # List Static Webapps az staticwebapp list --output table 
@@ -118,12 +126,10 @@ az rest --method POST \ # Check connected backends az staticwebapp backends show --name --resource-group ``` -{% endcode %} -{% endtab %} +{{#endtab }} -{% tab title="Az PowerShell" %} -{% code overflow="wrap" %} -```powershell +{{#tab name="Az Powershell" }} +```bash Get-Command -Module Az.Websites # Retrieves details of a specific Static Web App in the specified resource group. @@ -166,9 +172,8 @@ Get-AzStaticWebAppUser -ResourceGroupName -Name -Auth Get-AzStaticWebAppUserProvidedFunctionApp -ResourceGroupName -Name ``` -{% endcode %} -{% endtab %} -{% endtabs %} +{{#endtab }} +{{#endtabs }} ## Examples to generate Web Apps
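Review bot: in the az-static-web-apps-privesc.md hunk (`@@ -159,7 +159,7 @@`), the unchanged context line right after the retouched `> [!WARNING]` marker still reads "to change the deployment method to use th APi token"; since this hunk already edits that callout, fix the typo to "to use the API token" in the same change.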
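Review bot: in the az-function-apps.md hunk (`@@ -258,7 +258,7 @@`) the Az PowerShell tab's fence is changed from ```powershell to ```bash, but the block it opens (`Get-Command -Module Az.ServiceBus` and the cmdlets that follow) is PowerShell, so the new tag mislabels the language and gives wrong syntax highlighting. If the mdBook renderer has no `powershell` highlighter, pick a tag it supports that still identifies the language rather than `bash`; otherwise keep ```powershell. The tab title in the context line, `{{#tab name="Az Powershell" }}`, should also read "Az PowerShell", matching the product name and the `Az PowerShell` title this patch removes in az-static-web-apps.md.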
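Review bot: the `/google` route added to the staticwebapp.config.json example (`@@ -60,6 +60,11 @@` in az-static-web-apps.md) redirects to an absolute external URL with status 307, yet nothing in the surrounding text says what the entry is meant to illustrate. Add one sentence stating that `redirect` accepts external URLs as well as in-app paths, and what 307 changes compared with the 302 used by the `/admin` route just above it, so the reader understands why a second redirect example exists.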
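Review bot: the new Snippets paragraph (`@@ -76,6 +81,10 @@` in az-static-web-apps.md) has a typo, "privleges escalation section" should be "privilege escalation section", and that section lives in a different file (az-static-web-apps-privesc.md, also touched in this patch), so turn the bare reference into a link to that page. "Loaded inside the app" is also vague: state where the stored HTML ends up (which pages and position in the document) so a reader reviewing an app's configuration knows where to look for unexpected snippet content.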
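Review bot: the tab migration in az-static-web-apps.md (`@@ -84,9 +93,8 @@`) drops the `{% code overflow="wrap" %}` / `{% endcode %}` wrappers without an mdBook replacement; confirm the long one-line `az staticwebapp ...` and `az rest ...` commands in this block still render readably, or add the equivalent wrapping option the new renderer supports.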
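Review bot: in the `@@ -118,12 +126,10 @@` hunk of az-static-web-apps.md the tab title changes from `Az PowerShell` to `Az Powershell` and the fence from ```powershell to ```bash, although the block it opens (`Get-Command -Module Az.Websites`, `Get-AzStaticWebApp...`) is PowerShell. Keep the "PowerShell" capitalization and, unless the new renderer lacks a powershell highlighter, the ```powershell tag; the same fix applies to the matching change in az-function-apps.md so both files stay consistent.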