static web apps

This commit is contained in:
Carlos Polop
2025-02-22 17:12:53 +01:00
parent 7336c976ae
commit 77da1e58ca
7 changed files with 26 additions and 21 deletions

View File

@@ -44,7 +44,7 @@ az acr token create \
These permissions allow the user to **build and run an image** in the registry. This can be used to **execute code** in the container.
>[!WARNING]
> [!WARNING]
> However, the image will be executed in a **sandboxed environment** and **without access to the metadata service**. This means that the container will not have access to the **instance metadata** so this isn't really useful to escalate privileges
```bash
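Review bot: The only change in this hunk is the space in `> [!WARNING]`, which is the correct alert syntax, but the warning line it sits above still ends without a full stop ("...so this isn't really useful to escalate privileges"). Since the callout is being touched anyway, tidy that line too, e.g. "...so this isn't really useful for escalating privileges."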

View File

@@ -32,8 +32,8 @@ With this permission it's possible to **create a new authorization rule** with a
az servicebus namespace authorization-rule create --authorization-rule-name "myRule" --namespace-name mynamespacespdemo --resource-group Resource_Group_1 --rights Manage Listen Send
```
>[!WARNING]
>This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges.
> [!WARNING]
> This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges.
Moreover, with that command (and `Microsoft.ServiceBus/namespaces/authorizationRules/read`) if you perform this action through the Azure CLI, it's possible to update an existing authorization rule and give it more permissions (in case it was lacking some) with the following command:
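Review bot: Same marker fix as in the ACR file, but the rewritten warning keeps the awkward phrase "doesn't respond with the keys"; suggest "doesn't return the keys in its output, so you need to get them with the previous commands (and permissions) in order to escalate privileges." so the callout reads cleanly now that it is being changed.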
@@ -75,8 +75,8 @@ az servicebus topic authorization-rule create --resource-group <res-group> --nam
az servicebus queue authorization-rule create --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name> --rights Manage Listen Send
```
>[!WARNING]
>This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges.
> [!WARNING]
> This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges.
Moreover, with that command (and `Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/read`) if you perform this action through the Azure CLI, it's possible to update an existing authorization rule and give it more permissions (in case it was lacking some) with the following command:
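Review bot: This hunk repeats the namespace-level warning verbatim for the queue/topic rule; whatever wording is settled on for the first callout in this file should be applied here as well so the two warnings stay identical.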

View File

@@ -159,7 +159,7 @@ Then, in order to **update an app using the token** you could run the following
docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=<api-token> INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose
```
>[!WARNING]
> [!WARNING]
> Even if you have the token you won't be able to deploy the app if the **Deployment Authorization Policy** is set to **Github**. For using the token you will need the permission `Microsoft.Web/staticSites/write` to change the deployment method to use th APi token.
### Microsoft.Web/staticSites/write
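Review bot: The warning text directly under the changed marker still has two typos, "th APi token" should be "the API token" and "Github" should be "GitHub"; fix them in this hunk since the callout is already being edited.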

View File

@@ -258,7 +258,7 @@ az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-g
{{#endtab }}
{{#tab name="Az Powershell" }}
```powershell
```bash
Get-Command -Module Az.Functions
# Lists all Function Apps in the current subscription or in a specific resource group.
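Review bot: Good correction, the fence now matches the PowerShell content (`Get-Command -Module Az.Functions`). Note that the static web apps file later in this same commit changes its Az PowerShell tab fence in the opposite direction, from ```powershell to ```bash, so the commit is internally inconsistent on this point.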

View File

@@ -229,7 +229,7 @@ az logic integration-account assembly show \
{{#endtab }}
{{#tab name="Az Powershell" }}
```powershell
```bash
Get-Command -Module Az.LogicApp
# Retrieve details of an integration account

View File

@@ -100,7 +100,7 @@ az servicebus topic subscription show --resource-group <MyResourceGroup> --names
{{#endtab }}
{{#tab name="Az Powershell" }}
```powershell
```bash
Get-Command -Module Az.ServiceBus
# Retrieves details of a Service Bus namespace, including V2-specific features like additional metrics or configurations.

View File

@@ -35,7 +35,7 @@ az rest --method GET \
However, this **won't show the password in clear text**, just something like: `"password": "**********************"`.
### Routes & Roles
### Routes and Roles
Routes define **how incoming HTTP requests are handled** within a static web app. Configured in the **`staticwebapp.config.json`** file, they control URL rewriting, redirections, access restrictions, and role-based authorization, ensuring proper resource handling and security.
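Review bot: Renaming the heading from "Routes & Roles" to "Routes and Roles" changes the generated anchor; check for any intra-repo links pointing at the old `#routes--roles` style anchor and update them.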
@@ -60,6 +60,11 @@ Some example:
"route": "/admin",
"redirect": "/login",
"statusCode": 302
},
{
"route": "/google",
"redirect": "https://google.com",
"statusCode": 307
}
],
"navigationFallback": {
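Review bot: The new example route redirects to `https://google.com`; a reserved documentation domain such as `https://example.com` is preferable in sample config so the snippet does not point readers at a real third-party site. Also confirm that `307` is among the status codes accepted for `redirect` entries in `staticwebapp.config.json`, since the existing example above uses `302`.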
@@ -76,6 +81,10 @@ Note how it's possible to **protect a path with a role**, then, users will need
The staging URL has this format: `https://<app-subdomain>-<PR-num>.<region>.<res-of-app-domain>` like: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net`
### Snippets
It's possible to store HTML snippets inside a static web app that will be loaded inside the app. This can be used to **inject malicious code** into the app, like a **JS code to steal credentials**, a **keylogger**... More info in the privleges escalation section.
### Managed Identities
Azure Static Web Apps can be configured to use **managed identities**, however, as mentioned in [this FAQ](https://learn.microsoft.com/en-gb/azure/static-web-apps/faq#does-static-web-apps-support-managed-identity-) they are only supported to **extract secrets from Azure Key Vault for authentication purposes, not to access other Azure resources**.
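Review bot: Typo in the added Snippets paragraph: "privleges escalation section" should be "privilege escalation section". Linking that phrase to the actual section would also help, since the paragraph defers the details there.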
@@ -84,9 +93,8 @@ For more info you can find an Azure guide use a vault secret in a static app in
## Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# List Static Webapps
az staticwebapp list --output table
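Review bot: The GitBook-to-mdBook conversion drops `{% code overflow="wrap" %}` without any replacement; the `az rest --method POST` and `az staticwebapp` lines in this tab are long, so confirm the mdBook theme wraps long lines in code blocks, otherwise these commands will require horizontal scrolling.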
@@ -118,12 +126,10 @@ az rest --method POST \
# Check connected backends
az staticwebapp backends show --name <name> --resource-group <res-group>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
```powershell
{{#tab name="Az Powershell" }}
```bash
Get-Command -Module Az.Websites
# Retrieves details of a specific Static Web App in the specified resource group.
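Review bot: The PowerShell tab's fence is changed from ```powershell to ```bash here, which is the opposite of the fix applied to the Functions, Logic Apps and Service Bus files in this commit and mislabels `Get-Command -Module Az.Websites`; keep ```powershell. The tab name also changes casing from "Az PowerShell" to "Az Powershell"; the product name is "Az PowerShell", so either keep the original casing or make all tabs consistent.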
@@ -166,9 +172,8 @@ Get-AzStaticWebAppUser -ResourceGroupName <ResourceGroupName> -Name <Name> -Auth
Get-AzStaticWebAppUserProvidedFunctionApp -ResourceGroupName <ResourceGroupName> -Name <Name>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
## Examples to generate Web Apps