GITBOOK-738: No subject

This commit is contained in:
SirBroccoli
2024-12-23 11:54:19 +00:00
committed by gitbook-bot
parent 909a3378c2
commit bb72ec46cd
2 changed files with 341 additions and 22 deletions

@@ -39,6 +39,8 @@ Moreover, whenever a new instance of the app needs to run, the **code of the app
This is very interesting from an attackers perspective as **write access over this bucket** will allow an attacker to **compromise the code and escalate privileges** to the managed identities inside the Function App.
{% endhint %}
It's also possible to find the **master and functions keys** stored in the storage account in the container **`azure-webjobs-secrets`** inside the folder **`<app-name>`** in the JSON files you can find inside.
### Networking
* It's possible to give access to a function to all Internet without requiring any authentication or give access IAM based
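Review bot: the new sentence starting "It's also possible to find the **master and functions keys**" does not say what level of access is needed to read them. The hint just above explains why *write* access over the bucket matters; make the complementary point explicit, that plain *read* access over the storage account is enough to obtain these JSON files, so the reader sees both as reasons the storage account must be protected as strictly as the Function App itself. A blank line between `{% endhint %}` and the new paragraph would also match the spacing used elsewhere in this file.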
@@ -56,12 +58,15 @@ it's possible to configure environment variables inside an app. Moreover, by def
Inside the sandbox the source code is located in **`/home/site/wwwroot`** in the file **`function_app.py`** (if python is used) the user running the code is **`app`** (without sudo permissions).
### **Managed Identities**
Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous".\
An attacker could try to access the **anonymous allowed endpoints** to bypass the restrictions and gain access to sensitive data or functionality.
Just like [**VMs**](vms/), Functions can have **Managed Identities** of 2 types: System assigned and User assigned.
The **system assigned** on will be a managed identity that **only the function** that has it assigned will be able to use, while the **user assigned** managed identities are managed identities that **any other Azure service will be able to use**.
{% hint style="info" %}
Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function.
{% endhint %}
## Access Keys
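Review bot: the two added lines starting "Moreover Function App might have certain endpoints that require a certain level of authentication" are inserted directly under the `### **Managed Identities**` heading, but they are about endpoint authorization levels ("admin" / "anonymous"), not identities, and they now separate the heading from the "Just like VMs, Functions can have Managed Identities" paragraph that belongs to it. Move them to the `### Networking` section, which already discusses exposing a function without authentication, and consider dropping the trailing `\` hard line break in favour of a normal paragraph break.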
@@ -98,8 +103,8 @@ az functionapp list
# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
# Get env variables (and privesc tot he sorage account)
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
# Check if a domain was assigned to a function app
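Review bot: the replacement comment line "# Get settings (and privesc to the sorage account)" fixes "tot he" but keeps the "sorage" typo; it should read "storage account". Since this comment is the only place that tells the reader why `az functionapp config appsettings list` matters, it would also help to name which setting in the output gives access to the storage account rather than leaving "privesc" unexplained.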
@@ -110,6 +115,18 @@ az functionapp config ssl list --resource-group <res-group>
# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
## Python example
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
{% endcode %}
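Review bot: the URL in the last `az rest --url` command is missing the `subscriptions/` path segment (`https://management.azure.com/<subscription>/resourceGroups/...`), whereas the earlier `az rest --method GET` command in the same hunk correctly uses `https://management.azure.com/subscriptions/<subscription>/resourceGroups/...`; as written the request will not resolve. Also, the `## Python example` curl line hard-codes a real-looking host `newfuncttest123.azurewebsites.net` while every other command uses placeholders; use `<app-name>.azurewebsites.net` for consistency, and consider a short comment explaining that the `admin/vfs` path is the VFS API reachable with the master key, since the reader is otherwise given three different ways to fetch the source with no indication of when each applies.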