Az - App Services

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

App Service Basic Information

Azure App Services enables developers to build, deploy, and scale web applications, mobile app backends, and APIs seamlessly. It supports multiple programming languages and integrates with various Azure tools and services for enhanced functionality and management.

Each app runs inside a sandbox but isolation depends upon App Service plans

Apps in Free and Shared tiers run on shared VMs
Apps in Standard and Premium tiers run on dedicated VMs

{% hint style="warning" %} Note that none of those isolations prevents other common web vulnerabilities (such as file upload, or injections). And if a management identity is used, it could be able to esalate privileges to them. {% endhint %}

Azure Function Apps

Basically Azure Function apps are a subset of Azure App Service in the web and if you go to the web console and list all the app services or execute az webapp list in az cli you will be able to see the Function apps also listed here.

Actually some of the security related features App services use (webapp in the az cli), are also used by Function apps.

Basic Authentication

When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically enables SCM and FTP for the application so it'll be possible to deploy the application using those technologies.
Moreover in order to connect to them, Azure provides an API that allows to get the username, password and URL to connect to the SCM and FTP servers.

Authentication: az webapp auth show --name lol --resource-group lol_group

SSH

Always On

Debugging

Enumeration

{% tabs %} {% tab title="az" %} {% code overflow="wrap" %}

# List webapps
az webapp list

## Less information
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"

# Get info about 1 app
az webapp show --name <name> --resource-group <res-group>

# Get instances of a webapp
az webapp list-instances --name <name> --resource-group <res-group>
## If you have enough perm you can go to the "consoleUrl" and access a shell inside the instance form the web

# Get configured Auth information
az webapp auth show --name <app-name> --resource-group <res-group>

# Get access restrictions of an app
az webapp config access-restriction show --name <name> --resource-group <res-group>

# Remove access restrictions
az webapp config access-restriction remove --resource-group <res-group> -n <name> --rule-name <rule-name>

# Get appsettings of an app
az webapp config appsettings list --name <name> --resource-group <res-group>

# Get backups of a webapp
az webapp config backup list --webapp-name <name> --resource-group <res-group>

# Get backups scheduled for a webapp
az webapp config backup show --webapp-name <name> --resource-group <res-group>  

# Get snapshots
az webapp config snapshot list --resource-group <res-group> -n <name>

# Restore snapshot
az webapp config snapshot restore -g <res-group> -n <name> --time 2018-12-11T23:34:16.8388367

# Get connection strings of a webapp
az webapp config connection-string list --name <name> --resource-group <res-group>

# Get used container by the app
az webapp config container show --name <name> --resource-group <res-group>

# Get storage account configurations of a webapp
az webapp config storage-account list --name <name> --resource-gl_group








# List all the functions
az functionapp list

# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
## This is using a container

# Get details about the source of the function code
az functionapp deployment source show \
  --name <app-name> \
  --resource-group <res-group>
## If error like "This is currently not supported."
## Then, this is probalby using a container

# Get more info if a container is being used
az functionapp config container show \
  --name <name> \
  --resource-group <res-group>
  
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>

# Check if a domain was assigned to a function app
az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>

# Get SSL certificates
az functionapp config ssl list --resource-group <res-group>

# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>

# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
  --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"

# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
## Python example
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
  
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"

{% endcode %} {% endtab %}

{% tab title="Az Powershell" %}

# Get App Services and Function Apps
Get-AzWebApp
# Get only App Services
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}

{% endtab %}

{% tab title="az get all" %} {% code overflow="wrap" %}

#!/bin/bash

# Get all App Service and Function Apps

# Define Azure subscription ID
azure_subscription="your_subscription_id"

# Log in to Azure
az login

# Select Azure subscription
az account set --subscription $azure_subscription

# Get all App Services in the specified subscription
list_app_services=$(az appservice list --query "[].{appServiceName: name, group: resourceGroup}" -o tsv)

# Iterate over each App Service
echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do
  # Get the type of the App Service
  service_type=$(az appservice show --name $appServiceName --resource-group $group --query "kind" -o tsv)

  # Check if it is a Function App and print its name
  if [ "$service_type" == "functionapp" ]; then
    echo "Function App Name: $appServiceName"
  fi
done

{% endcode %} {% endtab %} {% endtabs %}

Obtain credentials & get access to the webapp code

# Get connection strings that could contain credentials (with DBs for example)
az webapp config connection-string list --name <name> --resource-group <res-group>
## Check how to use the DBs connection strings in the SQL page

# Get credentials to access the code and DB credentials if configured.
az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>


# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>

# Access/Modify the code via git
git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'
## In my case the username was: $nameofthewebapp and the password some random chars
## If you change the code and do a push, the app is automatically redeployed

Privilege Escalation

{% content-ref url="../az-privilege-escalation/az-app-services-privesc.md" %} az-app-services-privesc.md {% endcontent-ref %}

References

https://learn.microsoft.com/en-in/azure/app-service/overview