Links

Az - Azure App Service & Function Apps

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

App Service Basic Information

From the docs: Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favourite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.
Each app runs inside a sandbox but isolation depends upon App Service plans
  • Apps in Free and Shared tiers run on shared VMs
  • Apps in Standard and Premium tiers run on dedicated VMs
Note that none of those isolations prevents other common web vulnerabilities (such as file upload, or injections). And if a management identity is used, it could be able to compromise its permissions.

Enumeration

az
Az Powershell
az get all
# List webapps
az webapp list
## Less information
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"
# Get access restrictions
az webapp config access-restriction show --resource-group <res-group> -n <name>
# Remove access restrictions
az webapp config access-restriction remove --resource-group <res-group> -n <name> --rule-name <rule-name>
# Get snapshots
az webapp config snapshot list --resource-group <res-group> -n <name>
# Restore snapshot
az webapp config snapshot restore -g <res-group> -n <name> --time 2018-12-11T23:34:16.8388367
# Restart webapp
az webapp restart --name <name> --resource-group <res-group>
# Get App Services and Function Apps
Get-AzWebApp
# Get only App Services
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
#!/bin/bash
# Get all App Service and Function Apps
# Define Azure subscription ID
azure_subscription="your_subscription_id"
# Log in to Azure
az login
# Select Azure subscription
az account set --subscription $azure_subscription
# Get all App Services in the specified subscription
list_app_services=$(az appservice list --query "[].{appServiceName: name, group: resourceGroup}" -o tsv)
# Iterate over each App Service
echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do
# Get the type of the App Service
service_type=$(az appservice show --name $appServiceName --resource-group $group --query "kind" -o tsv)
# Check if it is a Function App and print its name
if [ "$service_type" == "functionapp" ]; then
echo "Function App Name: $appServiceName"
fi
done

Obtain credentials & get access to the webapp code

# Get connection strings that could contain credentials (with DBs for example)
az webapp config connection-string list --name <name> --resource-group <res-group>
## Check how to use the DBs connection strings in the SQL page
# Get credentials to access the code and DB credentials if configured.
az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>
# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>
# Access/Modify the code via git
git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'
## In my case the username was: $nameofthewebapp and the password some random chars
## If you change the code and do a push, the app is automatically redeployed

Access to the Docker container with the webapp via ssh:

# Get ssh session
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
## If successfull you will get a message such as:
#Verifying if app is running....
#App is running. Trying to establish tunnel connection...
#Opening tunnel on port: 39895
#SSH is available { username: root, password: Docker! }
## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)
ssh [email protected] -p 39895

Function Apps Basic Information

Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.
In the Azure portal, integration between Azure Functions and Azure API Management is facilitated, allowing HTTP trigger function endpoints to be exposed as REST APIs. The APIs exposed in this manner are described using an OpenAPI definition, providing a standard, language-agnostic interface to RESTful APIs.
Function Apps support Managed Identities.
Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous". An attacker could try to access the anonymous allowed endpoints to bypass the restrictions and gain access to sensitive data or functionality.

Enumeration

# Get only Function Apps
Get-AzFunctionApp

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: