Azure Logic Apps is a cloud-based service provided by Microsoft Azure that enables developers to create and run workflows that integrate various services, data sources, and applications. These workflows are designed to automate business processes, orchestrate tasks, and perform data integrations across different platforms.
Logic Apps provides a visual designer to create workflows with a wide range of pre-built connectors, which makes it easy to connect to and interact with various services, such as Office 365, Dynamics CRM, Salesforce, and many others. You can also create custom connectors for your specific needs.
Examples
Automating Data Pipelines: Logic Apps can automate data transfer and transformation processes in combination with Azure Data Factory. This is useful for creating scalable and reliable data pipelines that move and transform data between various data stores, like Azure SQL Database and Azure Blob Storage, aiding in analytics and business intelligence operations.
Integrating with Azure Functions: Logic Apps can work alongside Azure Functions to develop sophisticated, event-driven applications that scale as needed and integrate seamlessly with other Azure services. An example use case is using a Logic App to trigger an Azure Function in response to certain events, such as changes in an Azure Storage account, allowing for dynamic data processing.
Visualize a LogicAPP
It's possible to view a LogicApp with graphics:
or to check the code in the "Logic app code view" section.
SSRF Protection
Even if you find the Logic App vulnerable to SSRF, you won't be able to access the credentials from the metadata as Logic Apps doesn't allow that.
For example, something like this won't return the token:
# The URL belongs to a Logic App vulenrable to SSRFcurl -XPOST 'https://prod-44.westus.logic.azure.com:443/workflows/2d8de4be6e974123adf0b98159966644/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=_8_oqqsCXc0u2c7hNjtSZmT0uM4Xi3hktw6Uze0O34s' -d '{"url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"}' -H "Content-type: application/json" -v
Enumeration
# Listazlogicworkflowlist--resource-group<ResourceGroupName>--subscription<SubscriptionID>--outputtable# Get infoazlogicworkflowshow--name<LogicAppName>--resource-group<ResourceGroupName>--subscription<SubscriptionID># Get Logic App configaz logic workflow definition show --name <LogicAppName> --resource-group <ResourceGroupName> --subscription <SubscriptionID>
# Get service ppal usedaz logic workflow identity show --name <LogicAppName> --resource-group <ResourceGroupName> --subscription <SubscriptionID>
# ListGet-AzLogicApp-ResourceGroupName <ResourceGroupName># Get infoGet-AzLogicApp-ResourceGroupName <ResourceGroupName>-Name <LogicAppName># Get Logic App config(Get-AzLogicApp-ResourceGroupName <ResourceGroupName>-Name <LogicAppName>).Definition |ConvertTo-Json# Get service ppal used(Get-AzLogicApp-ResourceGroupName <ResourceGroupName>-Name <LogicAppName>).Identity
