Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Azure’s Weakest Link? How API Connections Spill Secrets - 1631

Haakon Holm Gulbrandsrud - Binary Security. Posted 11 Months Ago
  • Azure API connections allow for cloud-based access to an API behind a logged-in proxy. This lets the website avoid handling the OAuth dance for Slack and other types of apps. API connections have different roles, such as reader.
  • While reviewing one of the requests, the author noticed two fields: testLinks and testRequests. These were a generalized way to test the APIs to ensure they were functional. In the case of a credential change, this would be useful for the application and user to know.
  • The developer specifies the path of the request and the method to use. Unfortunately, this is too generic. This is just a proxy now! Any path can be specified, even if the role shouldn't have access to it. This is a case of a user being able to control information they shouldn't because the developer made it modular.
  • Using this, the reader could query more sensitive information than intended on data resources. Azure key vaults, SQL database queries, Jira information, and other extra data could be queried. From what I gathered, the user needs the reader's permission to do this. So, a privilege escalation in the same account but nothing more.
  • The response was funny to me. Initially, it was closed, but the author reopened the issue to get it approved. They reported these as two findings: one got paid out and the other was closed as a duplicate. Overall, good write-up!
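
The over-generic test request from the notes above, next to a hardened form, as an added example that is not from the original write-up or Azure's code. The connector, its registered test paths, the role names and the `backend` stand-in are all hypothetical and constructed for illustration:

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample data: the only checks this hypothetical connector registered.
REGISTERED_TESTS = {("GET", "/health"), ("GET", "/v1/whoami")}
ROLES_WITH_ACCESS = {"reader", "contributor", "owner"}


def backend(method, path):
    """Stand-in for the upstream API, called with the connection's stored credentials."""
    return f"{method} {path} (sent with stored credentials)"


def forward_generic(role, method, path):
    """The over-generic pattern: role is checked, but method and path are not."""
    if role not in ROLES_WITH_ACCESS:
        raise PermissionError("no role on this connection")
    return backend(method, path)


def canonical_path(path):
    """Reduce caller input to one canonical path or reject it."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        raise ValueError("only a bare path is accepted")
    decoded = unquote(parts.path)
    # A leftover '%' after one decode means double encoding; reject it outright.
    if not decoded.startswith("/") or "%" in decoded or "\\" in decoded:
        raise ValueError("path is not in canonical form")
    return posixpath.normpath(decoded)  # collapses "." and ".." segments


def forward_registered_only(role, method, path):
    """Hardened form: only (method, path) pairs the connector registered are sent."""
    if role not in ROLES_WITH_ACCESS:
        raise PermissionError("no role on this connection")
    request = (method.upper(), canonical_path(path))
    if request not in REGISTERED_TESTS:
        raise PermissionError(f"{request} is not a registered test request")
    return backend(*request)
```

The hardened handler compares the canonicalized request against the registered set, so traversal segments and encoded variants are resolved before the allowlist decision rather than after it.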