Az - Static Web Apps

Static Web Apps Basic Information

Azure Static Web Apps is a cloud service for hosting static web apps with automatic CI/CD from repositories like GitHub. It offers global content delivery, serverless backends, and built-in HTTPS, making it secure and scalable. However, even if the service is called "static", it doesn't mean it's completely safe. Risks include misconfigured CORS, insufficient authentication, and content tampering, which can expose apps to attacks like XSS and data leakage if not properly managed.

Deployment Authentication

• Deployment token: A token is generated and used to authenticate the deployment process. Anyone with this token is enough to deploy a new version of the app. A Github Action is deployed automatically in the repo with the token in a secret to deploy a new version of the app every time the repo is updated.
• GitHub Actions workflow: In this case a very similar Github Action is also deployed in the repo and the token is also stored in a secret. However, this Github Action has a difference, it uses the actions/github-script@v6 action to get the IDToken of repository and use it to deploy the app.
  • Even If in both cases the action Azure/static-web-apps-deploy@v1 is used with a token in the azure_static_web_apps_api_token param, in this second case a random token with a format valid like 12345cbb198a77a092ff885781a62a15d51ef5e3654ca11234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345 is just enough to deploy the app as the authorization is done with the IDToken in the github_id_token param.

Web App Basic Authentication

It's possible to configure a password to access the Web App. The web console allows to configure it to protect only staging environments or both staging and the production one.

This is how at the time of writing a password protected web app looks like:

It's possible to see if any password is being used and which environments are protected with:

az rest --method GET \
--url "/subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2024-04-01"

However, this won't show the password in clear text, just something like: "password": "**********************".

### Routes & Roles

Routes define how incoming HTTP requests are handled within a static web app. Configured in the staticwebapp.config.json file, they control URL rewriting, redirections, access restrictions, and role-based authorization, ensuring proper resource handling and security.

Some example:

{
  "routes": [
    {
      "route": "/",
      "rewrite": "/index.html"
    },
    {
      "route": "/about",
      "rewrite": "/about.html"
    },
    {
      "route": "/api/*",
      "allowedRoles": ["authenticated"]
    },
    {
      "route": "/admin",
      "redirect": "/login",
      "statusCode": 302
    }
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/api/*", "/assets/*"]
  }
}

Note how it's possible to protect a path with a role, then, users will need to authenticate to the app and be granted that role to access the path. It's also possible to create invitations granting specific roles to specific users login via EntraID, Facebook, GitHub, Google, Twitter which might be useful to escalate privileges within the app.

The staging URL has this format: https://<app-subdomain>-<PR-num>.<region>.<res-of-app-domain> like: https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net

Managed Identities

Azure Static Web Apps can be configured to use managed identities, however, as mentioned in this FAQ they are only supported to extract secrets from Azure Key Vault for authentication purposes, not to access other Azure resources.

For more info you can find an Azure guide use a vault secret in a static app in https://learn.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets.

Enumeration

# List Static Webapps
az staticwebapp list --output table

# Get Static Webapp details
az staticwebapp show --name <name> --resource-group <res-group> --output table

# Get appsettings
az staticwebapp appsettings list --name <name>

# Get env information
az staticwebapp environment list --name <name>
az staticwebapp environment functions --name <name>

# Get API key
az staticwebapp secrets list --name <name>

# Get invited users
az staticwebapp users list --name <name>

# Get database connections
az rest --method GET \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"

## Once you have the database connection name ("default" by default) you can get the connection string with the credentials
az rest --method POST \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections/default/show?api-version=2021-03-01"

# Check connected backends
az staticwebapp backends show --name <name> --resource-group <res-group>

Examples to generate Web Apps

You cna find a nice example to generate a web app in the following link: https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github

1. Fork the repository https://github.com/staticwebdev/react-basic/generate to your GitHub account and name it my-first-static-web-app
2. In the Azure portal create a Static Web App configuring the Github access and selecting th previously forked new repository
3. Create it, and wait some minutes, and check your new page!

Privilege Escalation and Post Exploitation

All the information about privilege escalation and post exploitation in Azure Static Web Apps can be found in the following link:

Az - Static Web App Privesc

References

• https://learn.microsoft.com/en-in/azure/app-service/overview
• https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans