Az Static Web Apps


Static Web Apps Basic Information

Azure Static Web Apps is a cloud service for hosting static web apps with automatic CI/CD from repositories such as GitHub. It provides global content distribution, serverless backends, and built-in HTTPS, making it scalable and secure by default. However, although the service is called "static", that does not mean it is completely secure. Risks include misconfigured CORS, insufficient authentication, and content tampering, which can expose apps to attacks such as XSS and data leaks if they are not managed properly.

Deployment Authentication

tip

When a Static Web App is created you can choose the deployment authorization policy between Deployment token and GitHub Actions workflow.

  • Deployment token: A token is generated and used to authenticate the deployment process. Anyone holding this token can deploy a new version of the app. A GitHub Action is automatically pushed to the repo, with the token stored as a secret, to deploy a new version of the app every time the repo is updated.
  • GitHub Actions workflow: In this case a very similar GitHub Action is also pushed to the repo and the token is also stored as a secret. However, this GitHub Action has one difference: it uses actions/github-script@v6 to obtain the repository's IDToken and uses it to deploy the app.
  • Even though in both cases the action Azure/static-web-apps-deploy@v1 is used with the token in the azure_static_web_apps_api_token param, in this second case a random token with the correct format such as 12345cbb198a77a092ff885781a62a15d51ef5e3654ca11234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345 is enough to deploy the app, because authentication is performed with the IDToken in the github_id_token param.

Web App Basic Authentication

It is possible to set a password to access the Web App. The web console allows configuring it to protect only the staging environments or both the staging and production environments.

This is what a password-protected web app looked like at the time of writing:

It is possible to check whether a password is in use and which environments are protected with:

```bash
az rest --method GET \
--url "/subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2024-04-01"
```

However, this will not show the password in clear text, but something like: "password": "**********************".

Routes and Roles

Routes define how incoming HTTP requests are handled within the static web app. Configured in the staticwebapp.config.json file, they control URL rewrites, redirects, access restrictions, and role-based permissions, ensuring effective resource management and security.

An example:

```json
{
  "routes": [
    {
      "route": "/",
      "rewrite": "/index.html"
    },
    {
      "route": "/about",
      "rewrite": "/about.html"
    },
    {
      "route": "/api/*",
      "allowedRoles": ["authenticated"]
    },
    {
      "route": "/admin",
      "redirect": "/login",
      "statusCode": 302
    },
    {
      "route": "/google",
      "redirect": "https://google.com",
      "statusCode": 307
    }
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/api/*", "/assets/*"]
  }
}
```

Note how it is possible to protect a route by role; users will then need to authenticate to the app and be granted that role in order to access the route. It is also possible to create invitations that grant specific roles to specific users logging in via EntraID, Facebook, GitHub, Google or Twitter, which can be useful for privilege escalation inside the app.
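A small audit of a staticwebapp.config.json in the shape shown above, added here as an example (it is not part of the original page): it reports sensitive paths that any caller reaches (no allowedRoles, or the built-in anonymous role), redirects that leave the app's origin, and sensitive prefixes no rule covers at all. The sample config and the `sensitive` prefix list are constructed for the demo.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the configuration above; not the page's own file.
SAMPLE_CONFIG = """
{
  "routes": [
    {"route": "/", "rewrite": "/index.html"},
    {"route": "/api/*", "allowedRoles": ["authenticated"]},
    {"route": "/admin", "redirect": "/login", "statusCode": 302},
    {"route": "/google", "redirect": "https://google.com", "statusCode": 307},
    {"route": "/internal/*", "allowedRoles": ["anonymous", "admin"]}
  ],
  "navigationFallback": {"rewrite": "/index.html", "exclude": ["/api/*", "/assets/*"]}
}
"""


def audit_routes(config_text, sensitive=("/api", "/admin", "/internal", "/reports")):
    """Return (route, finding) pairs for a staticwebapp.config.json document.

    `sensitive` is a hypothetical auditor-supplied list of path prefixes that
    must never be reachable without a role check.
    """
    sensitive = tuple(sensitive)
    cfg = json.loads(config_text)
    findings = []
    covered = set()
    for rule in cfg.get("routes", []):
        route = rule.get("route", "")
        roles = rule.get("allowedRoles") or []
        for prefix in sensitive:
            if route == prefix or route.startswith(prefix + "/"):
                covered.add(prefix)
        # No allowedRoles, or the built-in "anonymous" role listed, means any
        # caller is let through; a same-origin redirect (e.g. to /login) is fine.
        public = not roles or "anonymous" in roles
        if public and "redirect" not in rule and route.startswith(sensitive):
            findings.append((route, "reachable without authentication"))
        # A redirect target that carries a host sends the user off this origin.
        host = urlparse(rule.get("redirect", "")).netloc
        if host:
            findings.append((route, "redirects off-site to " + host))
    # Prefixes no rule mentions fall through to the default, role-less handling.
    for prefix in sensitive:
        if prefix not in covered:
            findings.append((prefix, "no route rule; served without role check"))
    return findings
```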

tip

Keep in mind that it is possible to create App settings so that changes to the staticwebapp.config.json file are not accepted. In that case, modifying the file from GitHub may not be enough; the settings in the App must be changed as well.

The staging URL has this format: https://<app-subdomain>-<PR-num>.<region>.<rest-of-app-domain>, for example: https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net

Snippets

It is possible to store HTML snippets inside the static web app that will be loaded into the app. This could be used to inject malicious code into the app, such as JS code to steal credentials, a keylogger... More information in the privilege escalation section.

Managed Identities

Azure Static Web Apps can be configured to use managed identities; however, as mentioned in this FAQ, they are only supported for retrieving secrets from Azure Key Vault for authentication purposes, not for accessing other Azure resources.

For more information, the Azure guide on using a vault secret in a static app is at https://learn.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets.

Enumeration

```bash
# List Static Webapps
az staticwebapp list --output table

# Get Static Webapp details
az staticwebapp show --name <name> --resource-group <res-group> --output table

# Get appsettings
az staticwebapp appsettings list --name <name>

# Get env information
az staticwebapp environment list --name <name>
az staticwebapp environment functions --name <name>

# Get API key
az staticwebapp secrets list --name <name>

# Get invited users
az staticwebapp users list --name <name>

# Get current snippets
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets?api-version=2022-03-01"

# Get database connections
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"

## Once you have the database connection name ("default" by default) you can get the connection string with the credentials
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections/default/show?api-version=2021-03-01"

# Check connected backends
az staticwebapp backends show --name <name> --resource-group <res-group>
```
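Added example (not from the original page) of triaging the output of the enumeration above: it derives the staging URL from the pattern given earlier and flags apps whose config file is not locked, whose staging previews are enabled, and whose basic-auth mode leaves production unprotected. The samples are constructed, and the field names `defaultHostname`, `allowConfigFileUpdates`, `stagingEnvironmentPolicy` and `applicableEnvironmentsMode` are assumptions about what `az staticwebapp list -o json` and the basicAuth call return.

```python
import json

# Constructed samples shaped like `az staticwebapp list -o json` and like the
# basicAuth response quoted above. Field names are assumptions about that output.
SAMPLE_APPS = json.loads("""[
  {"name": "trainingdemo", "resourceGroup": "rg1",
   "defaultHostname": "ambitious-plant-0f764e00f.4.azurestaticapps.net",
   "repositoryUrl": "https://github.com/example-org/example-repo",
   "allowConfigFileUpdates": true, "stagingEnvironmentPolicy": "Enabled"}
]""")
SAMPLE_BASIC_AUTH = json.loads(
    '{"properties": {"applicableEnvironmentsMode": "StagingEnvironments",'
    ' "password": "**********************"}}'
)


def staging_url(default_hostname, pr_number, region="eastus2"):
    """Build https://<app-subdomain>-<PR-num>.<region>.<rest-of-app-domain>.

    The region is not part of the default hostname, so it is passed in.
    """
    subdomain, rest = default_hostname.split(".", 1)
    return f"https://{subdomain}-{pr_number}.{region}.{rest}"


def triage(apps, basic_auth):
    """Return (app, finding) pairs worth a closer look after enumeration."""
    findings = []
    mode = basic_auth.get("properties", {}).get("applicableEnvironmentsMode", "")
    for app in apps:
        name = app["name"]
        # Config not locked: a push to the linked repo can rewrite routes and roles.
        if app.get("allowConfigFileUpdates", True):
            findings.append((name, "staticwebapp.config.json changes accepted from "
                             + app.get("repositoryUrl", "the linked repo")))
        # Staging enabled: every PR gets a preview at a predictable hostname.
        if app.get("stagingEnvironmentPolicy") == "Enabled":
            findings.append((name, "PR previews live at e.g. "
                             + staging_url(app["defaultHostname"], 2)))
        # Only "AllEnvironments" puts the password in front of production too.
        if mode != "AllEnvironments":
            findings.append((name, "production not password-protected (mode: "
                             + (mode or "none") + ")"))
    return findings
```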

Examples of creating Web Apps

You can find a good example of creating a web app at the following link: https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github

  1. Fork the repository https://github.com/staticwebdev/react-basic/generate into your GitHub account and name it my-first-static-web-app
  2. In the Azure portal, create a Static Web App choosing GitHub access and selecting the repository forked in the previous step
  3. Create it, wait a few minutes, and check your new page!

Privilege Escalation and Post Exploitation

All the information about privilege escalation and post exploitation in Azure Static Web Apps can be found at the following link:

Az - Static Web App Privesc
