Az - Static Web Apps


Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Static Web Apps Basic Information

Azure Static Web Apps is a cloud service for hosting static web apps with automatic CI/CD from repositories such as GitHub. It provides global content distribution, serverless backends and built-in HTTPS, which makes it secure and scalable. However, the fact that the service is called "static" does not mean it is safe by default. Risks include misconfigured CORS, improper authentication and content tampering, which can expose apps to attacks such as XSS and data leakage if they are not managed properly.

Deployment Authentication

When a Static Web App is created you can choose the deployment authorization policy between Deployment token and GitHub Actions workflow.

  • Deployment token: A token is generated and used to authenticate the deployment process. Anyone holding this token is able to deploy a new version of the app. A GitHub Action is automatically pushed to the repo with the token stored as a secret, so that a new version of the app is deployed every time the repo is updated.
  • GitHub Actions workflow: In this case a very similar GitHub Action is also pushed to the repo and the token is also stored as a secret. However, this GitHub Action has one difference: it uses the actions/github-script@v6 action to obtain the repository's IDToken and uses it to deploy the app.
  • Even though in both cases the Azure/static-web-apps-deploy@v1 action is used with the token in the azure_static_web_apps_api_token param, in this second case a random token with the correct format such as 12345cbb198a77a092ff885781a62a15d51ef5e3654ca11234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345 is enough to deploy the app, because authentication is performed with the IDToken passed in the github_id_token param.

Web App Basic Authentication

It is possible to set a password to access the Web App. The web console allows configuring it to protect only the staging environments or both the staging and production environments.

This is how a password-protected web app looks at the time of writing:

It is possible to check whether a password is in use and which environments are protected with:

```bash
az rest --method GET \
--url "/subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2024-04-01"
```

However, this will not show the password in clear text but something like: "password": "**********************".

Routes & Roles

Routes define how incoming HTTP requests are handled within a static web app. Configured in the staticwebapp.config.json file, they control URL rewriting, redirects, access restrictions and role-based authorization, providing proper resource management and security.

Some examples:

```json
{
  "routes": [
    {
      "route": "/",
      "rewrite": "/index.html"
    },
    {
      "route": "/about",
      "rewrite": "/about.html"
    },
    {
      "route": "/api/*",
      "allowedRoles": ["authenticated"]
    },
    {
      "route": "/admin",
      "redirect": "/login",
      "statusCode": 302
    }
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/api/*", "/assets/*"]
  }
}
```

Note how it is possible to protect a route by role: users will then need to authenticate to the application and be granted that role in order to access the route. It is also possible to create an invitation that grants specific roles to specific users logging in via EntraID, Facebook, GitHub, Google or Twitter, which can be useful to escalate privileges inside the application.
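As an added example (not code from this page or from Azure's tooling), the following Python script resolves request paths against a routes array the way Static Web Apps does and flags the misconfiguration a reviewer most often wants to catch: a role-protected rule that is shadowed by an earlier anonymous rule and therefore never applies. It assumes the route semantics documented for SWA (rules are evaluated in array order, the first matching rule wins, `*` is a wildcard, and a rule without allowedRoles defaults to the built-in anonymous role); the sample config is the page's example extended with two constructed /admin rules.

```python
"""Audit the route rules of a staticwebapp.config.json.

Assumed SWA semantics: rules are tried in array order, the first matching
rule wins, '*' is a wildcard, and a rule without allowedRoles is reachable
by the built-in "anonymous" role.
"""
import fnmatch
import json

ANONYMOUS = "anonymous"

# Constructed sample: the page's example config plus two extra rules for the
# /admin area. The anonymous "/admin/*" rule is deliberately placed before
# the "/admin/settings" rule that requires the "admin" role.
SAMPLE_CONFIG = json.dumps({
    "routes": [
        {"route": "/", "rewrite": "/index.html"},
        {"route": "/about", "rewrite": "/about.html"},
        {"route": "/api/*", "allowedRoles": ["authenticated"]},
        {"route": "/admin", "redirect": "/login", "statusCode": 302},
        {"route": "/admin/*", "headers": {"Cache-Control": "no-store"}},
        {"route": "/admin/settings", "allowedRoles": ["admin"]},
    ],
    "navigationFallback": {
        "rewrite": "/index.html",
        "exclude": ["/api/*", "/assets/*"],
    },
})


def load_routes(config_text):
    """Parse the config text and return its routes array (empty if absent)."""
    return json.loads(config_text).get("routes", [])


def route_matches(pattern, path):
    """Route patterns are literal paths with an optional '*' wildcard;
    fnmatch gives the same behaviour for such patterns."""
    return fnmatch.fnmatchcase(path, pattern)


def resolve(routes, path):
    """First rule matching `path`, or None when no rule applies (the request
    then goes to the static file or to navigationFallback)."""
    for rule in routes:
        if route_matches(rule["route"], path):
            return rule
    return None


def roles_for(rule):
    """Roles allowed by a rule; no rule or no allowedRoles means anonymous."""
    if rule is None:
        return [ANONYMOUS]
    return list(rule.get("allowedRoles", [ANONYMOUS]))


def anonymous_reachable(routes, path):
    """True when an unauthenticated request to `path` is not blocked by a rule."""
    return ANONYMOUS in roles_for(resolve(routes, path))


def shadowed_rules(routes):
    """Role-protected rules that never take effect because an earlier,
    anonymous-reachable rule already matches paths inside their pattern.
    Returns (protected_pattern, earlier_pattern) pairs."""
    findings = []
    for index, rule in enumerate(routes):
        if ANONYMOUS in roles_for(rule):
            continue
        # Turn the protected pattern into a concrete path it would cover.
        probe = rule["route"].replace("*", "probe")
        for earlier in routes[:index]:
            if ANONYMOUS in roles_for(earlier) and route_matches(earlier["route"], probe):
                findings.append((rule["route"], earlier["route"]))
                break
    return findings


def audit(config_text, probe_paths):
    """Report the rule and roles that apply to each probe path, plus shadowed rules."""
    routes = load_routes(config_text)
    report = {"paths": [], "shadowed": shadowed_rules(routes)}
    for path in probe_paths:
        rule = resolve(routes, path)
        report["paths"].append({
            "path": path,
            "rule": rule["route"] if rule else None,
            "roles": roles_for(rule),
        })
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, ["/api/users", "/admin", "/admin/settings", "/assets/logo.png"])
    for entry in result["paths"]:
        print(f"{entry['path']:<20} rule={entry['rule']!s:<18} roles={entry['roles']}")
    for protected, earlier in result["shadowed"]:
        print(f"SHADOWED: {protected} is pre-empted by anonymous rule {earlier}")
```

Run against the sample, /api/users resolves to the authenticated-only rule, while /admin/settings is served by the anonymous /admin/* rule that precedes the admin-only rule, which the shadowing check reports. Feeding the script a real config together with the paths of API and admin endpoints gives a quick answer to "what can an anonymous request reach" without deploying the app.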

Note that it is possible to create App settings so that changes to staticwebapp.config.json are not accepted. In that case it might not be enough to modify the file from GitHub; the settings of the App would also need to be changed.

The staging URL has this format: https://<app-subdomain>-<PR-num>.<region>.<rest-of-app-domain>, for example: https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net

Managed Identities

Azure Static Web Apps can be created using managed identities; however, as mentioned in this FAQ, they are only supported for retrieving secrets from Azure Key Vault for authentication purposes, not for accessing other Azure resources.

For more details you can find Azure's guide on using a Key Vault secret in a static app at https://learn.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets.

Enumeration

{% tabs %} {% tab title="az cli" %} {% code overflow="wrap" %}

```bash
# List Static Webapps
az staticwebapp list --output table

# Get Static Webapp details
az staticwebapp show --name <name> --resource-group <res-group> --output table

# Get appsettings
az staticwebapp appsettings list --name <name>

# Get env information
az staticwebapp environment list --name <name>
az staticwebapp environment functions --name <name>

# Get API key
az staticwebapp secrets list --name <name>

# Get invited users
az staticwebapp users list --name <name>

# Get database connections
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"

## Once you have the database connection name ("default" by default) you can get the connection string with the credentials
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections/default/show?api-version=2021-03-01"

# Check connected backends
az staticwebapp backends show --name <name> --resource-group <res-group>
```

{% endcode %} {% endtab %}

{% tab title="Az PowerShell" %} {% code overflow="wrap" %}

```powershell
Get-Command -Module Az.Websites

# Retrieves details of a specific Static Web App in the specified resource group.
Get-AzStaticWebApp -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves the build details for a specific Static Web App.
Get-AzStaticWebAppBuild -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves the application settings for a specific build environment in a Static Web App.
Get-AzStaticWebAppBuildAppSetting -ResourceGroupName <ResourceGroupName> -Name <Name> -EnvironmentName <EnvironmentName>

# Retrieves functions for a specific build environment in a Static Web App.
Get-AzStaticWebAppBuildFunction -ResourceGroupName <ResourceGroupName> -Name <Name> -EnvironmentName <EnvironmentName>

# Retrieves function app settings for a specific build environment in a Static Web App.
Get-AzStaticWebAppBuildFunctionAppSetting -ResourceGroupName <ResourceGroupName> -Name <Name> -EnvironmentName <EnvironmentName>

# Retrieves the configured roles for a Static Web App.
Get-AzStaticWebAppConfiguredRole -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves the custom domains configured for a Static Web App.
Get-AzStaticWebAppCustomDomain -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves details of the functions associated with a Static Web App.
Get-AzStaticWebAppFunction -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves the app settings for the function app associated with a Static Web App.
Get-AzStaticWebAppFunctionAppSetting -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves the secrets for a Static Web App.
Get-AzStaticWebAppSecret -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves general app settings for a Static Web App.
Get-AzStaticWebAppSetting -ResourceGroupName <ResourceGroupName> -Name <Name>

# Retrieves user details for a Static Web App with a specified authentication provider.
Get-AzStaticWebAppUser -ResourceGroupName <ResourceGroupName> -Name <Name> -AuthProvider <AuthProvider>

# Retrieves user-provided function apps associated with a Static Web App.
Get-AzStaticWebAppUserProvidedFunctionApp -ResourceGroupName <ResourceGroupName> -Name <Name>
```

{% endcode %} {% endtab %} {% endtabs %}

Examples of creating Web Apps

You can find a good example of creating a web app at the following link: https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github

  1. Fork the repository https://github.com/staticwebdev/react-basic/generate into your GitHub account and name it my-first-static-web-app
  2. In the Azure portal, create a Static Web App, granting it access to GitHub and selecting the repository you just forked
  3. Create it, wait a few minutes, and check your new page!

Privilege Escalation and Post-Exploitation

All the information about privilege escalation and post-exploitation in Azure Static Web Apps can be found at the following link:

Az - Static Web App Privesc
