Automating Azure App Services Token Decryption

Azure App Services has a convenient feature that allows users to add an identity provider (Entra ID, Google, etc.) to an application to allow restricting application access to specific users and domains. This is helpful when you want to have an application available over the internet, but you want to limit its public access. While there have been some previously identified issues around this feature, this part of the App Services configuration has been on NetSPI’s research radar for a while. Given the ease of accessing the encrypted token files on the App Services host, with the right RBAC role, we figured it would be great to figure out the decryption process and automate the dumping of tokens.
Conveniently, Cody Burkard from Daze Security recently released the “Abusing Delegated Permissions via Easy Auth” blog that outlines the process we needed to use for decrypting these App Services tokens. After Cody released this blog, we had all the pieces we needed to automate that decryption process in PowerShell and include the tooling in the MicroBurst repository. This should allow us to more efficiently “borrow” application tokens during a penetration test to access App Services applications as other users.
TL;DR
- Azure App Services supports multiple identity providers for authentication
- Tokens generated for application sessions are stored (encrypted) on the App Services host
- These tokens can be decrypted and used to gain access to the application as other users
- Encrypted tokens and the decryption key are available to users with Contributor permissions on the App Services resource
- App Registration credentials for the identity provider are also available on the resource
- We have automated the decryption and extraction process, and added a tool to MicroBurst (Get-AzWebAppTokens)
Automating Token Decryption
As previously mentioned, Cody Burkard gets all the credit here for sorting out the decryption process. We will not be going into the details here, but if you want to get the full technical details, check out Cody’s blog. At the highest level, we want to gain access to the decryption key (an environmental variable) and the JSON files that store the encrypted tokens.
The token files can be found on the App Services container file system in the following directories:
- Linux
/home/data/.auth/tokens
- Windows
C:\home\data\.auth\tokens
The easiest way to access both items is to run operating system commands on the App Services container. Command execution can be done a number of ways, but we went with the Kudu API endpoint (/api/command) for our tooling. This endpoint accepts both Azure management scoped tokens and publishing profile credentials, so it offers some flexibility depending on your level of access to the application. That said, our function only supports management tokens, so we will leave the publishing profile credentials process up to you to sort out. Additionally, this process could be modified to use the Kudu VFS and ENV APIs as an alternative to the currently coded command execution method.
The overall process for this function is pretty simple:
- Find App Services applications configured with the Microsoft Identity Provider
- Out-GridView select the ones that you want to attack
- Run operating system commands on the application containers to:
  - Get the environmental variables
  - Get the contents of the JSON token files
- Decrypt the token files with the extracted key
- Output the tokens and App Registration credentials to local files
Usage
The usage of the function is very simple. Get the script from the MicroBurst repo, import the function, and run it.
ipmo .\Get-AzWebAppTokens.ps1
Get-AzWebAppTokens -Verbose

Please note that the verbose flag is optional, but it is helpful. Additionally, the function will create local files as output, so run it from a directory that you can write to.
It should also be noted that App Services supports multiple Identity Providers (IDPs), and we only tested the tool against the Microsoft provider. The function filters on a Microsoft IDP specific configuration value, so in its current state it is unlikely to work on other IDPs. If you want to help us add flexibility to this function, we welcome pull requests on MicroBurst.
Tool/Attack Detection and Hunting Guidance
Finally, we will be covering some detection and hunting guidance for the blue teamers in the audience. Keep in mind that an attacker may not use this specific tool, and they may also attempt to access the affected APIs without having the correct permissions.
Get-AzWebAppTokens Detection:
Detection Opportunity #1: Running of commands via Kudu APIs
Data Source: Azure Diagnostic Log
Detection Strategy: Signature
Detection Concept: The Azure Diagnostic Logs (“App Service Console Logs” diagnostic setting) for the “HTTP Logs” category may log the running of the command.
Detection Reasoning: The output of the action may be logged in the diagnostic log.
Known Detection Consideration: Command execution on the container may occur through a number of different channels. This function specifically uses the Kudu APIs for execution.
It should be noted that this attack does require Contributor (or write permissions) on the App Services resource. There may be additional indicators from actions that an attacker may be taking with these permissions. Since the App Services applications run in a serverless environment, you may have additional detection challenges related to the ephemeral nature of the service.
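The detection opportunity above can be turned into a simple hunt over the "HTTP Logs" records. The following is an added example written for this post, not code from the NetSPI post or from MicroBurst. It goes slightly beyond the post by also flagging the Kudu VFS and environment APIs named as alternatives to /api/command, and it marks rejected (4xx) requests separately, since the post notes an attacker may probe these APIs without the right permissions. The field names (CsHost, CsMethod, CsUriStem, ScStatus, CIp, UserAgent) are modelled on the AppServiceHTTPLogs diagnostic schema and the exact Kudu VFS/environment paths are assumptions; the log records themselves are constructed.

```python
"""Hunt App Service HTTP log records for Kudu (SCM site) API calls that can
read the Easy Auth token store or the decryption key from the host.

Added example, not part of the NetSPI post or the MicroBurst tool. Field
names follow the AppServiceHTTPLogs schema as an assumption; map them to
your own export format if it differs.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# /api/command is the endpoint Get-AzWebAppTokens uses (from the post).
# /api/vfs/ and /api/environment are the Kudu VFS and environment APIs the
# post names as alternatives; these exact paths are an assumption here.
COMMAND_API = "/api/command"
VFS_API_PREFIX = "/api/vfs/"
ENV_API = "/api/environment"
# Token store location on the host (from the post), relative to the Kudu
# VFS root and normalised to forward slashes for matching.
TOKEN_DIR_FRAGMENT = "data/.auth/tokens"


@dataclass(frozen=True)
class Finding:
    client_ip: str
    host: str
    uri: str
    user_agent: str
    reason: str


def _is_scm_host(host: str) -> bool:
    # Kudu is served from the *.scm.azurewebsites.net host name (assumption:
    # adjust if you use App Service Environments or custom SCM domains).
    return host.lower().endswith(".scm.azurewebsites.net")


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding if the record is a Kudu call of interest, else None."""
    host = record.get("CsHost", "")
    method = record.get("CsMethod", "").upper()
    uri = record.get("CsUriStem", "")
    if not _is_scm_host(host):
        return None  # normal application traffic, not the SCM site

    norm = uri.lower().replace("\\", "/")
    reason = None
    if method == "POST" and norm == COMMAND_API:
        reason = "command execution via Kudu /api/command"
    elif norm.startswith(VFS_API_PREFIX) and TOKEN_DIR_FRAGMENT in norm:
        reason = "read of Easy Auth token store via Kudu VFS API"
    elif norm == ENV_API:
        reason = "environment variable read via Kudu environment API"
    if reason is None:
        return None  # other SCM traffic (deployments, log streaming, etc.)

    # A 401/403 on one of these paths still matters: it may be a caller
    # probing the API without the Contributor/write role the attack needs.
    status = int(record.get("ScStatus", 0))
    if status >= 400:
        reason += f" (rejected, HTTP {status}: possible permission probing)"
    return Finding(record.get("CIp", "?"), host, uri,
                   record.get("UserAgent", "?"), reason)


def hunt(records: Iterable[dict]) -> List[Finding]:
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"CsHost": "contoso-app.azurewebsites.net", "CsMethod": "GET",
     "CsUriStem": "/", "ScStatus": 200, "CIp": "198.51.100.10",
     "UserAgent": "Mozilla/5.0"},
    {"CsHost": "contoso-app.scm.azurewebsites.net", "CsMethod": "POST",
     "CsUriStem": "/api/command", "ScStatus": 200, "CIp": "203.0.113.7",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"},
    {"CsHost": "contoso-app.scm.azurewebsites.net", "CsMethod": "GET",
     "CsUriStem": "/api/vfs/data/.auth/tokens/", "ScStatus": 200,
     "CIp": "203.0.113.7", "UserAgent": "curl/8.4.0"},
    {"CsHost": "contoso-app.scm.azurewebsites.net", "CsMethod": "GET",
     "CsUriStem": "/api/environment", "ScStatus": 403, "CIp": "203.0.113.9",
     "UserAgent": "python-requests/2.31"},
    {"CsHost": "contoso-app.scm.azurewebsites.net", "CsMethod": "GET",
     "CsUriStem": "/api/vfs/site/wwwroot/web.config", "ScStatus": 200,
     "CIp": "198.51.100.20", "UserAgent": "VSTS_Agent"},  # routine deploy read
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(f"{finding.client_ip} {finding.host}{finding.uri} -> {finding.reason}")
```

Run against the constructed records, the hunt flags the /api/command call, the VFS read of the token directory and the rejected /api/environment request, and leaves the ordinary application and deployment traffic alone. Because the same data can arrive through several channels (the post notes command execution is only one of them), enrich findings with the caller's identity from the Azure Activity Log or sign-in logs before treating them as confirmed.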
Conclusion
Our intent with releasing this tool is to give penetration testers an easier way to automate this attack during engagements. This tooling also allows us to better emulate real world attacks that may be going on in your environment. If you’re interested in testing your current detections around dumping tokens from an App Services app, or any other Azure attacks, check out NetSPI’s Breach & Attack Simulation as a Service and Azure Cloud Penetration Testing. If you would like to suggest any improvements on the tooling, feel free to create an issue or pull request on the MicroBurst repo.