A list of roles that can be abused during authenticated session to a subscription

Basic Authentication SCM service attack

• Microsoft.Web/sites/config/list/action
• Microsoft.Web/sites/Read

We can read the function master key and authenticate to the Kudu dashboard (also known as SCM)

Source: https://medium.com/xm-cyber/10-ways-of-gaining-control-over-azure-function-apps-7e7b84367ce6

List function master Key

• Microsoft.web/sites/host/listkeys/action
• Microsoft.web/sites/functions/read
• Microsoft.web/sites/read

Read the function master key

Source: https://medium.com/xm-cyber/10-ways-of-gaining-control-over-azure-function-apps-7e7b84367ce6

Overwrite function’s code from the Azure portal

• Microsoft.Web/sites/hostruntime/*

Change the function source code

Source: https://medium.com/xm-cyber/10-ways-of-gaining-control-over-azure-function-apps-7e7b84367ce6