services / Azure / API Management API operation policies
The policy configuration (XML) applied at the API operation level on an Azure API Management gateway. Its inbound, backend, outbound and on-error sections control request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing.
APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).
Microsoft.ApiManagement/service/apis/Operations/Policies/read
Reading operation-level policy XML maps the gateway's enforcement controls (authentication and JWT validation, rate limits, IP filters, backend routing) for reconnaissance of weak points, and discloses any credentials inlined as literals in the policy (for example authentication-basic passwords or a hard-coded Authorization header). Named values appear in the XML only as {{name}} references: the document shows which secrets exist and where they are used, but the stored value itself requires a separate named-value secret read.
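Worked example (added here, not part of the catalog entry or of any Microsoft tooling): a small triage script for the policy document this permission lets a caller fetch (the REST GET on .../apis/{apiId}/operations/{operationId}/policies/policy with format=rawxml). It maps the inbound enforcement controls, lists the {{named-value}} references, and flags credentials inlined as literals, which is exactly the split between reconnaissance value and outright secret disclosure described above. The sample policy is constructed for the example; its hostnames, username, password and token are fake, and the list of sensitive header names and control elements is the author's choice, not an APIM definition.

```python
"""Triage of an APIM operation policy document (added example).

Given the raw policy XML that the Operations/Policies/read permission returns,
map the enforcement controls it declares, list the named values it references,
and flag credentials that are inlined as literals rather than as {{named-value}}
placeholders. The policy below is constructed for this example; the hostnames,
username, password and token in it are fake.
"""
import re
import xml.etree.ElementTree as ET

# A {{name}} placeholder; APIM returns policy XML with these unresolved.
NAMED_VALUE_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")

# Header names whose literal value is a credential (list chosen for this example).
SENSITIVE_HEADERS = {"authorization", "ocp-apim-subscription-key",
                     "x-api-key", "x-functions-key", "cookie"}

# Inbound policy elements that act as enforcement controls worth mapping.
CONTROL_TAGS = {"rate-limit", "rate-limit-by-key", "quota", "quota-by-key",
                "ip-filter", "validate-jwt", "validate-azure-ad-token",
                "check-header", "validate-client-certificate", "cors"}

# Constructed sample policy: a hardened-looking inbound section that still
# leaks two credentials and the internal backend host.
SAMPLE_POLICY = """<policies>
  <inbound>
    <base />
    <rate-limit calls="100" renewal-period="60" />
    <ip-filter action="allow">
      <address-range from="203.0.113.0" to="203.0.113.255" />
    </ip-filter>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <required-claims>
        <claim name="aud"><value>api://orders</value></claim>
      </required-claims>
    </validate-jwt>
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
      <value>{{orders-backend-key}}</value>
    </set-header>
    <set-header name="Authorization" exists-action="override">
      <value>Bearer eyJhbGciOiJIUzI1NiJ9.fake.token</value>
    </set-header>
    <authentication-basic username="svc_orders" password="Sup3rS3cret!" />
    <set-backend-service base-url="https://orders-internal.example.net/" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""


def is_placeholder(value):
    """True when the whole value is a single {{named-value}} reference."""
    return NAMED_VALUE_RE.fullmatch(value.strip()) is not None


def triage_policy(policy_xml):
    """Return controls, named-value references, inlined secrets and backends."""
    root = ET.fromstring(policy_xml)
    result = {"controls": [], "named_values": set(),
              "inline_secrets": [], "backends": []}

    # Named-value references anywhere in the document: these tell a reader
    # which secrets exist and where they are used, but not their values.
    for el in root.iter():
        for text in [el.text or ""] + list(el.attrib.values()):
            result["named_values"].update(NAMED_VALUE_RE.findall(text))

    inbound = root.find("inbound")
    if inbound is None:
        return result

    for el in inbound:
        if el.tag in CONTROL_TAGS:
            control = {"policy": el.tag, **el.attrib}
            if el.tag == "ip-filter":
                control["ranges"] = [(r.get("from"), r.get("to"))
                                     for r in el.findall("address-range")]
            result["controls"].append(control)
        elif el.tag == "authentication-basic":
            password = el.get("password", "")
            if password and not is_placeholder(password):
                result["inline_secrets"].append(
                    ("authentication-basic", el.get("username", ""), password))
        elif el.tag == "set-header" and el.get("name", "").lower() in SENSITIVE_HEADERS:
            value_el = el.find("value")
            value = (value_el.text or "").strip() if value_el is not None else ""
            if value and not is_placeholder(value):
                result["inline_secrets"].append(("set-header", el.get("name"), value))
        elif el.tag == "set-backend-service":
            # Internal routing target: reconnaissance value even when no secret leaks.
            result["backends"].append(el.get("base-url") or el.get("backend-id"))
    return result


if __name__ == "__main__":
    findings = triage_policy(SAMPLE_POLICY)
    for control in findings["controls"]:
        print("control:", control)
    print("named values referenced:", sorted(findings["named_values"]))
    for finding in findings["inline_secrets"]:
        print("INLINE SECRET:", finding)
    print("backends:", findings["backends"])
```

Run against the sample, the script reports three controls (rate-limit, ip-filter with its allowed range, validate-jwt), two named-value references (tenant-id, orders-backend-key) that are not themselves leaked, two inlined credentials (the literal Authorization header and the authentication-basic password), and the internal backend URL. The same split is what an auditor should look for when reviewing who holds this read permission: a policy that uses only named values loses reconnaissance detail, a policy with literals loses the credentials outright.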
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security