services / Azure / API Management API operation policies
The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing.
APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).
Microsoft.ApiManagement/service/apis/Operations/Policies/write
Write access to an operation policy lets an attacker strip authentication, IP-filtering and rate-limit enforcement and rewrite request/response handling to reroute backend traffic, both disabling defenses and manipulating gateway behavior.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security