services / Azure / API Management backends
Backend entities in an Azure API Management service define the upstream services (URLs, protocols, connection and authorization configuration) that the API gateway proxies requests to.
Backends wire the gateway to internal/production services and can hold references to credential material; tampering with a backend definition redirects production API traffic to an attacker-controlled upstream.
Microsoft.ApiManagement/service/backends/listSecrets/action
Returns the backend's stored secret material (authorization credentials/headers used to authenticate to the upstream), enabling credential export and reuse to access the backing services.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Links
Contributed by P0 Security