Azure API Management backends

Backend entities in an Azure API Management service define the upstream services (URLs, protocols, connection and authorization configuration) that the API gateway proxies requests to.

Backends wire the gateway to internal/production services and can hold references to credential material; tampering redirects production API traffic.

Microsoft.ApiManagement/service/backends/listSecrets/action

Returns the backend's stored secret material (the authorization credentials or headers the gateway uses to authenticate to the upstream service), which allows those credentials to be exported and reused to access the backing services directly.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog