Azure: APIM workspace backend
An API Management workspace backend defines an upstream/target service (URL, protocol, credentials, TLS settings) that the API gateway proxies requests to.
Backends sit behind the gateway and often reference internal services and the credentials used to authenticate to them; controlling a backend lets an attacker influence proxied production traffic.
Microsoft.ApiManagement/service/workspaces/backends/listSecrets/action
Returns the backend's stored secret material (credentials, authorization headers and connection secrets used to authenticate to the upstream service), enabling credential exfiltration and reuse to pivot laterally into the backing service.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Links
Contributed by P0 Security