services / Azure / APIM workspace backend

An API Management workspace backend defines an upstream/target service (URL, protocol, credentials, TLS settings) that the API gateway proxies requests to.

Backends sit behind the gateway and often reference internal services and the credentials used to authenticate to them; controlling a backend lets an attacker influence proxied production traffic.


Microsoft.ApiManagement/service/workspaces/backends/listSecrets/action

Returns the backend's stored secret material (credentials/authorization headers/connection secrets used to authenticate to the upstream service), enabling credential exfiltration and reuse to pivot laterally into the backing service.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog