services / Azure / Web App configuration
The configuration sub-resource of an App Service Web App, holding the app's runtime/site settings, app settings, and connection strings.
The control-plane Read masks secret values; the security-sensitive settings (publishing credentials, connection strings) are returned only by the separate list/Action.
Microsoft.Web/Sites/config/list/action
Explicitly returns the Web App's security-sensitive settings including publishing credentials, app settings, and connection strings; publishing credentials are a reusable deployment credential and connection strings grant access to backing data stores.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security