services / Azure / Web App app setting

App settings of an Azure App Service web app, injected into the running app as environment variables.

App settings routinely hold API keys, passwords, and connection secrets returned in cleartext; treated as credential material.


Microsoft.​Web/​Sites/​config/​web/​appsettings/​read

Reading a single app setting returns its cleartext value, which commonly contains secrets/credentials exportable for lateral movement to dependent systems.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​microsoft.​web
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog