services / Azure / Web App connection string
Connection strings of an Azure App Service web app that embed credentials for backing databases and storage services.
Connection strings by definition contain database/storage credentials (passwords, account keys, SAS tokens) and are returned in cleartext, so they are credential material.
Microsoft.Web/Sites/config/web/connectionstrings/write
Creating/updating a connection string can repoint the app at an attacker-controlled data store or inject credentials, manipulating operational config and enabling lateral movement.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog