Azure: Web App hybrid connection relays
A hybrid connection relay on a Web App is an Azure Relay-backed network bridge that lets the app reach a specific backend TCP endpoint (often on-premises or in a private network) by host and port.
Configuration discloses the relay namespace and target host/port (network topology); the relay's send/listen keys are credential material retrieved via a separate listKeys action.
Microsoft.Web/Sites/hybridconnectionnamespaces/relays/listKeys/action
Returns the Azure Relay SAS send/listen access keys for the hybrid connection. These keys are reusable credentials: an attacker who exfiltrates them can connect to the relay and reach the backend, private, or on-premises network it bridges.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security