services / Azure / Web App hybrid connection relays

A hybrid connection relay on a Web App is an Azure Relay-backed network bridge that lets the app reach a specific backend TCP endpoint (often on-premises or in a private network) by host and port.

Configuration discloses the relay namespace and target host/port (network topology); the relay's send/listen keys are credential material retrieved via a separate listKeys action.

Microsoft.Web/Sites/hybridconnectionnamespaces/relays/listKeys/action

Returns the Azure Relay SAS send/listen access keys for the hybrid connection; an attacker exfiltrates these reusable credentials and connects to the relay to reach the backend/private/on-prem network it bridges.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/microsoft.web
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog