services / Azure / Web Apps Slots Backup configuration
An Azure App Service deployment slot is a live, addressable instance of a web app, function app, or Logic App that hosts application code and configuration (app settings, connection strings) and has an assigned managed identity. Slots can be swapped into the production endpoint.
Slots host a single organizational function's production or staging workload; their configuration and managed identity make them a pivot point for code execution and lateral movement.
Microsoft.Web/Sites/slots/backup/write
Updating the slot backup configuration lets an attacker alter or disable the backup schedule/retention or redirect backups to attacker-controlled storage, undermining the app's recovery posture.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security