services / Azure / Azure Static Web App
An Azure Static Web App (Static Site) is a managed hosting resource that serves a public-facing static frontend with linked source-repository/CI build configuration and optional managed serverless API (Azure Functions) backend.
Asset hosts a single public-facing web application; its app settings and deployment tokens routinely contain secrets and connection strings, making secret-returning operations effectively credential disclosure.
Microsoft.Web/staticSites/resetapikey/action
Resets the deployment API key, yielding a fresh attacker-usable deployment credential while invalidating the existing key, denying legitimate operators and CI/CD pipelines deployment access.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security