catalog logoThe IAM Privilege Catalog

services / Google Cloud / Identity Aware Proxy web services resource type.

Refers to a particular IAP secured web service.

IAP is used to control access to cloud services. Changes to IAP related settings could remove access from mission-critical applications or grant an attacker access to sensitive resources.

iap.​webServices.​updateSettings

Allows an attacker to update settings related to IAP. There is a risk of dos if an attacker removes any settings that are essential for authentication such as which domains are allowed access the app. There is another setting that allows for creation of a custom Access Denied page. This creates a risk of hijack or defacement where an attacker could put up a page of their own.

Risks

  1. Defacement (HIGH)
  2. Denial-of-service (HIGH)
  3. Network destruction (HIGH)
  4. Resource hijacking (MEDIUM)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​iap/​docs/​customizing
  • https:​/​/​cloud.​google.​com/​iap/​docs/​reference/​rest
  • https:​/​/​cloud.​google.​com/​iap/​docs/​reference/​rest/​v1/​IapSettings
  • https:​/​/​cloud.​google.​com/​iap/​docs/​configuring-​reauth

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog