
AZT601.4 - Steal Managed Identity JsonWebToken: Function Application JWT GET Request

If a Function App is using a Managed Identity, an adversary can modify the function's logic so that an HTTP GET request to it returns the Managed Identity's JWT.

Resource

Function App

Actions

  • Microsoft.Web/sites/Write
  • Microsoft.web/sites/functions/action
  • Microsoft.web/sites/functions/write

Examples

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
| --- | --- | --- | --- |
| Azure Active Directory | Update website | Microsoft.Web/sites/write | AzureAD Audit Logs |
| Azure Active Directory | Start Web App | Microsoft.Web/sites/start/action | AzureAD Audit Logs |
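An added detection example, not part of this matrix entry or of any Microsoft tooling: it groups the operations listed above per caller and Function App from Azure Activity log records, so a function code write followed by a restart on one app by one caller stands out. It assumes the records use the AzureActivity table column names (TimeGenerated, Caller, OperationNameValue, ResourceId); the 30-minute window is an assumed threshold and the sample records are constructed.

```python
"""Detection helper: surface Function App code/config changes logged in Azure Activity."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations taken from this technique entry (compared case-insensitively).
WATCHED_OPERATIONS = {
    "microsoft.web/sites/write",
    "microsoft.web/sites/functions/write",
    "microsoft.web/sites/functions/action",
    "microsoft.web/sites/start/action",
}

def site_of(resource_id: str):
    """Lower-cased site id for a Microsoft.Web/sites resource or sub-resource, else None."""
    parts = resource_id.lower().split("/")
    idx = parts.index("microsoft.web") if "microsoft.web" in parts else -1
    if idx < 0 or len(parts) < idx + 3 or parts[idx + 1] != "sites":
        return None
    return "/".join(parts[: idx + 3])

def detect(records, window=timedelta(minutes=30)):
    """One alert per (caller, site); 'burst' = 2+ distinct watched ops inside `window` (assumed)."""
    groups = defaultdict(list)
    for r in records:
        site = site_of(r["ResourceId"])
        if site and r["OperationNameValue"].lower() in WATCHED_OPERATIONS:
            groups[(r["Caller"], site)].append(r)
    alerts = []
    for (caller, site), events in groups.items():
        events.sort(key=lambda e: e["TimeGenerated"])
        span = events[-1]["TimeGenerated"] - events[0]["TimeGenerated"]
        ops = [e["OperationNameValue"] for e in events]
        alerts.append({"caller": caller, "site": site, "operations": ops,
                       "burst": len(set(o.lower() for o in ops)) > 1 and span <= window})
    return alerts

# Constructed sample records using AzureActivity column names; not real log data.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
SAMPLE_RECORDS = [
    {"TimeGenerated": datetime(2024, 1, 1, 10, 0), "Caller": "dev@example.com",
     "OperationNameValue": "Microsoft.Web/sites/functions/write",
     "ResourceId": RG + "Microsoft.Web/sites/func-demo/functions/HttpTrigger1"},
    {"TimeGenerated": datetime(2024, 1, 1, 10, 2), "Caller": "dev@example.com",
     "OperationNameValue": "Microsoft.Web/sites/start/action",
     "ResourceId": RG + "Microsoft.Web/sites/func-demo"},
    {"TimeGenerated": datetime(2024, 1, 1, 11, 0), "Caller": "ops@example.com",
     "OperationNameValue": "Microsoft.Storage/storageAccounts/write",
     "ResourceId": RG + "Microsoft.Storage/storageAccounts/stdemo"},
]
```

Running `detect(SAMPLE_RECORDS)` yields a single alert for dev@example.com on func-demo with both operations and burst set; the storage write is ignored. Pivot from an alert to the app's function code and its Managed Identity role assignments to confirm whether the change was legitimate.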