Azure API Management – Fingerprinting for Reconnaissance and Leaky Headers

The first part of any penetration test or malicious activity is usually reconnaissance. OSINT tools gather user-related information; HTTP fingerprinting and tooling such as Maltego/Sploitego gather server-side details. At times no tooling is required at all to identify which management stack the API platform is using.

One thing is clear: the attack surface needs to be determined. Most professionals will want to fingerprint which server you are running, which IDS/IPS stack is protecting the asset and, in our case, which management platform fronts the API.

Here is a typical response from Azure API Management.

Pragma: no-cache
Transfer-Encoding: chunked
Host: echoapi.cloudapp.net
Ocp-Apim-Subscription-Key: ******removed by me****
X-Forwarded-For: 13.75.147.245
Ocp-Apim-Trace-Location: https://apimgmtstggrqmwb9qliqj0i.blob.core.windows.net/apiinspectorcontainer/hilgmMCs8cs0digVzu3K-A2-2?sv=2015-07-08&sr=b*********
Cache-Control: no-cache
Date: Thu, 01 JAN 2017 12:59:38 GMT
X-AspNet-Version: 4.0.30319
X-Powered-By: Azure API Management - http://api.azure.com/,ASP.NET
Content-Type: application/xml
Expires: -1
<Document>
    <vehicleType>train</vehicleType>
    <maxSpeed>125</maxSpeed>
    <avgSpeed>90</avgSpeed>
    <speedUnit>mph</speedUnit>
</Document>

The elements of concern are the following headers.

Host: echoapi.cloudapp.net

Why does the consumer need to know the underlying API's URL? With it, the caller can use tooling to determine the server type and can also bypass our management appliance, along with all the security constructs we may have added to its policies.

X-Forwarded-For: 13.75.147.245

And here is the IP address of the URL we just handed out, making it even easier to bypass the security and management implemented in the appliance.

Ocp-Apim-Subscription-Key: ******removed by me****

Here we are sending the subscription key back to the caller. There is no reason to: the caller already supplied it successfully. Let's not add more payloads carrying sensitive data; this header needs to be removed.

X-AspNet-Version: 4.0.30319
X-Powered-By: Azure API Management - http://api.azure.com/,ASP.NET
Content-Type: application/xml

Lastly, the server and appliance information is conveyed to the caller in the clear. This is not information that should be shared so easily.

A simple alteration to an APIM policy can stop this data from being sent back to the caller. Since we are manipulating headers anyway, we can add security headers at the same time.

Two birds, one stone.

  1. Remove elements that can be used for discovery and bypass.
  2. Augment the headers for security reasons.
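The post does not show the policy itself, so the following is an added example (not the post's own policy) of an APIM policy document that does both steps in the outbound section: it deletes the leaky headers with set-header exists-action="delete" and sets the hardening headers that appear in the cleaned response. It assumes the policy is applied at API or product scope and that the backend's Host and X-Forwarded-For values are not needed by any caller.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Step 1: strip headers that fingerprint the backend or the gateway,
             or that echo a secret the caller already holds -->
        <set-header name="Host" exists-action="delete" />
        <set-header name="X-Forwarded-For" exists-action="delete" />
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <set-header name="X-Powered-By" exists-action="delete" />
        <!-- Step 2: add browser hardening headers in the same pass;
             override replaces any value the backend may have set -->
        <set-header name="X-XSS-Protection" exists-action="override">
            <value>1; mode=block</value>
        </set-header>
        <set-header name="X-Frame-Options" exists-action="override">
            <value>deny</value>
        </set-header>
        <set-header name="X-Content-Type-Options" exists-action="override">
            <value>nosniff</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Deleting a header that the backend never sent is a no-op, so the same policy can be applied across APIs whose backends leak different subsets of these headers.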

Let's now take a look at the response:

Pragma: no-cache
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Ocp-Apim-Trace-Location: https://apimgmtstggrqmwb9qliqj0i.blob.core.windows.net/apiinspectorcontainer/hilgmMCs8cs0digVzu3K-A2-3?sv=2015****
Cache-Control: no-cache
Date: Thu, 01 Jan 2017 13:26:58 GMT
Content-Type: application/xml
Expires: -1
<Document>
    <vehicleType>train</vehicleType>
    <maxSpeed>125</maxSpeed>
    <avgSpeed>90</avgSpeed>
    <speedUnit>mph</speedUnit>
</Document>

Clean and not leaking data. 

TIP: use APIM policies to manipulate responses so they do not leak data about your underlying layer, especially if you are using PaaS implementations where you do not want people to bypass the APIM appliance (SAA). Don't forget to secure the channel with X.509 certificates as well.