Phishing Api Keys on Azure
How Phishing Api Keys Manifests in Azure
Phishing API keys in Azure environments typically occurs through credential exposure in publicly accessible endpoints or through compromised client-side applications. Attackers often harvest keys from client-side JavaScript, mobile apps, or exposed configuration files that contain Azure API credentials. Once obtained, these keys grant unauthorized access to Azure services like Azure Storage, Cognitive Services, or Azure Functions.
A common Azure-specific pattern involves Azure Storage account keys embedded in client-side applications. Developers frequently hardcode storage account keys or SAS tokens directly into JavaScript bundles, making them trivially extractable by anyone inspecting the application. This allows attackers to upload malicious content, delete data, or incur significant costs through excessive API calls.
// Vulnerable Azure Storage usage in client-side code
const azure = require('azure-storage');
const blobService = azure.createBlobService('your-storage-account', 'your-account-key');
// This key is now exposed to every user
Another manifestation involves Azure Cognitive Services keys exposed through REST API endpoints. When these keys are included in client-side fetch requests, attackers can intercept them through network analysis or by examining source code. This grants them access to AI services, potentially allowing them to run unauthorized inference workloads or extract sensitive training data.
// Vulnerable Azure Cognitive Services usage
fetch('https://your-resource.cognitiveservices.azure.com/text/analytics/v3.1/sentiment', {
headers: {
'Ocp-Apim-Subscription-Key': 'YOUR-KEY-HERE'
}
});
Azure Function keys represent another attack surface. When HTTP-triggered functions use authLevel: 'function' but embed the function key in client requests, attackers who discover the key can invoke the function directly, bypassing any intended access controls.
Azure-Specific Detection
Detecting phishing API keys in Azure environments requires both static analysis and runtime scanning. Azure Key Vault should be used to centralize secrets, but many applications still expose keys through client-side code or configuration files.
middleBrick's Azure-specific scanning identifies exposed API keys through several mechanisms. The scanner tests for Azure Storage account keys using regex patterns that match the 64-character alphanumeric format with specific character distributions. For Cognitive Services, it identifies subscription keys in HTTP headers and request bodies.
# Scan an Azure endpoint with middleBrick
middlebrick scan https://yourapp.azurewebsites.net/api/yourfunction
The scanner also checks for Azure Function keys in HTTP requests, testing whether endpoints are protected by function keys or master keys. It attempts to invoke functions with common key patterns to verify if authentication is properly implemented.
For Azure Storage, middleBrick tests for publicly accessible containers that might indicate compromised credentials. It attempts to list blobs and enumerate container contents, which would be possible if an attacker obtained valid storage keys.
Azure-specific configuration files like local.settings.json or appsettings.json are analyzed for embedded keys. The scanner checks for Azure-specific patterns including:
- Storage account connection strings
- Cognitive Services subscription keys
- Azure Service Bus connection strings
- Event Hub connection strings
middleBrick's LLM security module also tests for prompt injection vulnerabilities in Azure OpenAI endpoints, which could allow attackers to extract system prompts or API keys through crafted inputs.
Azure-Specific Remediation
Remediating phishing API key vulnerabilities in Azure requires architectural changes to eliminate client-side credential exposure. The primary solution is using Azure Managed Identities, which provides Azure services with an automatically managed identity in Azure Active Directory.
// Secure Azure Storage access using Managed Identity
using Azure.Identity;
using Azure.Storage.Blobs;
var credential = new DefaultAzureCredential();
var blobServiceClient = new BlobServiceClient(
new Uri("https://youraccount.blob.core.windows.net"),
credential
);
For Azure Functions, implement App Service Authentication with Easy Auth or Azure AD integration rather than function keys. This eliminates the need to embed keys in client applications.
// Secure Azure Function using Easy Auth
[FunctionName("SecureFunction")]
public static async Task Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
// Authentication handled by App Service
var user = req.HttpContext.User;
if (!user.Identity.IsAuthenticated) {
return new UnauthorizedResult();
}
return new OkObjectResult("Authenticated access");
}
For Cognitive Services, use Azure Key Vault to store and retrieve keys at runtime rather than embedding them in client code. Implement a backend API that proxies requests to Cognitive Services, keeping keys server-side only.
// Backend proxy for Cognitive Services
[ApiController]
[Route("api/cognitive")]
public class CognitiveController : ControllerBase
{
private readonly IConfiguration _config;
public CognitiveController(IConfiguration config)
{
_config = config;
}
[HttpPost("sentiment")]
public async Task AnalyzeSentiment([FromBody] Document doc)
{
var endpoint = _config["CognitiveServices:Endpoint"];
var key = _config["CognitiveServices:Key"]; // From Key Vault
using var client = new HttpClient();
client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", key);
var response = await client.PostAsJsonAsync(
$"{endpoint}/text/analytics/v3.1/sentiment",
doc
);
return Ok(await response.Content.ReadAsStringAsync());
}
}
Implement Azure Monitor and Application Insights to detect anomalous API usage patterns that might indicate compromised credentials. Set up alerts for unusual request volumes or geographic access patterns that deviate from normal usage.