Add validation for Azure api

martinvw · Sep 23, 2023 · 22a08a9 · 22a08a9
1 parent 33540e9
commit 22a08a9
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/subdomain_takeover_tools/confirm_azure_api_management.py b/subdomain_takeover_tools/confirm_azure_api_management.py
@@ -0,0 +1,47 @@
+import requests
+from azure.identity import DefaultAzureCredential
+
+from subdomain_takeover_tools.helper.main import bootstrap, settings
+from subdomain_takeover_tools.helper.prepare import resolve_cname
+
+EDGE_CDN = '.azure-api.net'
+
+credential = DefaultAzureCredential()
+
+session = requests.Session()
+(token, _) = credential.get_token('https://management.azure.com/.default')
+session.headers['Authorization'] = "Bearer " + token
+url = "https://management.azure.com/api/invoke"
+
+
+def is_valid(hostname, cname):
+    if hostname == cname:
+        cname = resolve_cname(hostname)
+
+    if cname is None:
+        return False
+
+    return confirm_azure_edge_cdn(cname)
+
+
+def confirm_azure_edge_cdn(cname):
+    try:
+        if cname.count('.') == 2 and EDGE_CDN in cname:
+            dns_prefix = cname.replace(EDGE_CDN, '')
+            result = session.post(url, json={'name': dns_prefix, 'type': 'Microsoft.ApiManagement/service'}, headers={
+                "X-Ms-Path-Query":
+                    "/subscriptions/" + settings['azure']['subscription_id']
+                    + "/providers/Microsoft.ApiManagement/checkNameAvailability?api-version=2022-09-01-preview"
+            })
+            return result.json()['nameAvailable']
+    except KeyError:
+        pass
+    return False
+
+
+def main():
+    bootstrap(is_valid)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/subdomain_takeover_tools/confirm_takeover.py b/subdomain_takeover_tools/confirm_takeover.py
@@ -4,6 +4,7 @@
 from subdomain_takeover_tools.confirm_azure_app_service import is_valid as azure_app_service_is_valid
 from subdomain_takeover_tools.confirm_azure_edge_cdn import is_valid as azure_edge_cdn_is_valid
 from subdomain_takeover_tools.confirm_azure_traffic_manager import is_valid as azure_traffic_manager_is_valid
+from subdomain_takeover_tools.confirm_azure_api_management import is_valid as azure_api_managment_is_valid
 from subdomain_takeover_tools.confirm_bigcartel import is_valid as bigcartel_is_valid
 from subdomain_takeover_tools.confirm_cargo import is_valid as cargo_is_valid
 from subdomain_takeover_tools.confirm_elb import is_valid as elb_is_valid
@@ -73,6 +74,8 @@ def _perform_check(service, target, domain):
             return azure_edge_cdn_is_valid(domain, target)
         elif target.endswith('trafficmanager.net'):
             return azure_traffic_manager_is_valid(domain, target)
+        elif target.endswith('azure-api.net'):
+            return azure_api_managment_is_valid(domain, target)
         elif target.endswith('cloudapp.azure.com'):
             # for now, we assume cloudapp is vulnerable
             return True