Forum Discussion

colonel_claypoo's avatar
colonel_claypoo
Iron Contributor
Jul 24, 2023

Investigating Storm-0558 security issue?

For those that've heard, any idea how we can investigate tokens?   https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr article advises to:   Exam...
azure
colonel_claypoo's avatar
colonel_claypoo
Iron Contributor
Jul 25, 2023

The more I read about it the more I get the hunch that remediation steps can only be carried out on the app developer's side. We are customers using this, for the most part, enterprise applications/app registrations. Don't if we can do anything here at all. What do you think?

Gohulan's avatar
Gohulan
Brass Contributor
Jul 25, 2023
As customers using enterprise applications or app registrations, your control over the app's internal security mechanisms might be limited. In such cases, the responsibility for implementing remediation measures generally falls on the app developer or the service provider offering the application.
  • MarkusLosco's avatar
    MarkusLosco
    MCT
    Jul 25, 2023

    Here a short overview (azure cli):

    1.) create the list

    az ad app list --filter "(signinaudience eq 'AzureADMultipleOrgs' or signinaudience eq 'AzureADandPersonalMicrosoftAccount' or signinaudience eq 'PersonalMicrosoftAccount')" --query "[?id].{AppName:displayName, AppID:appId, ObjID:id, HomePageURL:web.homePageUrl}"

    2.) create the WebApps List

    az ad app list --filter "(signinaudience eq 'AzureADMultipleOrgs' or signinaudience eq 'AzureADandPersonalMicrosoftAccount' or signinaudience eq 'PersonalMicrosoftAccount')" --query "[?web && web.homePageUrl && contains(web.homePageUrl, 'azurewebsites.net')].{AppName:displayName, AppID:appId, ObjID:id, HomePageURL:web.homePageUrl}"

    3.) az ad app credential reset --id <appid> --append
    4.) az login --service-principal -u <appid> -p <clientsecret> --tenant <tenantid>

    5.) sometimes a Application ID URI needs to create..
    Azure Active Directory → App registrations → {your app} → Expose an API → Add "Application ID URI"

    6.) az account get-access-token --resource api://<Application ID URI>

    7.) Last go to this site and c&p your token https://jwt.io/

    8.) check your kid field

     

    sometime the cli need some times 😉

Resources