Microsoft Azure is a leading cloud provider offering technology solutions to various organizations. Single-Page Applications (SPAs) are a popular method for creating web applications, which dynamically rewrite a current web page with new data from the web server. The Azure portal is essentially a web application frontend that communicates with the Azure Graph APIs. A security assessment was conducted for a client targeting their Azure tenant, focusing on escalating privileges, improving detections, and documenting attack paths. The team encountered a one-hour expiration limit on access tokens, which led to the discovery of refresh tokens in network traffic. By using the refresh token and the origin URL, the team successfully authenticated with ROADTools and enumerated the client tenant. The workflow involves inspecting network traffic for tokens, authenticating to the Microsoft Graph API, executing collections, and reviewing the information. This process can be applied to various SPAs, including the Azure Portal and Microsoft Online Office Applications.
