Red Team: Finding Single Page Applications with Secrets
Using Microsoft Graph to find Single Page Applications (SPAs) with defined credentials.
It is discouraged to associate SPA applications with password or certificate credentials. A SPA runs entirely in the web browser, so its code and anything embedded in it are readable by whoever loads the page. An exposed secret allows a malicious actor to sign in and act as your application, with every permission that has been assigned to it.
PowerShell
# Application.Read.All is enough to enumerate app registrations and their credentials.
Connect-MgGraph -Scopes @('Application.Read.All')
$allApplications = Get-MgApplication -All -PageSize 999
# PasswordCredentials is an (possibly empty) array, so test its Count rather than comparing to $null.
$allApplicationsWithPasswords = $allApplications | Where-Object { $_.PasswordCredentials.Count -gt 0 }
# An app registration with a SPA platform configured has at least one SPA redirect URI.
$allSpaApplicationsWithPasswords = $allApplicationsWithPasswords | Where-Object { $_.Spa.RedirectUris.Count -gt 0 }
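The query above only looks at password credentials. The following is an added example, not the original post's script, that generalizes it: it reports SPA app registrations that carry either a password (client secret) or a certificate (key credential), one row per credential, with the expiry date so that already-expired entries can be separated from live ones. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in identity has been granted Application.Read.All; the output file name is an arbitrary choice.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph SDK
# and the Application.Read.All scope on the signed-in identity.
Connect-MgGraph -Scopes @('Application.Read.All') -NoWelcome

# Request only the properties needed for the report.
$allApplications = Get-MgApplication -All -PageSize 999 `
    -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials, Spa

$now = Get-Date

$findings = foreach ($app in $allApplications) {
    # Skip registrations without a SPA platform (no SPA redirect URIs configured).
    if (-not $app.Spa -or $app.Spa.RedirectUris.Count -eq 0) { continue }

    # Password credentials (client secrets).
    foreach ($cred in $app.PasswordCredentials) {
        [pscustomobject]@{
            DisplayName    = $app.DisplayName
            AppId          = $app.AppId
            ObjectId       = $app.Id
            CredentialType = 'Password'
            CredentialName = $cred.DisplayName
            KeyId          = $cred.KeyId
            Expires        = $cred.EndDateTime
            Expired        = ($null -ne $cred.EndDateTime -and $cred.EndDateTime -lt $now)
            RedirectUris   = ($app.Spa.RedirectUris -join '; ')
        }
    }

    # Certificate credentials (key credentials).
    foreach ($cred in $app.KeyCredentials) {
        [pscustomobject]@{
            DisplayName    = $app.DisplayName
            AppId          = $app.AppId
            ObjectId       = $app.Id
            CredentialType = 'Certificate'
            CredentialName = $cred.DisplayName
            KeyId          = $cred.KeyId
            Expires        = $cred.EndDateTime
            Expired        = ($null -ne $cred.EndDateTime -and $cred.EndDateTime -lt $now)
            RedirectUris   = ($app.Spa.RedirectUris -join '; ')
        }
    }
}

# Live credentials first; these are the ones to remove or rotate.
$findings |
    Sort-Object Expired, DisplayName, Expires |
    Format-Table DisplayName, CredentialType, CredentialName, Expires, Expired -AutoSize

# Keep a copy for tracking remediation (file name is an arbitrary choice).
$findings | Export-Csv -Path .\spa-credentials.csv -NoTypeInformation
```

Because the registration is the unit the platform check applies to, a registration that has both a SPA platform and another platform (for example a web redirect URI) is still listed; that is intentional, since the secret is reachable through the SPA regardless of which platform it was meant for. The remediation is to remove the credential from the registration and move any server-side use into a separate, confidential app registration.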
Dependencies
Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph -AllowClobber -Force
Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')
Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
'SecretCredential' = $secretCredential
'TenantId' = $tenantId
}
Connect-MgGraph @params