Function/Kudu Exposure
Description
Exposed Kudu (SCM) endpoints and misconfigured Azure Functions/App Services can leak source code, app settings (including secrets), environment variables, or allow command execution. Weak publishing credentials, enabled FTP/basic auth, and missing SCM access restrictions commonly lead to exposure.
Examples
Probe SCM Endpoint
curl -I https://<app-name>.scm.azurewebsites.net/api/settings
If the endpoint answers with content (HTTP 200) instead of requiring authentication (401/403 or a sign-in redirect), app settings may be exposed.
Review Access Restrictions and Publishing Profiles
az webapp config access-restriction show -g <rg> -n <app>
az webapp deployment list-publishing-profiles -g <rg> -n <app>
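The following script is an added example (not part of the original page) that turns the two review commands above into an offline posture check. It expects the JSON that `az webapp config access-restriction show -o json`, `az webapp config show -o json` and `az webapp config appsettings list -o json` return; the documents embedded below are constructed samples that mirror the shape of that output as I know it (`scmIpSecurityRestrictions`, `scmIpSecurityRestrictionsUseMain`, `ftpsState`, and the `name`/`value` setting list), so verify the field names against your own subscription before relying on them. It flags an SCM site whose only rule is the default allow-all, settings that look like secrets but are not Key Vault references, FTP left enabled, and interprets the status code of an unauthenticated probe of the SCM settings endpoint.

```python
"""Offline Kudu/SCM exposure posture check for an Azure App Service or Function App.

Replace the SAMPLE_* constants with real `az ... -o json` output; the samples
below are constructed for illustration.
"""
import json
import re

# Constructed sample: default SCM rule set (allow-all) as returned by
# `az webapp config access-restriction show` on an unrestricted app.
SAMPLE_ACCESS_RESTRICTIONS = json.dumps({
    "ipSecurityRestrictions": [
        {"action": "Allow", "ipAddress": "203.0.113.0/24", "name": "office", "priority": 100}
    ],
    "scmIpSecurityRestrictions": [
        {"action": "Allow", "ipAddress": "Any", "name": "Allow all", "priority": 2147483647}
    ],
    "scmIpSecurityRestrictionsUseMain": False,
})

# Constructed sample from `az webapp config show`: FTP still fully enabled.
SAMPLE_SITE_CONFIG = json.dumps({"ftpsState": "AllAllowed", "minTlsVersion": "1.2"})

# Constructed sample app settings: one plaintext secret, one Key Vault reference.
SAMPLE_APP_SETTINGS = json.dumps([
    {"name": "STORAGE_CONN", "value": "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=AAAA", "slotSetting": False},
    {"name": "DB_PASSWORD", "value": "@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/db/1)", "slotSetting": False},
    {"name": "LOG_LEVEL", "value": "info", "slotSetting": False},
])

KV_REF = re.compile(r"^@Microsoft\.KeyVault\(")
SECRET_NAME_HINT = re.compile(r"(key|secret|password|pwd|token|conn)", re.I)


def scm_restricted(access_restrictions: dict) -> bool:
    """True if the SCM site has at least one rule beyond the default allow-all.

    When scmIpSecurityRestrictionsUseMain is set, the main site's rules apply
    to the SCM site as well, so those are evaluated instead.
    """
    if access_restrictions.get("scmIpSecurityRestrictionsUseMain"):
        rules = access_restrictions.get("ipSecurityRestrictions", [])
    else:
        rules = access_restrictions.get("scmIpSecurityRestrictions", [])
    # An empty list or a lone Allow/Any rule both mean "open to the internet".
    meaningful = [r for r in rules
                  if not (r.get("action") == "Allow" and r.get("ipAddress") == "Any")]
    return bool(meaningful)


def plaintext_secrets(app_settings: list) -> list:
    """Names of settings that look like secrets but are stored inline rather
    than as Key Vault references (@Microsoft.KeyVault(...))."""
    return [s["name"] for s in app_settings
            if SECRET_NAME_HINT.search(s["name"]) and not KV_REF.match(s.get("value", ""))]


def ftp_disabled(site_config: dict) -> bool:
    """FTP/FTPS deployment is off only when ftpsState is 'Disabled'."""
    return site_config.get("ftpsState") == "Disabled"


def classify_scm_probe(status: int, location: str = "") -> str:
    """Interpret the response to an unauthenticated request against
    https://<app>.scm.azurewebsites.net/api/settings (e.g. `curl -I`).
    The redirect branch assumes the sign-in host used by Entra ID auth."""
    if status == 200:
        return "EXPOSED: settings returned without authentication"
    if status == 401:
        return "OK: authentication required"
    if status == 403:
        return "OK: blocked by access restriction"
    if status in (301, 302) and "login.microsoftonline.com" in location:
        return "OK: redirected to Entra ID sign-in"
    return f"REVIEW: unexpected status {status}"


def assess(access_json: str, config_json: str, settings_json: str) -> dict:
    """Combine the checks into one report keyed by remediation item."""
    access = json.loads(access_json)
    config = json.loads(config_json)
    settings = json.loads(settings_json)
    return {
        "scm_restricted": scm_restricted(access),
        "ftp_disabled": ftp_disabled(config),
        "plaintext_secrets": plaintext_secrets(settings),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_ACCESS_RESTRICTIONS, SAMPLE_SITE_CONFIG, SAMPLE_APP_SETTINGS), indent=2))
```

On the constructed samples the report shows the SCM site unrestricted, FTP enabled and `STORAGE_CONN` held as a plaintext secret, which maps directly onto the remediation items that follow. Basic-auth publishing credentials are not covered here because they live in a separate `basicPublishingCredentialsPolicies` resource rather than in the site config.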
Remediation
- Restrict SCM endpoint access (IP restrictions, private endpoints).
- Secure app settings: avoid secrets in App Settings; use Key Vault references and managed identity.
- Disable FTP/basic auth; rotate publish profiles; enforce AAD authentication for SCM and add access restrictions for the SCM site specifically.