Data stealing app

This app demonstrates an attack against APIs that validate the issuer and audience of an access token but do not check the permissions it actually carries: the delegated permissions in the scp claim or the application permissions in the roles claim.

It acquires an access token from another Azure AD tenant for an API registered in that tenant. The API can be single-tenant; it does not matter, because the token is requested from the API's own tenant.

It then calls the APIs in the CheckingScopesInApi solution, which you can find in this repo.

It requires three settings:

  1. The API's Azure AD tenant id
  2. The API's identifier in Azure AD (client id or App ID URI)
  3. The API URL
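The following is an added example, not code from this repo: it shows how an app-only token request for the API is built from the three settings above, and the API-side check that defeats the attack by requiring an scp or roles claim instead of trusting audience and issuer alone. All tenant, client and API identifiers, the secret, and the token payloads are constructed placeholders.

```python
"""Added example (not from the original repo): the token request the data stealing
app sends, and the authorization check an API needs to reject the resulting token.
All identifiers below are hypothetical placeholders."""
from urllib.parse import urlencode

# Hypothetical values for the three settings the README lists.
TENANT_ID = "11111111-1111-1111-1111-111111111111"             # API Azure AD tenant id
API_APP_ID_URI = "api://22222222-2222-2222-2222-222222222222"  # API identifier
API_URL = "https://api.example.test/data"                      # API URL
# The attacker's own app registration in that same tenant (hypothetical).
ATTACKER_CLIENT_ID = "33333333-3333-3333-3333-333333333333"
ATTACKER_CLIENT_SECRET = "hypothetical-client-secret"


def build_client_credentials_request(tenant_id, client_id, client_secret, api_identifier):
    """Return (url, form_body) for an app-only token request to the Azure AD v2.0
    token endpoint. Nothing is sent here; post the body with any HTTP client.
    An app that has been granted no application permissions still receives a
    token for the API; that token simply carries no roles claim."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_identifier}/.default",
    })
    return url, body


# Constructed token payloads, i.e. what the API sees after signature, issuer,
# audience and expiry validation have passed. Real tokens carry more claims.
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ATTACKER_TOKEN_CLAIMS = {"aud": API_APP_ID_URI, "iss": ISSUER, "azp": ATTACKER_CLIENT_ID}
DELEGATED_TOKEN_CLAIMS = {"aud": API_APP_ID_URI, "iss": ISSUER,
                          "scp": "Data.Read Data.Write",
                          "oid": "44444444-4444-4444-4444-444444444444"}
APP_TOKEN_CLAIMS = {"aud": API_APP_ID_URI, "iss": ISSUER, "roles": ["Data.Read.All"]}


def naive_authorize(claims, api_identifier, issuer):
    """The vulnerable check: audience and issuer only. The attacker's token passes."""
    return claims.get("aud") == api_identifier and claims.get("iss") == issuer


def authorize(claims, required_scope, required_role):
    """The fixed check. Delegated tokens carry a space-separated scp claim, app-only
    tokens carry a roles array. A token with neither grants nothing, however valid
    its issuer and audience are."""
    scopes = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    if scopes:
        return required_scope in scopes
    if roles:
        return required_role in roles
    return False


if __name__ == "__main__":
    url, body = build_client_credentials_request(
        TENANT_ID, ATTACKER_CLIENT_ID, ATTACKER_CLIENT_SECRET, API_APP_ID_URI)
    print("POST", url)
    print(body)
    for name, claims in [("attacker", ATTACKER_TOKEN_CLAIMS),
                         ("delegated", DELEGATED_TOKEN_CLAIMS),
                         ("app-only", APP_TOKEN_CLAIMS)]:
        print(f"{name}: naive={naive_authorize(claims, API_APP_ID_URI, ISSUER)}"
              f" fixed={authorize(claims, 'Data.Read', 'Data.Read.All')}")
```

The attacker's token fails `authorize` only because the API insists on a permission claim; audience and issuer checks alone cannot distinguish it from a legitimate app-only token. A second, defence-in-depth control is to set "User assignment required" on the API's enterprise application in Azure AD, which makes the token endpoint refuse client credentials requests from apps that hold no app role assignment.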