Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Determine risky permissions assignable from both Microsoft Graph and other APIs #1397

Closed
2 tasks done
mitchelbaker-cisa opened this issue Nov 2, 2024 · 2 comments · Fixed by #1462
Closed
2 tasks done

Determine risky permissions assignable from both Microsoft Graph and other APIs #1397

mitchelbaker-cisa opened this issue Nov 2, 2024 · 2 comments · Fixed by #1462
Assignees
@mitchelbaker-cisa
Labels
analysis-required This issue requires review or analysis work to complete
Milestone
Lionfish

Comments

@mitchelbaker-cisa
Copy link
Collaborator

mitchelbaker-cisa commented Nov 2, 2024
edited
Loading

💡 Summary

Permissions like Sites.FullControl.All are covered in both Graph and the SharePoint API. Another example is Mail.ReadWrite which is assignable from Graph and Office 365 Exchange Online.

ScubaGear should catch a risky permissions regardless if it was assigned through Graph, another API, or vice versa.

(Resource App ID is in reference to the SharePoint API)
Image

Motivation and context

Relates to the epic #1073 and ongoing work in #1327.

Implementation notes

The majority of risky API permissions in this list are pulled from MS Graph. Verify if MS Graph permissions are included as a subset in other Microsoft APIs.

Some initial APIs to investigate further:

  • SharePoint APIs
  • Office 365 Exchange Online
  • Office 365 Management APIs

Acceptance criteria

How do we know when this work is done?

  • For each API permission, determine if the permission can be assigned from other APIs. Take note of duplicate permissions in this issue.
  • Duplicates are communicated with the development team and the API permissions list is updated accordingly.
@mitchelbaker-cisa mitchelbaker-cisa mentioned this issue Oct 22, 2024
Open
4 tasks
@mitchelbaker-cisa mitchelbaker-cisa self-assigned this Nov 2, 2024
@schrolla schrolla added this to the Kraken milestone Nov 4, 2024
@mitchelbaker-cisa
Copy link
Collaborator Author

Office 365 Exchange Online:

  • User.ReadBasic.All
  • User.Read.All
  • Mail.ReadWrite
  • Mail.Send
  • MailboxSettings.Read
  • MailboxSettings.ReadWrite
  • Calendars.Read
  • Calendars.Read.All
  • Calendars.ReadWrite.All
  • Contacts.Read
  • Contacts.ReadWrite

@mitchelbaker-cisa
Copy link
Collaborator Author

mitchelbaker-cisa commented Dec 13, 2024
edited
Loading

Investigate Azure Active Directory Graph API:

Image

Overlapping permissions:

  • Application.Read.All
  • Application.ReadWrite.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • Policy.Read.All

@schrolla schrolla modified the milestones: Kraken, Lionfish Dec 19, 2024
@mitchelbaker-cisa mitchelbaker-cisa mentioned this issue Jan 24, 2025
Merged
21 tasks
@schrolla schrolla added the analysis-required This issue requires review or analysis work to complete label Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mitchelbaker-cisa mitchelbaker-cisa

Labels
analysis-required This issue requires review or analysis work to complete
Projects
None yet
Milestone
Lionfish
Development

Successfully merging a pull request may close this issue.

Add high risk application/service principal permissions into ScubaResults.json cisagov/ScubaGear
2 participants
@schrolla @mitchelbaker-cisa