Hiado: Cross-projects Repository permissions enumeration Tool for Azure DevOps
Hiado
Cross-projects Repository permissions enumeration Tool for Azure DevOps
What does Hiado do?
Hiado is a Python script that helps you enumerate information about the repositories your organization manages within Azure DevOps. Particular focus is given to the enumeration of the permissions a specific user has, these can be:
- Bypass policies when completing pull requests
- Bypass policies when pushing
- Contribute
- Contribute to pull requests
- Create branch
- Create tag
- Delete or disable the repository
- Edit policies
- Force push
- Manage permissions
- Read
- Remove others lock
- Rename repository
Hiado also supports extra checks/filter:
- the repository is used by a given pipeline
- enumeration of the “trigger” and “azureSubscription” parameters. An example output is:
How does Hiado do this?
Hiado makes use of some “undocumented” Azure DevOps APIs. These APIs are used by Azure DevOps web, hence after I spent some time proxying HTTP requests, I could figure out a chain of calls that would give me the list of the permissions an authenticated user has on a specific repository:
[pastacode lang=”markup” manual=”POST%20%2F%7BORGANIZATION%7D%2F_apis%2FContribution%2FHierarchyQuery%20HTTP%2F2%0AHost%3A%20dev.azure.com%0ACookie%3A%20UserAuthentication%3D%5B…%5D%3B%0AUser-Agent%3A%20Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20×64%3B%20rv%3A122.0)%20Gecko%2F20100101%20Firefox%2F122.0%0AAccept%3A%20application%2Fjson%3Bapi-version%3D5.0-preview.1%3BexcludeUrls%3Dtrue%3BenumsAsNumbers%3Dtrue%3BmsDateFormat%3Dtrue%3BnoArrayWrap%3Dtrue%0AAccept-Language%3A%20en-US%2Cen%3Bq%3D0.5%0AAccept-Encoding%3A%20gzip%2C%20deflate%2C%20br%0AContent-Type%3A%20application%2Fjson%0AOrigin%3A%20https%3A%2F%2Fdev.azure.com%0A%0A%7B%22contributionIds%22%3A%5B%22ms.vss-admin-web.security-view-permissions-data-provider%22%5D%2C%22dataProviderContext%22%3A%7B%22properties%22%3A%7B%22subjectDescriptor%22%3A%22%22%2C%22permissionSetId%22%3A%22%22%2C%22permissionSetToken%22%3A%22repoV2%2F%2F%22%2C%22accountName%22%3A%22%22%7D%7D%7D%7D” message=”” highlight=”” provider=”manual”/]
Install
git clone https://github.com/oldboy21/Hiado.git
cd Hiado
pip3 install -r requirements.txt
Use
The permissions can be checked against three different lists (option -ip) defined as follows:
[pastacode lang=”markup” manual=”full_permissions_list%20%3D%20%5B%0A%20%20%20%20%22Contribute%22%2C%0A%20%20%20%20%22Create%20branch%22%2C%0A%20%20%20%20%22Edit%20policies%22%2C%0A%20%20%20%20%22Manage%20permissions%22%2C%0A%20%20%20%20%22Bypass%20policies%20when%20pushing%22%2C%0A%20%20%20%20%22Bypass%20policies%20when%20completing%20pull%20requests%22%2C%0A%20%20%20%20%22Contribute%20to%20pull%20requests%22%2C%0A%20%20%20%20%22Create%20tag%22%2C%0A%20%20%20%20%22Delete%20or%20disable%20repository%22%2C%0A%20%20%20%20%22Force%20push%20(rewrite%20history%2C%20delete%20branches%20and%20tags)%22%2C%0A%20%20%20%20%22Manage%20notes%22%2C%0A%20%20%20%20%22Read%22%2C%0A%20%20%20%20%22Remove%20others’%20locks%22%2C%0A%20%20%20%20%22Rename%20repository%22%2C%0A%5D%0A%0Ainteresting_permissions_list_wide%20%3D%20%5B%0A%20%20%20%20%22Contribute%22%2C%0A%20%20%20%20%22Create%20branch%22%2C%0A%20%20%20%20%22Edit%20policies%22%2C%0A%20%20%20%20%22Manage%20permissions%22%2C%0A%20%20%20%20%22Bypass%20policies%20when%20pushing%22%2C%0A%5D%0A%0Ainteresting_permissions_list%20%3D%20%5B%0A%09%22Contribute%22%2C%20%0A%09%22Create%20branch%22%2C%20%0A%09%22Manage%20permissions%22%0A%5D” message=”” highlight=”” provider=”manual”/]
Be sure you use a valid UserAuthentication cookie, you can find it in your browser after you have successfully authenticated. Unfortunately, the “undocumented” APIs do not support authentication via PAT (personal access token)
Copyright (C) 2024 oldboy21
Source: https://github.com/oldboy21/
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
