H3-2026-0032
Azure App Service SCM/Kudu Basic Authentication Enabled

| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.1 |
Description
This weakness arises when an Azure App Service has basic authentication enabled for the SCM (Source Control Management)/Kudu deployment engine. The SCM site exposes deployment tools, application logs, the file system, a debug console, and source control management. Basic authentication relies on static username/password deployment credentials, which are exposed to brute-force attacks, credential stuffing, and interception. For stronger security, Azure AD (Active Directory) authentication should be used for the SCM site instead, with basic publishing credentials disabled.
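The following detection helper is an added example and is not part of the original advisory or of any Microsoft tooling. It evaluates the `basicPublishingCredentialsPolicies` child resources of a Web App (the `scm` and `ftp` policies, whose `properties.allow` flag controls basic publishing credentials) and emits the Azure CLI remediation command that Microsoft's documentation gives for disabling them. The policy JSON, the resource group name and the app name `contoso-web` are constructed sample values so the check runs offline.

```python
"""Flag Azure App Service publishing endpoints that still allow basic auth.

Added example, not the advisory's own tooling. Input is the JSON that
`az resource show --namespace Microsoft.Web
   --resource-type basicPublishingCredentialsPolicies --parent sites/<app>
   --name scm` (and `--name ftp`) returns; it is embedded here as a
constructed sample so the check runs without an Azure subscription.
"""
import json

# Constructed sample output for a hypothetical app "contoso-web".
# Real responses carry more fields (id, location, etc.); only "name" and
# "properties.allow" matter for this check.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "scm",
   "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
   "properties": {"allow": true}},
  {"name": "ftp",
   "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
   "properties": {"allow": false}}
]
""")

# Endpoints governed by basicPublishingCredentialsPolicies. The advisory
# scores the SCM/Kudu endpoint; FTP is its sibling policy and is reported
# too so a remediation does not leave the second basic-auth door open.
PUBLISHING_ENDPOINTS = ("scm", "ftp")


def remediation_command(resource_group: str, app_name: str, endpoint: str) -> str:
    """Azure CLI command, as documented by Microsoft, that sets allow=false."""
    return (
        "az resource update"
        f" --resource-group {resource_group}"
        f" --name {endpoint}"
        " --namespace Microsoft.Web"
        " --resource-type basicPublishingCredentialsPolicies"
        f" --parent sites/{app_name}"
        " --set properties.allow=false"
    )


def find_basic_auth_findings(policies, resource_group: str, app_name: str):
    """Return one finding per publishing endpoint whose basic auth is allowed.

    A policy is a finding only when properties.allow is literally true;
    a missing policy resource is not treated as a finding here, because
    the CLI call for it would have failed rather than returned JSON.
    """
    findings = []
    for policy in policies:
        endpoint = policy.get("name")
        allow = policy.get("properties", {}).get("allow")
        if endpoint in PUBLISHING_ENDPOINTS and allow is True:
            findings.append({
                "app": app_name,
                "endpoint": endpoint,
                "rule": "H3-2026-0032" if endpoint == "scm" else "related-ftp-basic-auth",
                "remediation": remediation_command(resource_group, app_name, endpoint),
            })
    return findings


if __name__ == "__main__":
    for finding in find_basic_auth_findings(SAMPLE_POLICIES, "rg-sample", "contoso-web"):
        print(f"[{finding['rule']}] {finding['app']}/{finding['endpoint']}: basic auth allowed")
        print(f"  fix: {finding['remediation']}")
```

To run it against a real app, replace `SAMPLE_POLICIES` with the parsed output of the two `az resource show` calls named in the module docstring; the remediation command is the one Microsoft documents for disabling basic publishing credentials, and after applying it the same check should return no findings for that endpoint.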
Impact
Basic authentication to the SCM site enables attackers to brute-force deployment credentials, gaining access to: application source code and configuration files, deployment history and secrets, file system with write access, debug console for command execution, and application logs containing sensitive data. Compromised SCM access can lead to complete application takeover and persistent backdoor installation.
References
- Microsoft Docs: Disable basic authentication in App Service deployments
- Microsoft Docs: Kudu service overview
- Microsoft Docs: Security recommendations for App Service
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-521: Weak Password Requirements
- MITRE ATT&CK Technique: T1110: Brute Force
- MITRE ATT&CK Technique: T1078: Valid Accounts