f

carlospolop · carlospolop · commit c0514030e2b8 · 2026-03-02T19:05:27.000+01:00
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
@@ -355,7 +355,7 @@ curl http://169.254.169.254/metadata/v1.json | jq
 >
 > Therefore, to find all the attached MIs you can do:
 >
-> - Get **attached identities with az cli** (if you have already compromised a principal in the Azure tenant)
+> - Get **attached identities with az cli** (if you have already compromised a principal in the Azure tenant with the permission `Microsoft.Compute/virtualMachines/read`)
 >
 > ```bash
 > az vm identity show \
@@ -386,7 +386,7 @@ curl http://169.254.169.254/metadata/v1.json | jq
 >  "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/$VM_NAME?api-version=$API_VERSION" | jq
 > ```
 >
-> - **Get all** the defined managed identities in the tenant and **brute force** to see if any of them is attached to the VM:
+> - **Get all** the defined managed identities in the tenant and **brute force** to see if any of them is attached to the VM (the permission `Microsoft.ManagedIdentity/userAssignedIdentities/read` is needed):
 >
 > ```bash
 > az identity list

Original file line number	Diff line number	Diff line change
`@@ -355,7 +355,7 @@ curl http://169.254.169.254/metadata/v1.json \| jq`
`355`	`355`	`>`
`356`	`356`	`> Therefore, to find all the attached MIs you can do:`
`357`	`357`	`>`
`358`		`-> - Get attached identities with az cli (if you have already compromised a principal in the Azure tenant)`
	`358`	+> - Get attached identities with az cli (if you have already compromised a principal in the Azure tenant with the permission `Microsoft.Compute/virtualMachines/read`)
`359`	`359`	`>`
`360`	`360`	> ```bash
`361`	`361`	`> az vm identity show \`
`@@ -386,7 +386,7 @@ curl http://169.254.169.254/metadata/v1.json \| jq`
`386`	`386`	`> "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/$VM_NAME?api-version=$API_VERSION" \| jq`
`387`	`387`	> ```
`388`	`388`	`>`
`389`		`-> - Get all the defined managed identities in the tenant and brute force to see if any of them is attached to the VM:`
	`389`	+> - Get all the defined managed identities in the tenant and brute force to see if any of them is attached to the VM (the permission `Microsoft.ManagedIdentity/userAssignedIdentities/read` is needed):
`390`	`390`	`>`
`391`	`391`	> ```bash
`392`	`392`	`> az identity list`