
Pentesting PowerApps

Power Apps falls into the category of no-code/low-code solutions. It is Microsoft's platform for developing applications: the app is built in a Power Apps environment that takes care of everything needed for your code to run everywhere.

Power Apps lets your application connect to almost anything and offers a great deal of customization.

Power Apps developed in the Power Platform environment and published for use by internal and external users are often critical to the organization.

They enable key business processes, use and interface with highly sensitive business data, and integrate with multiple data sources and applications. As a result they become the gateway from the cloud to the organization's most sensitive business applications.

Basics on PowerApps

Power Apps is a collection of services, apps, and connectors that work together to let you do much more than just view your data. You can act on your data and update it anywhere and from any device.

Power Apps Home Page: If you are building an app, you'll start with the Power Apps Home Page. You can build apps from sample apps, templates, or a blank screen.

Power Apps Studio: Power Apps Studio is where you can fully develop your apps to make them more effective as a business tool and to make them more attractive:

  • Left pane - Shows a hierarchical view of all the controls on each screen or a thumbnail for each screen in your app.
  • Middle pane - Shows the canvas app that you're working on.
  • Right pane - Where you set options such as the layout, properties, and data sources for certain controls.

Microsoft Power Platform admin center: Microsoft Power Platform admin center is the centralized place for managing Power Apps for an organization. On this site, you can define and manage different environments to house the apps. For example, you might have separate environments for development and production apps. Additionally, you can define data connections and manage environment roles and data policies.

Simple data application

You just need to connect a spreadsheet that contains a table; what you actually connect is the table. Power Apps keeps your application in sync by adding an id column to the table in your spreadsheet.

Your new app will have three components:

  • Listing page screen.
  • Details screen.
  • CRUD operations on records: edit record, add new record, delete record.

Each item/record corresponds to a row of your connected spreadsheet. A Gallery is a representation of a list of records pulled from a connected table.

Saving the application: by default Microsoft auto-saves your app, but only after you have saved it manually for the first time.

The Tree view displays all the screens of your application. Under each screen you have the elements that compose that screen. Elements can have sub-elements.

Properties

Elements have properties. Properties can be set statically or dynamically. Dynamically set properties make it possible for users to update values, or for things like resizing an element based on the screen height.

// References the column with this name in the connected spreadsheet
ThisItem.HeadingColumnName

// References the value entered in that element
NameofElement.Default

Additionally, you have formatting functions, like for instance the Text function, that can be applied to a property (dynamically or statically established).

// Format the element as mm/dd/yyyy
Text(ThisItem.HeadingColumnName, "mm/dd/yyyy")

// Concatenate elements
Concatenate(ThisItem.HeadingColumnName, ThisItem.HeadingColumnName2)
// For instance: Concatenate(ThisItem.FirstName, ThisItem.LastName)

Concatenate(NameofElement.Default, NameofElement2.Default)
// For instance: Concatenate(First_Name_Card.Default, Last_Name_Card.Default)

A data card has a property called Update. This is useful in forms and user input: what you finally submit to the database is not the raw input but the result of that input after the Update transformation has been applied.

When you click the check mark, the form uses the Update property of each data card and submits those values to the underlying data source.

More properties:

  • DisplayMode. This can be set to View, Edit, etc. You can granularly set the property of a single element to View (so no editing is possible), or set it on the parent element.

Triggers

Elements have properties and triggers. A trigger is an action that a user performs on an element. They are quite similar to event handlers in JavaScript (onload, onselect, ...).

Configuring a trigger: you select an element (button), set the action you want (onclick) and the function you want to assign to it (submit). Multiple actions can be separated with ";".

Triggers help you build the functionality of your application. For instance, in this basic app, navigation from one screen to another is actioned with a Navigate trigger. Or, for instance, starting the application is a trigger itself.

Formulas and functions

Formula Reference for PowerApps

Canvas application

Building an application from scratch.

A common practice is to have a master screen and a documentation screen. First, create a master screen that will be used as a template for the rest of the screens in your application. Second, create a screen named Documentation. The master screen is where you create the elements of your app; the Documentation screen is where you assign styles to those elements. Master screen elements will reference the Documentation screen.

Variables in Power Apps are different from variables in programming languages. There are 3 types:

  • Context variables: only active while you are on the screen where they were created.
  • Global variables: accessible from all screens in the application.
  • Collections.

How to set up a context variable: select an element on the screen, select "OnSelect" and add the function:

UpdateContext({FirstNumber: TextInput.Text})
// When the element (for instance an input field) is selected, this creates a variable called FirstNumber and assigns it the value of the input field you referenced

How to set up a global variable: by using the Set function.

Set(CounterGlobal, CounterGlobal+1)

Collections are useful for data tables and galleries.

Example: create a button and on its OnSelect add this function:

Collect(OurCollection, {First: "Ben", Second: "Dover"})
// This creates a collection called OurCollection with two columns, First and Second. The first record has "Ben" in the First column and "Dover" in the Second column.

Create a Gallery and, as its data source, add your collection. This way, every time you click the button you add a card with "Ben" and "Dover" to the gallery. Of course you can replace those two static strings with references to input fields (without quotes, otherwise the control names are stored as literal text):

Collect(OurCollection, {First: TextInput4.Text, Second: TextInput5.Text})

To remove an item from a collection, add an icon button for removing it and, on its OnSelect:

Remove(OurCollection, ThisItem)

Filtering the cards displayed in a gallery. Select the gallery, and in OnSelect:

Search(NameOfTable, <TextToSearch>, <ColumnsToSearchInTable>)

// For example, to display all cards in the connected table "Table1":
Search(Table1, "", "FirstName")

// To make it depend on the user's input, create an input field and:
Search(Table1, TextInput1.Text, "FirstName", "LastName", "Location")

Only show the search input when someone clicks on the search icon:

  • Set the search input box's Visible property to false by default.
  • Insert a magnifier icon. OnSelect:

    UpdateContext({SearchVisible: true})

  • Modify the search input field. Visible:

    SearchVisible

To set SearchVisible back to false (hiding the search input field again), modify the magnifier icon's OnSelect so that it toggles the variable:

```
UpdateContext({SearchVisible: !SearchVisible})
```

Another interesting formula is Filter.

// An example of a multi-layered function combining Filter and Search. Create a dropdown menu > Items:
Filter(Search(Table1, TextInput1.Text, "FirstName", "LastName", "Location"), VIPLevel = Dropdown.Selected.Value)

Also SubmitForm, which aggregates all the updates in a form control and submits the form.

SubmitForm(FormName)

Well-known vulnerabilities (under construction)

Data exposure

https://rencore.com/en/blog/how-to-prevent-the-next-microsoft-power-apps-data-leak-from-happening

From https://dev.to/wyattdave/ive-just-been-hacked-by-a-power-app-1fj4

Not using Service accounts

The security issue is all around how the Power Platform handles credentials, with each user/owner signing in and storing their credentials in connections. Meaning that if you share a flow created with your user, you are sharing your connections (aka credentials).

One way to prevent this issue is by using service accounts.

Sharing flows

If you need to share a flow:

  • use "Send a copy", or
  • share the flow as a run-only user (as that requires their own credentials).

Configuring connections to the least privilege

When configuring a flow, don't include additional, unnecessary connections in any flow. Because of how Power Apps works, this situation may happen:

A connection set to the highest privilege (you share a connection to read a calendar and you also give write access to emails).

This has its strengths, as all credentials are securely stored and accessing apps/running flows is easy as the Power Platform handles everything. The problem comes when you share flows, as what you might not realise is you are sharing your connections (aka credentials) with that user. They may not be able to see your credentials, but that doesn't mean they can't use them in a way that you didn't want. And what's worse is there is no granularity in connections, so an Outlook connection used for reading events can be used to delete emails.

Protecting PowerApps with Microsoft Sentinel

As the Power Platform is part of the Microsoft offering, Microsoft Sentinel addresses many of its security issues:

  • Collect Microsoft Power Platform and Power Apps activity logs, audits, and events into the Microsoft Sentinel workspace.
  • Detect execution of suspicious, malicious, or illegitimate activities within Microsoft Power Platform and Power Apps.
  • Investigate threats detected in Microsoft Power Platform and Power Apps and contextualize them with additional user activities across the organization.
  • Respond to Microsoft Power Platform-related and Power Apps-related threats and incidents in a simple and canned manner manually, automatically, or via a predefined workflow.

Data connectors for Microsoft Sentinel

| Connector name | Covered logs / inventory |
|---|---|
| Power Platform Inventory (using Azure Functions) | Power Apps and Power Automate inventory data |
| Microsoft Power Apps (Preview) | Power Apps activity logs |
| Microsoft Power Automate (Preview) | Power Automate activity logs |
| Microsoft Power Platform Connectors (Preview) | Power Platform connector activity logs |
| Microsoft Power Platform DLP (Preview) | Data loss prevention activity logs |
| Dynamics365 | Dataverse and model-driven apps activity logging |

Sentinel rules for protecting PowerApps platform:

| Rule name | What does it detect? |
|---|---|
| PowerApps - App activity from unauthorized geo | Identifies Power Apps activity from countries in a predefined list of unauthorized countries. |
| PowerApps - Multiple apps deleted | Identifies mass delete activity where multiple Power Apps are deleted within a period of 1 hour, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments. |
| PowerApps - Data destruction following publishing of a new app | Identifies a chain of events where a new app is created or published, followed by mass update or delete events in Dataverse within 1 hour. The incident severity is raised if the app publisher is on the list of users in the TerminatedEmployees watchlist template. |
| PowerApps - Multiple users accessing a malicious link after launching new app | Identifies a chain of events where a new Power App is created, followed by multiple users launching the app within the detection window and clicking on the same malicious URL. |
| PowerAutomate - Departing employee flow activity | Identifies instances where an employee who has been notified or is already terminated creates or modifies a Power Automate flow. |
| PowerPlatform - Connector added to a Sensitive Environment | Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments. |
| PowerPlatform - DLP policy updated or removed | Identifies changes to DLP policy, specifically policies which are updated or removed. |
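To make the rule descriptions concrete, here is a Python sketch of four of them run over a handful of constructed activity events. This is an added example, not Microsoft's rule logic or the KQL shipped with the Sentinel solution: the record fields (time, operation, user, environment, target), the operation names and the watchlist are assumptions of the example rather than any connector's real schema, and the two chain rules are simplified to a per-user count threshold and to Dataverse deletes only.

```python
"""Toy re-implementations of four of the Sentinel rules listed above.

Added example, not Microsoft's rule logic. The events are constructed
records, not real Power Platform activity-log rows; the field names
(time, operation, user, environment, target) and the operation names are
assumptions of this example, not any connector's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, UTC, not a real log export.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "operation": "PublishApp",       "user": "bob@example.com",   "environment": "Default-env",  "target": "app-42"},
    {"time": "2024-01-10T09:20:00", "operation": "DataverseDelete",  "user": "bob@example.com",   "environment": "Default-env",  "target": "accounts"},
    {"time": "2024-01-10T09:21:00", "operation": "DataverseDelete",  "user": "bob@example.com",   "environment": "Default-env",  "target": "contacts"},
    {"time": "2024-01-10T09:22:00", "operation": "DataverseDelete",  "user": "bob@example.com",   "environment": "Default-env",  "target": "leads"},
    {"time": "2024-01-10T10:00:00", "operation": "DeleteApp",        "user": "alice@example.com", "environment": "Default-env",  "target": "app-1"},
    {"time": "2024-01-10T10:10:00", "operation": "DeleteApp",        "user": "alice@example.com", "environment": "Finance-prod", "target": "app-2"},
    {"time": "2024-01-10T10:40:00", "operation": "DeleteApp",        "user": "alice@example.com", "environment": "Default-env",  "target": "app-3"},
    {"time": "2024-01-10T13:00:00", "operation": "DeleteApp",        "user": "carol@example.com", "environment": "Default-env",  "target": "app-9"},
    {"time": "2024-01-10T14:00:00", "operation": "CreateConnection", "user": "carol@example.com", "environment": "Finance-prod", "target": "shared_sql"},
    {"time": "2024-01-10T15:00:00", "operation": "DeletePolicy",     "user": "dave@example.com",  "environment": "tenant",       "target": "Block-external-connectors"},
]

SENSITIVE_ENVIRONMENTS = {"Finance-prod"}
TERMINATED_EMPLOYEES = {"bob@example.com"}  # stand-in for the TerminatedEmployees watchlist
ONE_HOUR = timedelta(hours=1)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_mass_app_deletion(events, threshold=3, window=ONE_HOUR):
    """PowerApps - Multiple apps deleted: one user deletes >= threshold apps
    within `window`. The environments touched are carried into the alert so
    an analyst can see whether the deletes spanned several environments."""
    per_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["operation"] == "DeleteApp":
            per_user[e["user"]].append(e)
    alerts = []
    for user, deletes in per_user.items():
        start = 0
        for end in range(len(deletes)):
            # Sliding window over this user's time-ordered deletes.
            while _ts(deletes[end]) - _ts(deletes[start]) > window:
                start += 1
            hit = deletes[start:end + 1]
            if len(hit) >= threshold:
                alerts.append({"rule": "Multiple apps deleted", "user": user, "count": len(hit),
                               "environments": sorted({d["environment"] for d in hit})})
                break  # one alert per user is enough here
    return alerts


def detect_data_destruction_after_publish(events, threshold=3, window=ONE_HOUR,
                                          terminated=TERMINATED_EMPLOYEES):
    """PowerApps - Data destruction following publishing of a new app: a
    PublishApp followed within `window` by >= threshold Dataverse deletes by
    the same user. Severity is raised if the publisher is on the watchlist."""
    ordered = sorted(events, key=_ts)
    alerts = []
    for i, e in enumerate(ordered):
        if e["operation"] != "PublishApp":
            continue
        deletes = [f for f in ordered[i + 1:]
                   if f["operation"] == "DataverseDelete" and f["user"] == e["user"]
                   and _ts(f) - _ts(e) <= window]
        if len(deletes) >= threshold:
            alerts.append({"rule": "Data destruction following publishing of a new app",
                           "user": e["user"], "app": e["target"], "deletes": len(deletes),
                           "severity": "High" if e["user"] in terminated else "Medium"})
    return alerts


def detect_connector_in_sensitive_env(events, sensitive=SENSITIVE_ENVIRONMENTS):
    """PowerPlatform - Connector added to a Sensitive Environment."""
    return [{"rule": "Connector added to a Sensitive Environment", "user": e["user"],
             "environment": e["environment"], "connector": e["target"]}
            for e in events
            if e["operation"] == "CreateConnection" and e["environment"] in sensitive]


def detect_dlp_policy_change(events):
    """PowerPlatform - DLP policy updated or removed."""
    return [{"rule": "DLP policy updated or removed", "user": e["user"],
             "operation": e["operation"], "policy": e["target"]}
            for e in events if e["operation"] in {"UpdatePolicy", "DeletePolicy"}]


def run_all(events):
    """Run every detection and return the combined alert list."""
    return (detect_mass_app_deletion(events) + detect_data_destruction_after_publish(events)
            + detect_connector_in_sensitive_env(events) + detect_dlp_policy_change(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The sliding window in detect_mass_app_deletion is the piece worth keeping when porting this to KQL: the threshold is evaluated per user against the deletes of the last hour, and the set of environments touched is carried into the alert so the analyst sees at a glance whether the deletes crossed environment boundaries. On the sample data alice trips the mass-delete rule (three deletes in 40 minutes across two environments), bob's publish-then-delete chain is raised to High because he is on the watchlist, and carol's single connector creation in Finance-prod and dave's policy removal each produce one alert.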

Attacks

Install m365 CLI.

Enumeration techniques

Get information about the default Power Apps environment.

m365 pa environment get  

List Microsoft Power Apps environments in the current tenant

m365 pa environment list 

List all available apps for that user

m365 pa app list  

List all apps in an environment as Admin

m365 pa app list --environmentName 00000000-0000-0000-0000-000000000000 --asAdmin  

Remove an app

m365 pa app remove --name 00000000-0000-0000-0000-000000000000  

Removes the specified Power App without confirmation

m365 pa app remove --name 00000000-0000-0000-0000-000000000000 --force  

Removes the specified Power App even if you don't own it (as admin)

m365 pa app remove --name 00000000-0000-0000-0000-000000000000 --environmentName Default-00000000-0000-0000-0000-000000000000 --asAdmin

Add an owner without removing the old one

m365 pa app owner set --environmentName 00000000-0000-0000-0000-000000000000 --appName 00000000-0000-0000-0000-000000000000 --userId 00000000-0000-0000-0000-000000000000 --roleForOldAppOwner CanEdit  

Export an app

m365 pa app export --environmentName 00000000-0000-0000-0000-000000000000 --name 00000000-0000-0000-0000-000000000000 --packageDisplayName "PowerApp" --packageDescription "Power App Description" --packageSourceEnvironment "Pentesting" --path ~/Documents
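From the defender's side, the same admin enumeration is what you use to keep an inventory baseline. The following is an added example, not part of the CLI for Microsoft 365 project: it builds the per-environment `m365 pa app list --asAdmin --output json` commands and diffs two stored snapshots to surface removed apps, new apps and owner changes (the three things the remove and owner set commands above would cause). The snapshots are constructed, and the record shape they follow (name, properties.displayName, properties.owner.email, properties.environment.name) is an assumption of the example that should be verified against the JSON the installed CLI version actually prints.

```python
"""Change audit of a Power Apps inventory gathered with the CLI for Microsoft 365.

Added example, not part of the m365 CLI project. The two snapshots below are
constructed. Their record shape (name, properties.displayName,
properties.owner.email, properties.environment.name) is an assumption
modelled on `m365 pa app list --asAdmin --output json` and must be checked
against the installed CLI version before use.
"""
import json


def inventory_commands(environment_names):
    """One admin app-list command per environment, with JSON output for parsing."""
    return [f"m365 pa app list --environmentName {env} --asAdmin --output json"
            for env in environment_names]


ENV = "Default-00000000-0000-0000-0000-000000000000"  # placeholder environment name


def _app(app_id, display, owner, env=ENV):
    # Builds one record in the assumed shape of the CLI's JSON output.
    return {"name": app_id, "properties": {"displayName": display,
                                           "owner": {"email": owner},
                                           "environment": {"name": env}}}


# Constructed earlier snapshot (what the previous audit run stored).
PREVIOUS_JSON = json.dumps([
    _app("11111111-1111-1111-1111-111111111111", "Expense Claims", "alice@example.com"),
    _app("22222222-2222-2222-2222-222222222222", "Payroll Review", "bob@example.com", "Finance-prod"),
    _app("33333333-3333-3333-3333-333333333333", "Visitor Log", "carol@example.com"),
])
# Constructed current snapshot: app 1 is gone, app 2 changed owner, app 4 is new.
CURRENT_JSON = json.dumps([
    _app("22222222-2222-2222-2222-222222222222", "Payroll Review", "mallory@example.com", "Finance-prod"),
    _app("33333333-3333-3333-3333-333333333333", "Visitor Log", "carol@example.com"),
    _app("44444444-4444-4444-4444-444444444444", "Bulk Export", "eve@example.com"),
])


def index_by_app(snapshot_json):
    """Flatten a snapshot into {app id: {display, owner, environment}}."""
    out = {}
    for app in json.loads(snapshot_json):
        props = app.get("properties", {})
        out[app["name"]] = {
            "display": props.get("displayName", ""),
            "owner": props.get("owner", {}).get("email", "").lower(),
            "environment": props.get("environment", {}).get("name", ""),
        }
    return out


def diff_inventory(previous_json, current_json):
    """Report removed apps, new apps and owner changes between two snapshots."""
    prev, cur = index_by_app(previous_json), index_by_app(current_json)
    findings = []
    for app_id in prev.keys() - cur.keys():
        findings.append({"change": "removed", "app": app_id, **prev[app_id]})
    for app_id in cur.keys() - prev.keys():
        findings.append({"change": "added", "app": app_id, **cur[app_id]})
    for app_id in prev.keys() & cur.keys():
        if prev[app_id]["owner"] != cur[app_id]["owner"]:
            findings.append({"change": "owner_changed", "app": app_id,
                             "from": prev[app_id]["owner"], "to": cur[app_id]["owner"],
                             "environment": cur[app_id]["environment"]})
    # Deterministic order: by change type, then app id.
    return sorted(findings, key=lambda f: (f["change"], f["app"]))


if __name__ == "__main__":
    for cmd in inventory_commands([ENV, "Finance-prod"]):
        print("#", cmd)
    for finding in diff_inventory(PREVIOUS_JSON, CURRENT_JSON):
        print(finding)
```

Run the commands once per environment, store the JSON, and diff the next run against it. An owner change on an app in a production environment, or an app disappearing outside a change window, is the kind of finding that should become a ticket or be forwarded to Sentinel as a custom log entry so it can be correlated with the activity-log rules above.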
Last update: 2024-01-10
Created: December 4, 2023 20:03:02