admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-02 08:43:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba03e54063a94de8155adf476dc07e5b39bca341
nuclei-templates/cloud/gcp/api/gcloud-api-key-unrestricted.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

72 lines
2.3 KiB
YAML
Raw Blame History

id: gcloud-api-key-unrestricted
info:
name: Unrestricted API Key Usage
author: princechaddha
severity: medium
description: |
Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.
impact: |
API keys without restrictions can be used unrestrictedly, which might lead to unauthorized access and misuse, potentially exposing sensitive data or services.
remediation: |
Apply restrictions to all production API keys to specify the allowed websites, IP addresses, or mobile applications that can use each key, to mitigate potential abuse.
reference:
- https://cloud.google.com/docs/authentication/api-keys#restricting_api_keys
tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let uid of iterate(template.uids)){
set("uid", uid)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud alpha services api-keys list --project $projectId --format="json(uid)"
extractors:
- type: json
name: uids
internal: true
json:
- '.[].uid'
- engine:
- sh
- bash
source: |
gcloud alpha services api-keys describe $uid --format="json(restrictions)"
matchers:
- type: word
words:
- 'null'
extractors:
- type: dsl
dsl:
- '"Unrestricted API Key: " + uid + " in Project: " + projectId'
# digest: 4a0a00473045022100d1751d133cbe1cb508355fb6acc6fb0d51094a8c42db864114772bfce2fd382a022022cb36fbfcf3f8b8ef22cd8a428104f85035cc421437b2e735f221396b39c224:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink