admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-10 12:43:29 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e2e9901bf9ec94de03e5ed7490847aac0ccbc598
nuclei-templates/cloud/azure/apimanagement/azure-apim-https-enforcement-missing.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

82 lines
2.4 KiB
YAML
Raw Blame History

id: azure-apim-https-enforcement-missing
info:
name: Azure API Management HTTPS Enforcement Not Configured
author: princechaddha
severity: high
description: |
Ensure that your Azure API Management APIs are configured to enforce HTTPS for all API calls in order to provide secure, encrypted communication, protect data integrity, user privacy, and comply with industry standards.
impact: |
Failure to enforce HTTPS can expose API calls to interception and manipulation, potentially leading to data breaches and compliance issues.
remediation: |
Configure all Azure API Management APIs to enforce HTTPS by setting the URL scheme to "https" only in the API settings.
reference:
- https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-secure-backend
tags: cloud,devops,azure,microsoft,apim,azure-cloud-config
flow: |
code(1);
for (let Service of iterate(template.serviceList)) {
Service = JSON.parse(Service);
set("servicename", Service.name);
set("resourcegroup", Service.resourceGroup);
code(2);
for (let Api of iterate(template.apiList)) {
set("apiid", Api);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az apim list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
extractors:
- type: json
name: serviceList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az apim api list -g $resourcegroup -n $servicename --query '[].name'
extractors:
- type: json
name: apiList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az apim api show --api-id "$apiid" --service-name $servicename --resource-group $resourcegroup --query 'protocols'
matchers-condition: and
matchers:
- type: word
words:
- "https"
- type: word
words:
- "http"
negative: true
extractors:
- type: dsl
dsl:
- '"Service: " + service-name + " API: " + api-id + " does not enforce HTTPS exclusively"'
- type: dsl
dsl:
- stderr
# digest: 4a0a00473045022100ecd14044f77810e641f5b4aa6a0a522e34cd8baa64795b617790ab11d14b657502203a2e97c1b014ee18c5c0456a99edb46a0769507b5c03a61857e99082d85fb547:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink