daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/azure/network/azure-nsg-postgresql-unrest...

57 lines
2.1 KiB
YAML
Raw Blame History

id: azure-nsg-postgresql-unrestricted
info:
name: Unrestricted PostgreSQL Database Access in Azure NSGs
author: princechaddha
severity: high
description: |
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP port 5432, used by PostgreSQL Database Server, to prevent unauthorized database access.
impact: |
Unrestricted access on TCP port 5432 can lead to potential data breaches and unauthorized data manipulation by external parties.
remediation: |
Implement strict NSG rules to restrict access on TCP port 5432 to only trusted IPs. Consider using additional layers of security, such as VPNs or Azure Private Link, to enhance database security.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
tags: cloud,devops,azure,microsoft,nsg,azure-cloud-config
flow: |
code(1);
for (let NsgData of iterate(template.nsgdata)) {
NsgData = JSON.parse(NsgData)
set("nsg", NsgData.name)
set("resourcegroup", NsgData.resourceGroup)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az network nsg list --query '[*].{name:name, resourceGroup:resourceGroup}' --output json
extractors:
- type: json
name: nsgdata
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network nsg rule list --nsg-name $nsg --resource-group $resourcegroup --query "[?direction=='Inbound' && access=='Allow' && protocol=='TCP' && (destinationPortRange=='5432')]"
matchers:
- type: word
words:
- '"sourceAddressPrefix": "*"'
- '"sourceAddressPrefix": "internet"'
- '"sourceAddressPrefix": "any"'
extractors:
- type: dsl
dsl:
- 'nsg + " has unrestricted access on TCP port 5432"'
# digest: 4b0a0048304602210082d11ac50ec62af3d77b185a9a81b9bf617f86ca1fccf9bbc053c4eb02bab23a022100d16c3097806e2b630ede58f2d4e13a7773465e5e962b02b1d6dc3ab2d347bd72:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink