daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/azure/network/azure-nsg-dns-unrestricted....

57 lines
2.0 KiB
YAML
Raw Blame History

id: azure-nsg-dns-unrestricted
info:
name: Unrestricted DNS Access in Azure NSGs
author: princechaddha
severity: high
description: |
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP and UDP port 53 to prevent DNS amplification attacks and other DNS-related threats.
impact: |
Allowing unrestricted access on TCP and UDP port 53 can make DNS servers vulnerable to various types of cyber attacks, disrupting network operations.
remediation: |
Restrict access to DNS services by configuring NSG rules to only allow trusted sources and necessary traffic on TCP and UDP port 53.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
tags: cloud,devops,azure,microsoft,nsg,azure-cloud-config
flow: |
code(1);
for (let NsgData of iterate(template.nsgdata)) {
NsgData = JSON.parse(NsgData)
set("nsg", NsgData.name)
set("resourcegroup", NsgData.resourceGroup)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az network nsg list --query '[*].{name:name, resourceGroup:resourceGroup}' --output json
extractors:
- type: json
name: nsgdata
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network nsg rule list --nsg-name $nsg --resource-group $resourcegroup --query "[?direction=='Inbound' && access=='Allow' && (protocol=='TCP' || protocol=='UDP') && (destinationPortRange=='53')]"
matchers:
- type: word
words:
- '"sourceAddressPrefix": "*"'
- '"sourceAddressPrefix": "internet"'
- '"sourceAddressPrefix": "any"'
extractors:
- type: dsl
dsl:
- 'nsg + " has unrestricted access on TCP and UDP port 53"'
# digest: 4b0a004830460221008b8f04054777f77d5380360bc515531774a4ad7e063edabe1619fd600aad455d0221009a10b51064b5f63c339c89146773b5e3c4fc834fd4fb3d609a3387c38a2b5d2d:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink