azure-functionapp-vnet-integration-missing: Virtual Network Integration for Azure Functions Not Enabled

日期: 2025-08-01 | 影响软件: azure functions | POC: 已公开

漏洞描述

To follow Azure networking best practices and securely access cloud resources available within your Azure Virtual Network (VNet), ensure that Virtual Network integration is enabled for your Microsoft Azure Function Apps. With Virtual Network integration, you can restrict your Function App outbound connections to specific, trusted VNets only.

PoC代码[已公开]

id: azure-functionapp-vnet-integration-missing
info:
  name: Virtual Network Integration for Azure Functions Not Enabled
  author: princechaddha
  severity: high
  description: |
    To follow Azure networking best practices and securely access cloud resources available within your Azure Virtual Network (VNet), ensure that Virtual Network integration is enabled for your Microsoft Azure Function Apps. With Virtual Network integration, you can restrict your Function App outbound connections to specific, trusted VNets only.
  impact: |
    Lack of Virtual Network integration may lead to insecure access to cloud resources, posing a security risk by allowing outbound connections to non-trusted networks.
  remediation: |
    Enable Virtual Network integration for your Azure Function Apps to secure connections to trusted Virtual Networks.
  reference:
    - https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options
  tags: cloud,devops,azure,microsoft,functionapp,azure-cloud-config

flow: |
  code(1);
  for (let AppData of iterate(template.functionApps)) {
    AppData = JSON.parse(AppData);
    set("name", AppData.name);
    set("resourceGroup", AppData.resourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az functionapp list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'

    extractors:
      - type: json
        name: functionApps
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az functionapp show --name $name --resource-group $resourceGroup --query 'siteConfig.vnetName' --output json

    matchers:
      - type: word
        words:
          - ""

    extractors:
      - type: dsl
        dsl:
          - 'name + " does not have Virtual Network Integration enabled"'
# digest: 490a004630440220778c6fde3a9c8a69d90c50b005bdd2fedea830911a8b6720ec5f08d579338dea022056111fb3c94b630566bc013b68a12237b4295a35451d07dd20a8e557ad4736f3:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/functions/azure-functionapp-vnet-integration-missing.yaml