azure-storage-queue-logging-disabled: Azure Storage Queue Logging Not Enabled

日期: 2025-08-01 | 影响软件: Azure Storage Queue | POC: 已公开

漏洞描述

Ensure that Microsoft Azure Storage Queue service logging is enabled for read, write, and delete requests. The Storage Queue service records details of both successful and failed requests, including end-to-end latency, server latency, and authentication information, which is crucial for security and compliance.

PoC代码[已公开]

id: azure-storage-queue-logging-disabled
info:
  name: Azure Storage Queue Logging Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that Microsoft Azure Storage Queue service logging is enabled for read, write, and delete requests. The Storage Queue service records details of both successful and failed requests, including end-to-end latency, server latency, and authentication information, which is crucial for security and compliance.
  impact: |
    Not enabling logging for Azure Storage Queue can result in insufficient data for auditing and lack of visibility into access patterns, potentially leading to unauthorized access and data breaches.
  remediation: |
    Enable logging for read, write, and delete requests in Azure Storage Queue service to ensure compliance and improve security monitoring.
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/queues/storage-queues-introduction
  tags: cloud,devops,azure,microsoft,storage-queue,azure-cloud-config

flow: |
  code(1);
  for (let StorageAccount of iterate(template.storageAccounts)) {
    StorageAccount = JSON.parse(StorageAccount);
    set("name", StorageAccount.Name);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].{"Name":name}'

    extractors:
      - type: json
        name: storageAccounts
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage logging show --services q --account-name "$name" --output json

    matchers:
      - type: word
        words:
          - '"delete": false'
          - '"read": false'
          - '"write": false'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - 'name + " does not have logging enabled for delete, read, or write actions."'
# digest: 4a0a0047304502202d8d3c62b45b247ed11871f2345f33e073717dfee1c5b3e4d2fdb6d6a4d49c7d022100aa6fb9ae42fd21b1c5a33bc26761632a1b1a036534ab24aabe667d57b91f3875:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/storageaccounts/azure-storage-queue-logging-disabled.yaml