azure-storage-table-logging-disabled: Azure Storage Table Logging Not Enabled

漏洞描述

Ensure that Azure Storage Table service logging is enabled for read, write, and delete requests. The Azure Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage logging is performed server-side and allows details for both successful and failed requests to be recorded in the associated storage account.

PoC代码[已公开]

id: azure-storage-table-logging-disabled
info:
  name: Azure Storage Table Logging Not Enabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that Azure Storage Table service logging is enabled for read, write, and delete requests. The Azure Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage logging is performed server-side and allows details for both successful and failed requests to be recorded in the associated storage account.
  impact: |
    Failing to enable logging for the Azure Storage Table service can prevent tracking of successful and failed requests, impacting auditing and troubleshooting capabilities.
  remediation: |
    Enable logging for read, write, and delete requests in the Azure Storage Table service through the Azure portal or using the Azure CLI.
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-overview
  tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config

flow: |
  code(1);
  for (let AccountData of iterate(template.accountList)) {
    AccountData = JSON.parse(AccountData);
    set("name", AccountData.Name);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].{"Name":name}'

    extractors:
      - type: json
        name: accountList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage logging show --services t --account-name "$name" --output json

    matchers:
      - type: word
        words:
          - '"delete": false'
          - '"read": false'
          - '"write": false'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - 'name + " has logging for read, write, delete not enabled"'
# digest: 4a0a00473045022100d43341b6ed0d2768bc04ef8251e04b7f8d64a5bbe0f666146a2f6fd150fcf38a022007ba1b60438a19a01d8225a91d51b4814c6d758b1b56f68964875cc1b874fd36:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/storageaccounts/azure-storage-table-logging-disabled.yaml