gcloud-api-keys-inactive-services: API Keys Should Only Exist for Active Services

日期: 2025-08-01 | 影响软件: gcloud | POC: 已公开

漏洞描述

Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted.

PoC代码[已公开]

id: gcloud-api-keys-inactive-services

info:
  name: API Keys Should Only Exist for Active Services
  author: princechaddha
  severity: low
  description: |
    Ensure that your Google Cloud projects are using the standard authentication flow as the preferred method for authentication, rather than relying on API keys. API keys are simple encrypted strings that can be used when calling certain APIs which don't need to access private user data. API keys should be exclusively employed for active services when alternative authentication methods are not accessible, otherwise deleted.
  impact: |
    Using API keys for inactive services can expose your applications to unnecessary security risks. It is advisable to employ standard authentication methods and ensure that API keys are used judiciously and only for active services.
  remediation: |
    Review and ensure that API keys are only configured for active services. Delete or disable API keys associated with inactive or unnecessary services to minimize security risks.
  reference:
    - https://cloud.google.com/docs/authentication/api-keys
  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys list --project=$projectId --format="json(uid)"

    matchers:
      - type: word
        words:
          - 'uid'

    extractors:
      - type: json
        name: uid
        internal: true
        json:
          - '.[].uid'

      - type: dsl
        dsl:
          - '"Inactive API Key found: UID: " + uid + " in Project: " + projectId'
# digest: 490a0046304402207d9636d01e08f534fa218db024859e2229a20f9545b6dda783fb652284e64785022049b4893759d0e724f60c748db1d8d00f7499c3830638f2d6d16bdd41043ee5e9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/api/gcloud-api-keys-inactive-services.yaml

相关漏洞推荐