gcloud-bucket-website-config-not-defined: Define Index Page Suffix and Error Page for Bucket Website Configuration

日期: 2025-08-01 | 影响软件: gcloud | POC: 已公开

漏洞描述

Ensure that website index (main) page suffix and error (404 not found) page are defined for your Google Cloud Storage buckets with static website configuration. Specifying these configurations ensures proper functionality and user experience for websites hosted on Cloud Storage buckets.

PoC代码[已公开]

id: gcloud-bucket-website-config-not-defined

info:
  name: Define Index Page Suffix and Error Page for Bucket Website Configuration
  author: princechaddha
  severity: high
  description: |
    Ensure that website index (main) page suffix and error (404 not found) page are defined for your Google Cloud Storage buckets with static website configuration. Specifying these configurations ensures proper functionality and user experience for websites hosted on Cloud Storage buckets.
  impact: |
    Without a defined index page suffix and error page, users may encounter broken functionality or unexpected behavior when accessing the hosted website.
  remediation: |
    Define an index page suffix (e.g., index.html) and an error page (e.g., 404.html) in the static website configuration for your Cloud Storage buckets.
  reference:
    - https://cloud.google.com/storage/docs/hosting-static-website
  tags: cloud,devops,gcp,gcloud,google-cloud-storage,website-config,static-website,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let bucketName of iterate(template.buckets)){
      set("bucketName", bucketName)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gsutil ls -p $projectId | jq -R . | jq -s .

    extractors:
      - type: json
        name: buckets
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gsutil web get $bucketName

    matchers:
      - type: word
        words:
          - 'has no website configuration'

    extractors:
      - type: dsl
        dsl:
          - '"The bucket " + bucketName + " in project " + projectId + " does not have a valid static website configuration with both index page suffix and error page defined"'
# digest: 490a00463044022049ffbdc0ffbd2d712b035eac66821c3917c532b650ca691f6d902fdb07d2940c02200092d274e4a72f6ff4d32a0a34e8b999e5de27c1be92d6b4ffa87584fa88e960:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/storage/gcloud-bucket-website-config-not-defined.yaml

相关漏洞推荐