-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #11384 from projectdiscovery/missing-alibaba-templ…
…ates Alibaba OSS Templates
- Loading branch information
Showing
4 changed files
with
265 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| id: access-logoss-disabled | ||
|
|
||
| info: | ||
| name: Access Logging for OSS Buckets - Disabled | ||
| author: DhiyaneshDK | ||
| severity: medium | ||
| description: | | ||
| Disabling access logging for OSS buckets reduces the ability to monitor and audit access, increasing the risk of undetected unauthorized activity. | ||
| reference: | ||
| - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-bucket-access-logging.html | ||
| - https://www.alibabacloud.com/help/en/oss/user-guide/getting-started | ||
| - https://www.alibabacloud.com/help/en/oss/user-guide/enable-logging | ||
| metadata: | ||
| max-request: 2 | ||
| verified: true | ||
| tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss | ||
|
|
||
| variables: | ||
| region: "cn-hangzhou" | ||
|
|
||
| flow: | | ||
| code(1) | ||
| for (let BucketName of iterate(template.bucketname)) { | ||
| set("bucket", BucketName) | ||
| code(2) | ||
| } | ||
| self-contained: true | ||
|
|
||
| code: | ||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss ls --region $region | ||
| extractors: | ||
| - type: regex | ||
| name: bucketname | ||
| internal: true | ||
| regex: | ||
| - 'oss://([a-zA-Z0-9-]+)' | ||
|
|
||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss logging --method get $bucket --region $region | ||
| matchers: | ||
| - type: word | ||
| words: | ||
| - '<LoggingEnabled>' | ||
| - '<TargetBucket></TargetBucket>' | ||
| condition: and | ||
|
|
||
| extractors: | ||
| - type: dsl | ||
| dsl: | ||
| - 'bucket + " Access Logging for OSS Buckets is Disabled "' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| id: limit-networkaccess-disabled | ||
|
|
||
| info: | ||
| name: Limit Network Access to Selected Networks - Disabled | ||
| author: DhiyaneshDK | ||
| severity: medium | ||
| description: | | ||
| Limit Network Access to Selected Networks in Alibaba OSS allows you to restrict access to your object storage service (OSS) to specific IP addresses or IP ranges, enhancing security by ensuring that only trusted networks can interact with your data." | ||
| reference: | ||
| - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html | ||
| - https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access | ||
| metadata: | ||
| max-request: 2 | ||
| verified: true | ||
| tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss | ||
|
|
||
| variables: | ||
| region: "cn-hangzhou" | ||
|
|
||
| flow: | | ||
| code(1) | ||
| for (let BucketName of iterate(template.bucketname)) { | ||
| set("bucket", BucketName) | ||
| code(2) | ||
| } | ||
| self-contained: true | ||
|
|
||
| code: | ||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss ls --region $region | ||
| extractors: | ||
| - type: regex | ||
| name: bucketname | ||
| internal: true | ||
| regex: | ||
| - 'oss://([a-zA-Z0-9-]+)' | ||
|
|
||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss bucket-policy --method get $bucket --region $region | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| words: | ||
| - '"IpAddress":' | ||
| - '"acs:SourceIp":' | ||
| negative: true | ||
|
|
||
| - type: word | ||
| words: | ||
| - '"Principal":' | ||
| - '"Resource":' | ||
| - '"Action":' | ||
| condition: and | ||
|
|
||
| extractors: | ||
| - type: dsl | ||
| dsl: | ||
| - 'bucket + " Limit Network Access to Selected Networks is Disabled "' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| id: oos-bucket-public-access | ||
|
|
||
| info: | ||
| name: OSS Bucket Public Accessible | ||
| author: DhiyaneshDK | ||
| severity: high | ||
| description: | | ||
| Ensure that your Object Storage Service (OSS) buckets are not publicly accessible to the Internet in order to protect against unauthorized access. Allowing public, anonymous access through bucket ACLs and bucket policies gives everyone the ability to access bucket contents. | ||
| reference: | ||
| - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/publicly-accessible-oss-bucket.html | ||
| - https://www.alibabacloud.com/help/en/oss/user-guide/block-public-access | ||
| metadata: | ||
| max-request: 2 | ||
| verified: true | ||
| tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss | ||
|
|
||
| variables: | ||
| region: "cn-hangzhou" | ||
|
|
||
| flow: | | ||
| code(1) | ||
| for (let BucketName of iterate(template.bucketname)) { | ||
| set("bucket", BucketName) | ||
| code(2) | ||
| } | ||
| self-contained: true | ||
|
|
||
| code: | ||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss ls --region $region | ||
| extractors: | ||
| - type: regex | ||
| name: bucketname | ||
| internal: true | ||
| regex: | ||
| - 'oss://([a-zA-Z0-9-]+)' | ||
|
|
||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss stat $bucket --region $region | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| words: | ||
| - 'private' | ||
| negative: true | ||
|
|
||
| - type: word | ||
| words: | ||
| - 'public-read' | ||
| - 'public-read-write' | ||
| condition: or | ||
|
|
||
| extractors: | ||
| - type: dsl | ||
| dsl: | ||
| - 'bucket + " OSS Bucket is Public Accessible "' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| id: secure-transfeross-disabled | ||
|
|
||
| info: | ||
| name: Secure Transfer for OSS Buckets - Disabled | ||
| author: DhiyaneshDK | ||
| severity: medium | ||
| description: | | ||
| Disabling secure transfer (HTTPS) for OSS buckets exposes data to potential interception. It is recommended to enable HTTPS to ensure encrypted communication and data security. | ||
| reference: | ||
| - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-OSS/enable-secure-transfer.html | ||
| - https://www.alibabacloud.com/help/en/oss/user-guide/use-bucket-policy-to-grant-permission-to-access-oss/ | ||
| metadata: | ||
| max-request: 2 | ||
| verified: true | ||
| tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,alibaba-oss | ||
|
|
||
| variables: | ||
| region: "cn-hangzhou" | ||
|
|
||
| flow: | | ||
| code(1) | ||
| for (let BucketName of iterate(template.bucketname)) { | ||
| set("bucket", BucketName) | ||
| code(2) | ||
| } | ||
| self-contained: true | ||
|
|
||
| code: | ||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss ls --region $region | ||
| extractors: | ||
| - type: regex | ||
| name: bucketname | ||
| internal: true | ||
| regex: | ||
| - 'oss://([a-zA-Z0-9-]+)' | ||
|
|
||
| - engine: | ||
| - sh | ||
| - bash | ||
|
|
||
| source: | | ||
| aliyun oss bucket-policy --method get $bucket --region $region | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| words: | ||
| - '"acs:SecureTransport":' | ||
| negative: true | ||
|
|
||
| - type: word | ||
| words: | ||
| - '"Resource":' | ||
| - '"Principal":' | ||
| condition: and | ||
|
|
||
| extractors: | ||
| - type: dsl | ||
| dsl: | ||
| - 'bucket + " Secure Transfer for OSS Buckets "' |