Azure App Service Plain FTP Deployment Disabled
ID: azure-appservice-ftp-deployment-disabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,appservice,azure-cloud-config
Description
Section titled “Description”Ensure that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, the deployment can be disabled over FTP or performed over FTPS. FTPS (Secure FTP) is used to enhance security for your Azure web application as it adds an extra layer of security to the FTP protocol, and helps you to comply with industry standards and regulations.
YAML Source
Section titled “YAML Source”id: azure-appservice-ftp-deployment-disabledinfo: name: Azure App Service Plain FTP Deployment Disabled author: princechaddha severity: medium description: | Ensure that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, the deployment can be disabled over FTP or performed over FTPS. FTPS (Secure FTP) is used to enhance security for your Azure web application as it adds an extra layer of security to the FTP protocol, and helps you to comply with industry standards and regulations. impact: | Using plain FTP for deployment could expose sensitive data to interception. Enabling FTPS or disabling FTP deployment ensures compliance with security best practices and regulations. remediation: | Configure the Azure App Services to disable FTP deployment or to use FTPS, ensuring encrypted and secure file transfers. reference: - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp tags: cloud,devops,azure,microsoft,appservice,azure-cloud-config
flow: | code(1); for (let WebAppId of iterate(template.webAppIds)) { set("ids", WebAppId); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az webapp list --output json --query '[*].id'
extractors: - type: json name: webAppIds internal: true json: - '.[]'
- engine: - sh - bash source: | az webapp config show --ids $ids --output json --query 'ftpsState'
matchers: - type: word words: - "AllAllowed"
extractors: - type: dsl dsl: - 'ids + " has FTP deployment enabled, which is not secure"'# digest: 490a0046304402201b0c5ab994bd0df15ea234a8ef2db2f989554b62757ab363f44040ac8361dfcc02206936ff2d8b100ab6749db8e46c398b018fb23e5f8937790e429a880ac3bca3b2:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/appservice/azure-appservice-ftp-deployment-disabled.yaml"