Skip to content
Nuclei Templates

Missing Certificate Transparency in Azure Key Vaults

ID: azure-keyvault-cert-transparency-missing

Severity: medium

Author: princechaddha

Tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config

Description

Section titled “Description”

Ensure that Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates to adhere to web security best practices. Certificate Transparency (CT) is a new Internet standard that helps to make the Transport Layer Security (TLS) ecosystem publicly auditable.

YAML Source

Section titled “YAML Source”
id: azure-keyvault-cert-transparency-missing
info:
  name: Missing Certificate Transparency in Azure Key Vaults
  author: princechaddha
  severity: medium
  description: |
    Ensure that Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates to adhere to web security best practices. Certificate Transparency (CT) is a new Internet standard that helps to make the Transport Layer Security (TLS) ecosystem publicly auditable.
  impact: |
    Without Certificate Transparency, domain owners are unaware of certificates issued to their domain unless directly requested, compromising transparency and security.
  remediation: |
    Enable Certificate Transparency for all Azure Key Vault SSL/TLS certificates through the Azure portal or Azure CLI to meet the standards enforced by the Certification Authority Browser Forum (CA/Browser Forum).
  reference:
    - https://docs.microsoft.com/en-us/azure/key-vault/certificates/how-to-enable-certificate-transparency
  tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config


flow: |
  code(1);
  for (let KeyVaultName of iterate(template.keyVaultNames)) {
    set("vaultName", KeyVaultName)
    code(2);
    for (let CertificateId of iterate(template.certificateIds)) {
      set("certificateId", CertificateId)
      code(3)
    }
  }


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az keyvault list --query '[*].name' --output json


    extractors:
      - type: json
        name: keyVaultNames
        internal: true
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      az keyvault certificate list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].id' --output json


    extractors:
      - type: json
        name: certificateIds
        internal: true
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      az keyvault certificate show --id $certificateId --query 'policy.issuerParameters.certificateTransparency' --output json


    matchers:
      - type: word
        words:
          - 'false'


    extractors:
      - type: dsl
        dsl:
          - 'vaultName + " SSL/TLS certificate " + certificateId + " does not have Certificate Transparency enabled"'
# digest: 4b0a0048304602210084865a32dc75db7bd30f7a9264d51271cdfff4d71186ddb3b250413cc97d4a23022100aa90bf74c105ca8aaf74a002aaa94058d4590b53ff443491c49cc3206bc5bddb:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/azure/keyvault/azure-keyvault-cert-transparency-missing.yaml"

View on Github