Skip to content
Nuclei Templates

Azure PostgreSQL SSL Enforcement Not Enabled

ID: azure-postgresql-ssl-enforcement

Severity: high

Author: princechaddha

Tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config

Description

Section titled “Description”

Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.

YAML Source

Section titled “YAML Source”
id: azure-postgresql-ssl-enforcement
info:
  name: Azure PostgreSQL SSL Enforcement Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.
  impact: |
    Failure to enable SSL enforcement for PostgreSQL servers can lead to data being intercepted and read by unauthorized parties during transit, posing significant security and compliance risks.
  remediation: |
    Enable SSL enforcement on all Azure PostgreSQL servers to ensure that data is encrypted in transit and protected from unauthorized access.
  reference:
    - https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
  tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config


flow: |
  code(1);
  for (let ServerData of iterate(template.serverList)) {
    ServerData = JSON.parse(ServerData);
    set("name", ServerData.Name);
    set("resourceGroup", ServerData.ResourceGroup);
    code(2);
  }


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az postgres server list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'


    extractors:
      - type: json
        name: serverList
        internal: true
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      az postgres server show --name "$name" --resource-group "$resourceGroup" --query sslEnforcement


    matchers:
      - type: word
        words:
          - '"Disabled"'


    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " has SSL disabled"'
# digest: 4a0a00473045022100e5427e7b91398ad0aca45dd078c4c3ed87ba54d3be73047111729f224dd429b002205fb2b264a0620eb8c481e4a63ef99c60f01f6e7b354b6abfb02cab1390d85a01:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/azure/postgresql/azure-postgresql-ssl-enforcement.yaml"

View on Github