Skip to content
Nuclei Templates

Missing API Key API Restrictions

ID: gcloud-api-key-restrictions-missing

Severity: medium

Author: princechaddha

Tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config

Description

Section titled “Description”

Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API, and Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions.

YAML Source

Section titled “YAML Source”
id: gcloud-api-key-restrictions-missing


info:
  name: Missing API Key API Restrictions
  author: princechaddha
  severity: medium
  description: |
    Ensure that the usage of your Google Cloud API keys is restricted to specific APIs such as Cloud Key Management Service (KMS) API, Cloud Storage API, Cloud Monitoring API, and Cloud Logging API. All Google Cloud API keys that are being used for production applications should use API restrictions.
  impact: |
    API keys without specific API restrictions can be used to access any GCP API, potentially leading to unauthorized access and misuse of resources. Implementing API restrictions helps in limiting the scope of API keys to intended services only.
  remediation: |
    Apply API restrictions to each Google Cloud API key to limit their usage to specific APIs. This can be managed through the Google Cloud Console or using the gcloud command-line tool.
  reference:
    - https://cloud.google.com/api-keys/docs/restricting-api-keys
  tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config


flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let apiKey of iterate(template.apiKeys)){
      set("apiKeyUid", apiKey)
      code(3)
    }
  }


self-contained: true


code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"


    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'


  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys list --project=$projectId --format="json(uid)"


    extractors:
      - type: json
        name: apiKeys
        internal: true
        json:
          - '.[].uid'


  - engine:
      - sh
      - bash
    source: |
      gcloud alpha services api-keys describe $apiKeyUid --format="json(restrictions)"


    matchers:
      - type: word
        part: body
        words:
          - 'null'


    extractors:
      - type: dsl
        dsl:
          - '"Unrestricted API Key: " + apiKeyUid + " in Project: " + projectId'
# digest: 4b0a00483046022100b6b2f16aaed30fbe7cf6f76b17cd99ebb5394c3f78c791dd66de6d10bdbab3ab022100858dcb4e5f0139b7c9e1431d7318a4ddf89998fb7cc475285f14c0c5fb3819a0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/gcp/api/gcloud-api-key-restrictions-missing.yaml"

View on Github