Unrestricted API Key Usage
ID: gcloud-api-key-unrestricted
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
Description
Section titled “Description”Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications.
YAML Source
Section titled “YAML Source”id: gcloud-api-key-unrestricted
info: name: Unrestricted API Key Usage author: princechaddha severity: medium description: | Ensure that the use of Google Cloud API keys is limited to trusted and reliable hosts, HTTP referrers, or applications. An API key application restriction manages the authorization of websites, IP addresses, or Android/iOS mobile applications that can employ your API key. It is crucial that all API keys used in production employ host and application restrictions. By enforcing these restrictions, you can reduce the impact that a compromised API key can have on your applications. impact: | API keys without restrictions can be used unrestrictedly, which might lead to unauthorized access and misuse, potentially exposing sensitive data or services. remediation: | Apply restrictions to all production API keys to specify the allowed websites, IP addresses, or mobile applications that can use each key, to mitigate potential abuse. reference: - https://cloud.google.com/docs/authentication/api-keys#restricting_api_keys tags: cloud,devops,gcp,gcloud,api-keys,gcp-cloud-config
flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let uid of iterate(template.uids)){ set("uid", uid) code(3) } }
self-contained: true
code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)"
extractors: - type: json name: projectIds internal: true json: - '.[].projectId'
- engine: - sh - bash source: | gcloud alpha services api-keys list --project $projectId --format="json(uid)"
extractors: - type: json name: uids internal: true json: - '.[].uid'
- engine: - sh - bash source: | gcloud alpha services api-keys describe $uid --format="json(restrictions)"
matchers: - type: word words: - 'null'
extractors: - type: dsl dsl: - '"Unrestricted API Key: " + uid + " in Project: " + projectId'# digest: 4a0a00473045022100d1751d133cbe1cb508355fb6acc6fb0d51094a8c42db864114772bfce2fd382a022022cb36fbfcf3f8b8ef22cd8a428104f85035cc421437b2e735f221396b39c224:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/api/gcloud-api-key-unrestricted.yaml"