Skip to content
Nuclei Templates

Insecure SSL Cipher Suites in GCP Load Balancers

ID: gcloud-ssl-policy-insecure-ciphers

Severity: medium

Author: princechaddha

Tags: cloud,devops,gcp,gcloud,google-cloud-load-balancing,gcp-cloud-config

Description

Section titled “Description”

This check scans SSL policies of Google Cloud HTTPS and SSL Proxy load balancers to identify insecure cipher suites. It ensures SSL policies use TLS 1.2 with secure profiles and exclude weak ciphers.

YAML Source

Section titled “YAML Source”
id: gcloud-ssl-policy-insecure-ciphers


info:
  name: Insecure SSL Cipher Suites in GCP Load Balancers
  author: princechaddha
  severity: medium
  description: |
    This check scans SSL policies of Google Cloud HTTPS and SSL Proxy load balancers to identify insecure cipher suites. It ensures SSL policies use TLS 1.2 with secure profiles and exclude weak ciphers.
  impact: |
    Insecure cipher suites can lead to vulnerabilities, allowing attackers to decrypt or intercept data.
  remediation: |
    Ensure SSL policies use MODERN or RESTRICTED profiles, or a secure CUSTOM profile without weak ciphers.
  reference:
    - https://cloud.google.com/load-balancing/docs/ssl-policies
  tags: cloud,devops,gcp,gcloud,google-cloud-load-balancing,gcp-cloud-config


flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let proxy of iterate(template.httpsProxies)){
      set("sslPolicy", proxy.sslPolicy)
      code(4)
    }
    code(3)
    for(let proxy of iterate(template.sslProxies)){
      set("sslPolicy", proxy.sslPolicy)
      code(4)
    }
  }


self-contained: true


code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"


    extractors:
      - type: json
        internal: true
        name: projectIds
        json:
          - '.[].projectId'


  - engine:
      - sh
      - bash
    source: |
      gcloud compute target-https-proxies list --project $projectId --format="json(name,sslPolicy)"


    extractors:
      - type: json
        internal: true
        name: httpsProxies
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      gcloud compute target-ssl-proxies list --project $projectId --format="json(name,sslPolicy)"


    extractors:
      - type: json
        internal: true
        name: sslProxies
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      gcloud compute ssl-policies describe $sslPolicy --format="json(minTlsVersion,profile,enabledFeatures)"


    matchers:
      - type: word
        words:
          - 'TLS_1_0'
          - 'TLS_RSA_WITH_AES_128_GCM_SHA256'
          - 'TLS_RSA_WITH_AES_256_GCM_SHA384'
          - 'TLS_RSA_WITH_AES_128_CBC_SHA'
          - 'TLS_RSA_WITH_AES_256_CBC_SHA'
          - 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'


      - type: dsl
        dsl:
          - '"Insecure SSL Policy Detected in Proxy: " + sslPolicy + " in Project: " + projectId'
# digest: 490a0046304402207fa271060d3c05012c584090bfc5fc7146cb541b9dd51961b9b67ca96e694a58022030c8337c0aa6c949067dd0a59183b425f8514bf25264388c37cf6a7be26dc649:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/gcp/loadbalancing/gcloud-ssl-policy-insecure-ciphers.yaml"

View on Github