Skip to content
Nuclei Templates

Define Index Page Suffix and Error Page for Bucket Website Configuration

ID: gcloud-bucket-website-config-not-defined

Severity: high

Author: princechaddha

Tags: cloud,devops,gcp,gcloud,google-cloud-storage,website-config,static-website,gcp-cloud-config

Description

Section titled “Description”

Ensure that website index (main) page suffix and error (404 not found) page are defined for your Google Cloud Storage buckets with static website configuration. Specifying these configurations ensures proper functionality and user experience for websites hosted on Cloud Storage buckets.

YAML Source

Section titled “YAML Source”
id: gcloud-bucket-website-config-not-defined


info:
  name: Define Index Page Suffix and Error Page for Bucket Website Configuration
  author: princechaddha
  severity: high
  description: |
    Ensure that website index (main) page suffix and error (404 not found) page are defined for your Google Cloud Storage buckets with static website configuration. Specifying these configurations ensures proper functionality and user experience for websites hosted on Cloud Storage buckets.
  impact: |
    Without a defined index page suffix and error page, users may encounter broken functionality or unexpected behavior when accessing the hosted website.
  remediation: |
    Define an index page suffix (e.g., index.html) and an error page (e.g., 404.html) in the static website configuration for your Cloud Storage buckets.
  reference:
    - https://cloud.google.com/storage/docs/hosting-static-website
  tags: cloud,devops,gcp,gcloud,google-cloud-storage,website-config,static-website,gcp-cloud-config


flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let bucketName of iterate(template.buckets)){
      set("bucketName", bucketName)
      code(3)
    }
  }


self-contained: true


code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"


    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'


  - engine:
      - sh
      - bash
    source: |
      gsutil ls -p $projectId | jq -R . | jq -s .


    extractors:
      - type: json
        name: buckets
        internal: true
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      gsutil web get $bucketName


    matchers:
      - type: word
        words:
          - 'has no website configuration'


    extractors:
      - type: dsl
        dsl:
          - '"The bucket " + bucketName + " in project " + projectId + " does not have a valid static website configuration with both index page suffix and error page defined"'
# digest: 490a00463044022049ffbdc0ffbd2d712b035eac66821c3917c532b650ca691f6d902fdb07d2940c02200092d274e4a72f6ff4d32a0a34e8b999e5de27c1be92d6b4ffa87584fa88e960:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/gcp/storage/gcloud-bucket-website-config-not-defined.yaml"

View on Github