Website with Client Certificate Auth Disabled
- Query id: 92302b47-b0cc-46cb-a28f-5610ecda140b
- Query name: Website with Client Certificate Auth Disabled
- Platform: AzureResourceManager
- Severity: Medium
- Category: Networking and Firewall
- CWE: 287
- URL: Github
Description¶
'Microsoft.Web/sites' resources should have client certificate authentication enabled, i.e. 'clientCertEnabled' set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - bicep file
// Positive sample: the site sets no clientCertEnabled property at all, so client
// certificate authentication is not turned on. Compare Positive test 3 (explicitly
// false) and Negative test 1 (true, the compliant form).
resource webSite 'Microsoft.Web/sites@2020-12-01' = {
  name: 'webSite'
  location: 'location1'
  tags: {}
  properties: {
    // clientCertEnabled is absent here — the omission is what this query reports
    enabled: true
  }
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
// Positive sample: client certificate authentication is explicitly disabled.
resource webSite 'Microsoft.Web/sites@2020-12-01' = {
  name: 'webSite'
  location: 'location1'
  tags: {}
  properties: {
    enabled: true
    // false disables client certificate auth on the site — the setting this query reports
    clientCertEnabled: false
  }
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"clientCertEnabled": false
},
"resources": []
}
],
"outputs": {}
}
Positive test num. 5 - bicep file
Positive test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 7 - bicep file
Positive test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"clientCertEnabled": false
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 9 - bicep file
// Names for the plan and site declared below. The defaults mention HTTP/2, but the
// setting this query checks is clientCertEnabled on the Microsoft.Web/sites resource.
param siteName string = 'myapp-no-http2'
param servicePlanName string = 'myapp-plan-nohttp2'
// App Service plan that webApp below is hosted on (referenced via servicePlan.id).
// This query's subject is the Microsoft.Web/sites resource, not the plan.
resource servicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: servicePlanName
  location: resourceGroup().location
  sku: {
    name: 'S1'
    tier: 'Standard'
    size: 'S1'
    capacity: 1
  }
  kind: 'linux'
  properties: {
    reserved: true
  }
}
// Positive sample: a Linux container site with client certificate auth explicitly disabled.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: siteName
  location: resourceGroup().location
  kind: 'app,linux,container'
  properties: {
    serverFarmId: servicePlan.id
    // false disables client certificate auth — the setting this query reports
    clientCertEnabled: false
    siteConfig: {
      // HTTP/2 is a separate setting and not what this query checks
      http20Enabled: false
      linuxFxVersion: 'DOCKER|nginx:latest'
    }
  }
}
Positive test num. 10 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.36.177.2456",
"templateHash": "4694393287242918779"
}
},
"parameters": {
"siteName": {
"type": "string",
"defaultValue": "myapp-no-http2"
},
"servicePlanName": {
"type": "string",
"defaultValue": "myapp-plan-nohttp2"
}
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2022-03-01",
"name": "[parameters('servicePlanName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"capacity": 1
},
"kind": "linux",
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "[parameters('siteName')]",
"location": "[resourceGroup().location]",
"kind": "app,linux,container",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]",
"clientCertEnabled": false,
"siteConfig": {
"http20Enabled": false,
"linuxFxVersion": "DOCKER|nginx:latest"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]"
]
}
]
}
Positive test num. 11 - bicep file
// Names for the plan and site declared below. The defaults mention HTTP/2, but the
// setting this query checks is clientCertEnabled on the Microsoft.Web/sites resource.
param siteName string = 'myapp-no-http2'
param servicePlanName string = 'myapp-plan-nohttp2'
// App Service plan that webApp below is hosted on (referenced via servicePlan.id).
// This query's subject is the Microsoft.Web/sites resource, not the plan.
resource servicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: servicePlanName
  location: resourceGroup().location
  sku: {
    name: 'S1'
    tier: 'Standard'
    size: 'S1'
    capacity: 1
  }
  kind: 'linux'
  properties: {
    reserved: true
  }
}
// Positive sample: the site sets no clientCertEnabled property, so client certificate
// auth is not turned on (same as Positive test 9, minus the explicit false).
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: siteName
  location: resourceGroup().location
  kind: 'app,linux,container'
  properties: {
    serverFarmId: servicePlan.id
    // clientCertEnabled is absent here — the omission is what this query reports
    siteConfig: {
      // HTTP/2 is a separate setting and not what this query checks
      http20Enabled: false
      linuxFxVersion: 'DOCKER|nginx:latest'
    }
  }
}
Positive test num. 12 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.36.177.2456",
"templateHash": "8537683058673476993"
}
},
"parameters": {
"siteName": {
"type": "string",
"defaultValue": "myapp-no-http2"
},
"servicePlanName": {
"type": "string",
"defaultValue": "myapp-plan-nohttp2"
}
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2022-03-01",
"name": "[parameters('servicePlanName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"capacity": 1
},
"kind": "linux",
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "[parameters('siteName')]",
"location": "[resourceGroup().location]",
"kind": "app,linux,container",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]",
"siteConfig": {
"http20Enabled": false,
"linuxFxVersion": "DOCKER|nginx:latest"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]"
]
}
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - bicep file
// Negative sample: client certificate authentication is explicitly enabled (the compliant form).
resource webSite 'Microsoft.Web/sites@2020-12-01' = {
  name: 'webSite'
  location: 'location1'
  tags: {}
  properties: {
    enabled: true
    // true turns on client certificate auth for the site — this is what the query expects
    clientCertEnabled: true
  }
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"clientCertEnabled": true
},
"resources": []
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
// Negative sample: client certificate authentication is explicitly enabled (the compliant form).
resource webSite 'Microsoft.Web/sites@2020-12-01' = {
  name: 'webSite'
  location: 'location1'
  tags: {}
  properties: {
    enabled: true
    // true turns on client certificate auth for the site — this is what the query expects
    clientCertEnabled: true
  }
}
Negative test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "webSite",
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"location": "location1",
"tags": {},
"properties": {
"enabled": true,
"clientCertEnabled": true
},
"resources": []
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Negative test num. 5 - bicep file
// Names for the plan and site declared below. The defaults mention HTTP/2, but the
// setting this query checks is clientCertEnabled on the Microsoft.Web/sites resource.
param siteName string = 'myapp-http2'
param servicePlanName string = 'myapp-plan'
// App Service plan that webApp below is hosted on (referenced via servicePlan.id).
// This query's subject is the Microsoft.Web/sites resource, not the plan.
resource servicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: servicePlanName
  location: resourceGroup().location
  sku: {
    name: 'S1'
    tier: 'Standard'
    size: 'S1'
    capacity: 1
  }
  kind: 'linux'
  properties: {
    reserved: true
  }
}
// Listed as a negative (non-vulnerable) sample.
// NOTE(review): clientCertEnabled is false here, the same value Positive test 9 reports;
// the only difference from that sample is http20Enabled, which is not what this query
// checks — confirm this sample is really intended as a negative case for this query.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: siteName
  location: resourceGroup().location
  kind: 'app,linux,container'
  properties: {
    serverFarmId: servicePlan.id
    // false disables client certificate auth on the site
    clientCertEnabled: false
    siteConfig: {
      // HTTP/2 is a separate setting and not what this query checks
      http20Enabled: true
      linuxFxVersion: 'DOCKER|nginx:latest'
    }
  }
}
Negative test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.36.177.2456",
"templateHash": "7898345690734526102"
}
},
"parameters": {
"siteName": {
"type": "string",
"defaultValue": "myapp-http2"
},
"servicePlanName": {
"type": "string",
"defaultValue": "myapp-plan"
}
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2022-03-01",
"name": "[parameters('servicePlanName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"capacity": 1
},
"kind": "linux",
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "[parameters('siteName')]",
"location": "[resourceGroup().location]",
"kind": "app,linux,container",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]",
"clientCertEnabled": false,
"siteConfig": {
"http20Enabled": true,
"linuxFxVersion": "DOCKER|nginx:latest"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]"
]
}
]
}
Negative test num. 7 - bicep file
// Names for the plan and site declared below. The defaults mention HTTP/2, but the
// setting this query checks is clientCertEnabled on the Microsoft.Web/sites resource.
param siteName string = 'myapp-http2-enabled'
param servicePlanName string = 'myapp-plan-http2'
// App Service plan that webApp below is hosted on (referenced via servicePlan.id).
// This query's subject is the Microsoft.Web/sites resource, not the plan.
resource servicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: servicePlanName
  location: resourceGroup().location
  sku: {
    name: 'S1'
    tier: 'Standard'
    size: 'S1'
    capacity: 1
  }
  kind: 'linux'
  properties: {
    reserved: true
  }
}
// Listed as a negative (non-vulnerable) sample.
// NOTE(review): clientCertEnabled is not set here, and Positive test 11 treats that same
// omission as a finding; the only difference from that sample is http20Enabled, which is
// not what this query checks — confirm this sample is really intended as a negative case.
resource webApp 'Microsoft.Web/sites@2022-03-01' = {
  name: siteName
  location: resourceGroup().location
  kind: 'app,linux,container'
  properties: {
    serverFarmId: servicePlan.id
    // no clientCertEnabled property on this site
    siteConfig: {
      // HTTP/2 is a separate setting and not what this query checks
      http20Enabled: true
      linuxFxVersion: 'DOCKER|nginx:latest'
    }
  }
}
Negative test num. 8 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.36.177.2456",
"templateHash": "2348461675926151470"
}
},
"parameters": {
"siteName": {
"type": "string",
"defaultValue": "myapp-http2-enabled"
},
"servicePlanName": {
"type": "string",
"defaultValue": "myapp-plan-http2"
}
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2022-03-01",
"name": "[parameters('servicePlanName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "S1",
"tier": "Standard",
"size": "S1",
"capacity": 1
},
"kind": "linux",
"properties": {
"reserved": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-03-01",
"name": "[parameters('siteName')]",
"location": "[resourceGroup().location]",
"kind": "app,linux,container",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]",
"siteConfig": {
"http20Enabled": true,
"linuxFxVersion": "DOCKER|nginx:latest"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('servicePlanName'))]"
]
}
]
}