App Service Authentication Disabled
- Query id: c7fc1481-2899-4490-bbd8-544a3a61a2f3
- Query name: App Service Authentication Disabled
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 285
- Risk score: 7.0
- URL: Github
Description¶
Azure App Service authentication settings should be enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "azurerm_app_service" "positive1" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
}
app_settings = {
"SOME_KEY" = "some-value"
}
connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}
Positive test num. 2 - tf file
resource "azurerm_windows_web_app" "positive10" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings_v2 {
login {}
auth_enabled = false
}
site_config {}
}
Positive test num. 3 - tf file
resource "azurerm_windows_web_app" "positive11" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = true
}
auth_settings_v2 {
login {}
}
site_config {}
}
Positive test num. 4 - tf file
resource "azurerm_windows_web_app" "positive12" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = true
}
auth_settings_v2 {
login {}
auth_enabled = false
}
site_config {}
}
Positive test num. 5 - tf file
resource "azurerm_linux_web_app" "positive13" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = true
}
auth_settings_v2 {
login {}
}
site_config {}
}
Positive test num. 6 - tf file
resource "azurerm_linux_web_app" "positive14" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = true
}
auth_settings_v2 {
login {}
auth_enabled = false
}
site_config {}
}
Positive test num. 7 - tf file
resource "azurerm_app_service" "positive2" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
}
app_settings = {
"SOME_KEY" = "some-value"
}
auth_settings {
enabled = false
}
connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}
Positive test num. 8 - tf file
Positive test num. 9 - tf file
Positive test num. 10 - tf file
Positive test num. 11 - tf file
resource "azurerm_linux_web_app" "positive6" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings_v2 {
login {}
auth_enabled = false
}
site_config {}
}
Positive test num. 12 - tf file
Positive test num. 13 - tf file
Positive test num. 14 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "azurerm_app_service" "negative1" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
site_config {
dotnet_framework_version = "v4.0"
scm_type = "LocalGit"
}
app_settings = {
"SOME_KEY" = "some-value"
}
auth_settings {
enabled = true
}
connection_string {
name = "Database"
type = "SQLServer"
value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
}
}
Negative test num. 2 - tf file
resource "azurerm_linux_web_app" "negative2" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = true
}
site_config {}
}
Negative test num. 3 - tf file
resource "azurerm_linux_web_app" "negative3" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings_v2 {
login {}
auth_enabled = true
}
site_config {}
}
Negative test num. 4 - tf file
Negative test num. 5 - tf file
resource "azurerm_windows_web_app" "negative5" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings_v2 {
login {}
auth_enabled = true
}
site_config {}
}
Negative test num. 6 - tf file
resource "azurerm_windows_web_app" "negative6" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = false
}
auth_settings_v2 {
login {}
auth_enabled = true
}
site_config {}
}
Negative test num. 7 - tf file
resource "azurerm_linux_web_app" "negative7" {
name = "example-app-service"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_service_plan.example.location
service_plan_id = azurerm_service_plan.example.id
auth_settings {
enabled = false
}
auth_settings_v2 {
login {}
auth_enabled = true
}
site_config {}
}