Finding and Testing Misconfigured S3 Buckets
Hello friends, I am Rohan Chavan. I am a Computer Engineering student and a bug bounty hunter. In this article I am going to share some of my research on finding misconfigured S3 buckets. Please comment with your feedback, or with any tips and techniques I might have missed.
What are S3 buckets?
Amazon S3 (Simple Storage Service) is the object storage service of AWS (Amazon Web Services). Data is stored as objects inside buckets, and a bucket name is globally unique across all AWS accounts, which is why a name you find on one target can be looked up directly. Buckets mostly hold images, videos, PDFs and text files, and in rarer cases source-code backups, database dumps or credentials in plain text, which is what makes a misconfigured bucket interesting. S3 can be used through the AWS web console or through the AWS CLI, which is what we will use here.
Configuring your AWS account :-
First, sign up for a free AWS account.
Then download the AWS CLI for your machine.
Next, configure the CLI with your account: the aws configure command prompts for your access key ID, secret access key and a default region. Keep in mind that requests signed with these keys are made as an authenticated AWS user, not as an anonymous visitor, which matters when you interpret the results later.
The official AWS documentation for these steps is easy to understand and follow, so I am only sharing the links to those articles. Please comment below if you are not able to follow them.
Finding Buckets :-
This can be done manually or with automated scripts such as :-
bucket_finder
Download: https://github.com/FishermansEnemy/bucket_finder
S3Scanner
Download: https://github.com/sa7mon/S3Scanner
s3-inspector
Download: https://github.com/kromtech/s3-inspector
Manual method :-
1. Suppose you are hunting on a target. You can use DNSDumpster to enumerate its subdomains; the results also include hostnames that point at S3 buckets, which look like
<Bucket_Name>.s3.amazonaws.com
A regional endpoint such as <Bucket_Name>.s3.eu-west-1.amazonaws.com, or a path-style URL such as s3.amazonaws.com/<Bucket_Name>/, identifies a bucket just as well.
2. You can find buckets by intercepting the requests made when uploading a profile picture or any other file: the upload goes to, or is redirected to, a bucket URL.
3. Also always try to download files. If you use Mozilla Firefox it prompts "Save" or "Open with" and shows the address the file is being downloaded from. This can reveal buckets.
(Let me know if you have more ideas for finding buckets.)
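The three manual techniques above all end with the same step: reducing an address seen in DNS output, an intercepted request or a download prompt to a bucket name. The following script is an added example, not code from the original post, that does that reduction for the URL forms S3 actually serves (virtual-hosted, regional, website and path-style endpoints) and also generates the guessable names that wordlist-based finders such as bucket_finder try. The recon text it runs on is constructed for the example; the hostnames and bucket names in it are made up.

```python
"""Pull S3 bucket names out of URLs and hostnames gathered during recon.

Added example (not code from the original post). It recognises the URL
forms S3 serves: virtual-hosted (<bucket>.s3.amazonaws.com,
<bucket>.s3.<region>.amazonaws.com, <bucket>.s3-website-<region>.amazonaws.com)
and path-style (s3.amazonaws.com/<bucket>/...), so intercepted upload
requests, download prompts and DNSDumpster output reduce to bucket names.
"""
import re
from urllib.parse import urlparse

# Virtual-hosted style: the bucket is everything before ".s3" in the host.
_VHOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$"
)
# Path-style: the host is a bare S3 endpoint and the bucket is the first path segment.
_PATH_HOST_RE = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")
# Anything in free text that looks like an S3 URL or hostname, with an optional path.
_S3_TOKEN_RE = re.compile(
    r"(?:https?://)?[a-z0-9.-]*s3[a-z0-9.-]*\.amazonaws\.com(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def bucket_from_url(url):
    """Return the bucket name addressed by an S3 URL or hostname, else None."""
    if "://" not in url:
        url = "//" + url.lstrip("/")       # let urlparse treat a bare host as the netloc
    parsed = urlparse(url)
    host = parsed.hostname or ""           # lower-cased, port stripped
    m = _VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if _PATH_HOST_RE.match(host):
        first = parsed.path.lstrip("/").split("/", 1)[0]
        return first.lower() or None       # a bare "s3.amazonaws.com/" names no bucket
    return None


def buckets_from_text(text):
    """Unique bucket names, in order of first appearance, from intercepted
    requests, page source or DNS dump output."""
    found = []
    for m in _S3_TOKEN_RE.finditer(text):
        name = bucket_from_url(m.group(0))
        if name and name not in found:
            found.append(name)
    return found


# Suffixes that wordlist-based bucket finders commonly try for a target name.
COMMON_SUFFIXES = ["", "-backup", "-backups", "-dev", "-staging", "-prod",
                   "-assets", "-uploads", "-static"]


def candidate_names(org):
    """Guessable bucket names for a target. Bucket names are global, so each
    candidate can be probed directly without knowing the owning account."""
    org = org.lower()
    return [org + suffix for suffix in COMMON_SUFFIXES]


# Constructed sample of what recon turns up: an intercepted upload request, a
# download link from page source, a DNSDumpster-style CNAME line, a repeat of
# the first bucket, and a URL that is not S3 at all. All names are made up.
SAMPLE_RECON = """
POST https://uploads-prod-example.s3.amazonaws.com/avatars/123.png HTTP/1.1
<a href="https://s3.eu-west-1.amazonaws.com/example-backups/db.sql.gz">download</a>
static.example.com CNAME example-static.s3-website-us-east-1.amazonaws.com
https://uploads-prod-example.s3.amazonaws.com/avatars/999.png
https://example.com/not-a-bucket
"""

if __name__ == "__main__":
    for bucket in buckets_from_text(SAMPLE_RECON):
        print(bucket)
```

Feed it a saved proxy log, a page's HTML or the export from DNSDumpster and it prints one bucket per line, ready for the checks in the next section; candidate_names() gives you the guesses to try when recon turns up nothing.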
The six vulnerability types are :-
Amazon S3 bucket allows for full anonymous access
Amazon S3 bucket allows for arbitrary file listing
Amazon S3 bucket allows for arbitrary file upload and exposure
Amazon S3 bucket allows for blind uploads
Amazon S3 bucket allows arbitrary read/writes of objects
Amazon S3 bucket reveals ACP/ACL
(Referred from the Detectify blog.)
Checking for Misconfigurations :-
Now that we have configured the AWS CLI and understood how to find buckets, let's see how to check for basic misconfigurations.
We can check whether we can list the objects stored in a bucket with the command
aws s3 ls s3://Bucket_name
Because the CLI signs this request with your configured keys, a listing here means the bucket grants read access to any authenticated AWS user (the AuthenticatedUsers group). To see what an anonymous visitor gets instead, repeat the command with the --no-sign-request flag; a bucket can be open to one group and closed to the other.
This will give you a result like the one below (the listing in the original post is a screenshot taken from a HackerOne report).
You can list the objects in sub-directories as well by adding the --recursive flag:
aws s3 ls s3://Bucket_name --recursive
A properly configured bucket returns an Access Denied error.
Quite often we are not able to list the objects but are still able to copy, move or delete files, because the bucket grants write access without read access.
We can simply use the following command:
aws s3 mv test.txt s3://bucket
which prints an upload line like the one below if the file is moved successfully, or Access Denied if the bucket is properly configured. Note that mv deletes the local copy after the upload; use a harmless file with a unique name, and remove it again with aws s3 rm s3://bucket/test.txt once you have your proof, so that you leave nothing behind on the target. If the upload succeeds but you still cannot list the bucket, that is the blind-upload case from the list above.
A few more examples :-
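The CLI commands above tell you the outcome but hide the response, and with configured keys they test as an authenticated AWS user rather than as an anonymous visitor. The script below is an added example, not code from the original post or from any of the tools listed earlier: it sends unsigned requests straight to the S3 REST API (the same thing aws s3 ls with --no-sign-request does underneath), classifies the bucket-root response (listing, Access Denied, no such bucket, or a redirect to the bucket's real region), and reads the bucket ACL to map public grants onto the six finding types. The response bodies it is tested on are constructed in the shapes S3 returns, with made-up names and shortened IDs; the function names are my own.

```python
"""Classify what an S3 bucket exposes to an anonymous caller.

Added example, not code from the original post. It talks to the S3 REST
API over plain HTTPS, which is what `aws s3 ls --no-sign-request` does
underneath, so the XML handled here is the real S3 response format. The
network calls are only made when the file is run as a script; the parsing
and classification functions work on response bodies and run offline.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"             # anonymous / everyone
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account

# What each bucket ACL permission lets the grantee do, in terms of the six finding types.
PERMISSION_MEANING = {
    "READ": "list objects (arbitrary file listing)",
    "WRITE": "create, overwrite and delete objects (uploads, blind uploads, arbitrary writes)",
    "READ_ACP": "read the bucket ACL (reveals ACP/ACL)",
    "WRITE_ACP": "change the bucket ACL (take over the bucket)",
    "FULL_CONTROL": "all of the above (full access)",
}


def classify_listing(status, body):
    """Turn the response to an anonymous GET on the bucket root into a finding."""
    body = body.strip()
    if status == 200:
        root = ET.fromstring(body)
        keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
        return {"finding": "anonymous listing", "keys": keys}
    # Error responses carry an un-namespaced <Error><Code>...</Code></Error> body.
    try:
        err = ET.fromstring(body) if body else None
    except ET.ParseError:
        err = None
    code = err.findtext("Code") if err is not None else ""
    if code == "AccessDenied":
        return {"finding": "access denied"}      # listing is closed to anonymous users
    if code == "NoSuchBucket":
        return {"finding": "no such bucket"}
    if code == "PermanentRedirect":
        # Bucket lives in another region; S3 names the endpoint to retry against.
        return {"finding": "redirect", "endpoint": err.findtext("Endpoint")}
    return {"finding": "other", "status": status, "code": code}


def public_grants(acl_body):
    """From a GET /?acl body, return (group, permission) pairs handed to everyone
    or to all AWS accounts. Owner and named-account grants are not exposures."""
    grants = []
    for grant in ET.fromstring(acl_body.strip()).iter(S3_NS + "Grant"):
        uri = grant.findtext(S3_NS + "Grantee/" + S3_NS + "URI")
        if uri in (ALL_USERS, AUTH_USERS):
            grants.append((uri.rsplit("/", 1)[1], grant.findtext(S3_NS + "Permission")))
    return grants


def describe(grants):
    """One report line per public grant."""
    return ["%s: %s" % (group, PERMISSION_MEANING.get(perm, perm)) for group, perm in grants]


def fetch(url):
    """Unsigned GET; returns (status, body) for success and HTTP errors alike."""
    req = urllib.request.Request(url, headers={"User-Agent": "s3-misconfig-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(bucket):
    """Live check of one bucket as an anonymous user (network required)."""
    base = "https://%s.s3.amazonaws.com/" % bucket
    result = classify_listing(*fetch(base))
    if result["finding"] == "redirect":
        base = "https://%s/" % result["endpoint"]
        result = classify_listing(*fetch(base))
    acl_status, acl_body = fetch(base + "?acl")
    result["public_grants"] = public_grants(acl_body) if acl_status == 200 else []
    return result


# Constructed response bodies in the shapes S3 returns (names made up, IDs shortened).
LISTING_OK = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>example-backups</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
<Contents><Key>db/backup-2018-11-01.sql.gz</Key><Size>10485760</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>config/.env</Key><Size>512</Size><StorageClass>STANDARD</StorageClass></Contents>
</ListBucketResult>"""
ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EXAMPLE</RequestId></Error>"
WRONG_REGION = ("<Error><Code>PermanentRedirect</Code><Message>The bucket you are attempting to access must be "
                "addressed using the specified endpoint.</Message>"
                "<Endpoint>example-backups.s3-eu-west-1.amazonaws.com</Endpoint><Bucket>example-backups</Bucket></Error>")
ACL_PUBLIC = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner><ID>EXAMPLEOWNERID</ID></Owner><AccessControlList>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>EXAMPLEOWNERID</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee><Permission>READ</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI></Grantee><Permission>WRITE</Permission></Grant>
</AccessControlList></AccessControlPolicy>"""

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        result = probe(name)
        print(name, result["finding"], *describe(result["public_grants"]), sep="\n  ")
```

Run it with one or more bucket names as arguments. The ACL read only succeeds when READ_ACP has been granted to the group you are testing as, so an empty public_grants list with an open listing is still a finding; the CLI equivalent of that second request is aws s3api get-bucket-acl --bucket Bucket_name --no-sign-request. A WRITE grant to AuthenticatedUsers, as in the constructed ACL, is the case the mv test above catches: any AWS account can upload, even though anonymous users cannot.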
Impact :-
The impact of such a misconfiguration depends on what the bucket stores and who owns it. If the bucket is in scope and holds sensitive data (backups, source code, credentials, customer uploads) you can expect a good bounty. If the information is not sensitive, for example public marketing images, it may be treated as a low-priority bug, but reporting such low-hanging fruit is still worth it, especially write access, since an attacker could replace the files the site serves.
Below are some HackerOne reports for the same vulnerability :-
Remediation and Fix :-
The root cause is an over-permissive bucket ACL or bucket policy, typically a grant to the Everyone (AllUsers) or Any authenticated AWS user (AuthenticatedUsers) group. The fix is to remove those grants, give each application its own IAM user or role with only the actions it needs on only its own bucket, and turn on S3 Block Public Access for the account so that public ACLs and policies are rejected even if someone adds them again later. After the change, re-run the listing and upload checks above, both signed and with --no-sign-request, and confirm that every one of them now returns Access Denied.
That's it, folks!
Thanks for reading, happy hunting!