Hello Friends, I am Rohan Chavan. I am a Computer Engineering student and a bug bounty hunter. In this article I am going to share some of my research on finding misconfigured S3 buckets. Please comment your feedback, or any tips and techniques I might have missed.
What are S3 buckets?
Amazon S3 (Simple Storage Service) is a cloud storage service from AWS (Amazon Web Services) used to store files, folders, objects, etc. It is mostly used to store images, videos, PDFs and text files, and in rare cases source backups, credentials in plain text, etc. AWS can be used through the web console or through the CLI (which we will be using).
Configuring your AWS account :-
1. First you need to sign up for a free AWS account: Amazon Web Services (AWS) - Cloud Computing Services
2. Then download the CLI for your machine: Install the AWS CLI on Windows - AWS Command Line Interface
3. Next, configure your AWS account in the CLI: Configuring the AWS CLI - AWS Command Line Interface
The official AWS documentation is easy to understand and follow, so I am just sharing the links to those articles. Please comment below if you are not able to follow along.
Finding Buckets :-
Buckets can be found manually or by using automated scripts such as :-
Manual method :-
1. Suppose you are hunting on a target: you can use dnsdumpster to find all of its subdomains, and it also finds S3 buckets, which will look like
2. You can find buckets by intercepting the requests made when uploading a profile picture, etc.
3. Also, always try to download files: Mozilla Firefox prompts you to "Save" or "Open with" and shows the URL the file is being downloaded from, which can reveal buckets.
(Let me know if you have more ideas for finding buckets.)
The 6 vulnerability types are :-
1. Amazon S3 bucket allows for full anonymous access
2. Amazon S3 bucket allows for arbitrary file listing
3. Amazon S3 bucket allows for arbitrary file upload and exposure
4. Amazon S3 bucket allows for blind uploads
5. Amazon S3 bucket allows arbitrary read/writes of objects
6. Amazon S3 bucket reveals ACP/ACL
(Referred from the Detectify blog)
Checking for Misconfigurations :-
Now that we have configured our AWS CLI and understood how to find buckets, let's see how to check for basic misconfigurations.
We can check whether we can list the items stored in the bucket by using the command:
aws s3 ls s3://Bucket_name
This will give you a result like below (image from a HackerOne report).
You can list all the items, including those in subdirectories, by adding the --recursive flag.
A properly configured bucket will give an Access Denied error.
Many times it happens that we are not able to list files but we are still able to copy, move, or delete them.
We can simply use the following command (note that mv removes the local copy after a successful upload):
aws s3 mv test.txt s3://bucket
which will give us an output like below if our file is moved successfully,
or Access Denied if the bucket is properly configured.
Few more examples :-
The impact of such a misconfiguration depends on what the bucket is storing: if the bucket is in scope and holds sensitive data, you can expect a good bounty. If the information is not so sensitive it might be a low-priority bug, but reporting such low-hanging fruit is always worth it.
Below are some HackerOne reports for the same vulnerability :-
- Legal Robot disclosed on HackerOne: S3 ACL misconfiguration
  "Summary: Legal Robot's s3 bucket [legalrobot.com] is misconfigured. The ACL allows me to access and copy…"
- Zomato disclosed on HackerOne: Amazon S3 bucket misconfiguration...
  "Hi, Description: I have discovered one of your Amazon S3 bucket and tested it via the AWS command line tool on Linux…"
- Reverb.com disclosed on HackerOne: Possible Blind Writing to S3 Bucket
  "Hi All, I noticed that you are using S3 and I believe I may have found one of your buckets and am able to write to it…"
- Ruby disclosed on HackerOne: Open S3 Bucket WriteAble To Any Aws User
  "Hi All, I know that http://rubyci.s3.amazonaws.com is used for file uploads on reports and so when i open your s3…"
Remediation and Fix :-
The root cause is overly permissive bucket and object permissions (ACLs and bucket policies); restricting them to the intended users fixes such issues.
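As an added example (not from the original article), the following Python audits a bucket ACL of the kind `aws s3api get-bucket-acl --bucket <name>` returns, flagging every grant to the AllUsers or AuthenticatedUsers group and mapping it to the vulnerability types listed above; the ACL embedded at the bottom is a constructed sample, not a real bucket's.

```python
# Added example (not from the original article): audit an S3 bucket ACL,
# as returned by `aws s3api get-bucket-acl --bucket <name>`, for grants
# to the two predefined public groups. The ACL at the bottom is constructed.
import json

# AllUsers = anonymous; AuthenticatedUsers = any AWS account at all.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS user",
}
# Which misconfiguration from the list above each public permission maps to.
PERMISSION_IMPACT = {
    "READ": "arbitrary file listing",
    "WRITE": "arbitrary file upload/delete",
    "READ_ACP": "reveals ACP/ACL",
    "WRITE_ACP": "ACL can be rewritten (full takeover)",
    "FULL_CONTROL": "full access",
}

def audit_acl(acl: dict) -> list:
    """Return one finding dict per grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are not public
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who is None:
            continue  # other groups, e.g. LogDelivery, are not public
        perm = grant.get("Permission")
        findings.append({"who": who, "permission": perm,
                         "impact": PERMISSION_IMPACT.get(perm, "unknown")})
    return findings

# Constructed sample ACL: owner keeps FULL_CONTROL, plus two public grants.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}""")

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['permission']} granted to {f['who']}: {f['impact']}")
```

Running the same function over the ACL of each bucket you own is a quick way to find the grants that need removing; an ACL with only canonical-user grants produces no findings.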
That's it, folks!!!
Thanks for reading, happy hunting!!!