This article is a guide to finding and exploiting Amazon S3 buckets for bug bounties.
Abstract
The article covers Amazon S3 buckets and how they can be exploited for bug bounties. Amazon S3 buckets are public static cloud file storage resources in Amazon Web Services' Simple Storage Service (S3). These buckets, similar to file folders, store objects consisting of data and descriptive metadata. The article notes that many web developers use this service to host files like JavaScript, HTML, images, and CSS. However, when creating S3 buckets, developers may configure unnecessary policies and configurations for public users, leading to unauthorized file access, upload, and deletion. The article then gives a step-by-step guide to exploiting these vulnerabilities using a Python script, AWS-CLI, and regular expressions.
Bullet points
Amazon S3 buckets are public static cloud file storage resources in Amazon Web Services' Simple Storage Service (S3).
S3 buckets store objects consisting of data and descriptive metadata.
Many web developers use this service to host files like JavaScript, HTML, images, and CSS.
Developers may configure unnecessary policies and configurations for public users, leading to unauthorized file access, upload, and deletion.
The article provides a step-by-step guide to exploiting these vulnerabilities using a Python script, AWS-CLI, and regular expressions.
The guide involves creating an Amazon account, configuring AWS-CLI, writing regular expressions to detect S3 buckets, and using these to find and exploit vulnerabilities.
The article also discusses the different types of HTML form encoding and how to decode urlencoded content.
The exploit involves using AWS-CLI to check for the presence of sensitive files, download them to your box, and even upload files to the buckets.
Finding And Exploiting S3 Amazon Buckets For Bug Bounties
Many websites have private S3 buckets holding secrets inside. We want them.
An Amazon S3 bucket is a public static cloud file storage resource available in Amazon Web Services’ (AWS) Simple Storage Service (S3), an object storage offering. S3 buckets, which are similar to file folders, store objects, which consist of data and its descriptive metadata.
Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its global e-commerce network. It can be employed to store any type of object, which gives users storage for Internet applications, backup and recovery, disaster recovery, data archives, data lakes for analytics, and hybrid cloud storage.
The Weakest Link
Many web developers use this service to host files like JavaScript, HTML, images, and CSS.
.s3.amazonaws.com/js/main.js
While creating S3 buckets, developers sometimes configure unnecessary policies and configurations for public users. This can lead to unauthorized file access, upload, and deletion.
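To see the misconfiguration from the owner's side, the following added example (not code from the original article) audits a bucket policy document for statements that let anonymous users list, read, upload, or delete. The bucket name `example-assets` and both policies are constructed samples; the check covers only unconditional `Allow` statements in a bucket policy and does not evaluate ACLs, `Deny` statements, or Block Public Access settings.

```python
import json
from fnmatch import fnmatchcase

# Actions behind the outcomes the article names: listing, read, upload, delete.
RISKY = {"s3:ListBucket": "list", "s3:GetObject": "read",
         "s3:PutObject": "upload", "s3:DeleteObject": "delete"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means anyone, including unauthenticated users.
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def public_grants(policy_json):
    """Return the sorted outcomes an unconditional public Allow hands out."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # simplification: conditioned statements need manual review
        for pattern in _as_list(stmt.get("Action", [])):
            for action, outcome in RISKY.items():
                # IAM action names are case-insensitive and may use * and ? wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(outcome)
    return sorted(granted)

# Constructed sample policies for a hypothetical bucket "example-assets".
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"]}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-assets/js/*"}]})

if __name__ == "__main__":
    print("weak :", public_grants(WEAK_POLICY))
    print("fixed:", public_grants(FIXED_POLICY))
```

The corrected policy still serves static assets publicly, but only read access to the `js/` prefix remains.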
How to Exploit This?
In reality, there are many ways to do it, but today we will build a Python script to help us with this task. The app will find the S3 buckets and their secrets using a regular expression.
A regular expression is a special sequence of characters that helps you match or find other strings or sets of strings, using a specialized syntax held in a pattern. … The Python module re provides full support for Perl-like regular expressions in Python.
Part 1.0
Prior to exploiting any S3 buckets, you need to have an Amazon account. Log in to your account and create an access key and secret key. Now, we need to configure AWS-CLI.
Open your Terminal and run the following code:
It will ask you for an access key and secret key. Just add the previously made keys.
Part 1.5
Before even starting to build the app, we need to write a regular expression to help detect the S3 buckets. It will be used within our Python app to find them. In a virtual-hosted–style request, the bucket name is part of the domain name in the URL. Virtual-hosted–style URLs follow the format shown below.
https://bucket-name.s3.Region.amazonaws.com/ #key name
In this example, my-bucket is the bucket name, US West (Oregon) is the Region, and puppy.png is the key name:
Most S3 buckets are hiding inside JavaScript files. First, let’s find those .js paths, and second, we need to collect those .js files and inspect them for hidden buckets inside. Let’s write a regex that will find those .js paths for us.
(?<=src=['\"])[a-zA-Z0-9_\.\-\:\/]+\.js
Creating The App
Let’s write the code to detect the S3 buckets. In this section, we will write the actual app and put everything together to make it work and find those buckets.
HTML Form Encoding
The encoding type of a form is determined by the enctype attribute. It can have three values: URL-encoded forms, multipart forms, and text/plain forms.
application/x-www-form-urlencoded - Represents a URL-encoded form. This is the default value if the enctype attribute is not set to anything.
multipart/form-data - Represents a multipart form. This type of form is used when the user wants to upload files.
text/plain - A new form type introduced in HTML5 that, as the name suggests, simply sends the data without any encoding.
As you can see in Line 2, the unquote function from the urllib module was imported because most HTML content is in urlencoded format. This needs to be decoded; otherwise, the previous regex we made will never get a match. In Line 4, Domains-to-test.txt will be the file holding the domains you want to test for S3 buckets.
After finding a webpage's hidden S3 buckets, you can test them manually for vulnerabilities. Let’s use the AWS-CLI configured in Part 1.0 for this task.
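The following added example (not the article's original script) combines the Part 1.5 regex with the decoding step described above to inventory which buckets a page you are responsible for references, so their policies can be reviewed. It goes beyond the virtual-hosted–style format shown earlier by also matching path-style URLs; the sample HTML, JavaScript, and bucket names are constructed, and it works on text already in memory with no network access.

```python
import re
from urllib.parse import unquote

# The article's script-path regex, written with plain ASCII quotes and hyphens.
JS_SRC = re.compile(r"""(?<=src=['"])[a-zA-Z0-9_.\-:/]+\.js""")
# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
NAME = r"([a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])"
# Host suffix: s3.amazonaws.com, s3.<region>.amazonaws.com, s3-<region>.amazonaws.com
S3_HOST = r"s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com"
VHOST = re.compile(r"\b" + NAME + r"\." + S3_HOST, re.I)   # bucket.s3...
PATH = re.compile(r"//" + S3_HOST + "/" + NAME, re.I)      # s3.../bucket/key

def find_js_paths(html):
    """Return every .js path found in a src attribute."""
    return JS_SRC.findall(unquote(html))

def find_buckets(text, decode=True):
    """Return the sorted, de-duplicated bucket names referenced in text."""
    if decode:
        text = unquote(text)  # turn %3A%2F%2F back into :// before matching
    names = {m.group(1).lower() for rx in (VHOST, PATH) for m in rx.finditer(text)}
    return sorted(names)

# Constructed sample content; the bucket names are made up.
SAMPLE_HTML = """<script src="/static/js/main.js"></script>
<script src='https://example-assets.s3.amazonaws.com/js/app.js'></script>
<a href="/go?u=https%3A%2F%2Fexample-uploads.s3.us-west-2.amazonaws.com%2Fpuppy.png">x</a>"""
SAMPLE_JS = 'var cdn = "https://s3.eu-west-1.amazonaws.com/example-legacy/img/";'

if __name__ == "__main__":
    print(find_js_paths(SAMPLE_HTML))
    print(find_buckets(SAMPLE_HTML + SAMPLE_JS))
    # Without decoding, "%2F" bleeds into the name: 2fexample-uploads
    print(find_buckets(SAMPLE_HTML, decode=False))
```

With `decode=False` the encoded URL yields a mangled bucket name, which is the practical reason for the `unquote` call.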
Exploit
To test any found buckets, open your Terminal and run the following commands.
aws s3 ls s3://whateverbucketname
Check for the presence of any sensitive files, and if there are any, try to download them to your box:
aws s3 cp s3://whateverbucketname/secret.txt .
You can also upload files. To do this, just run:
aws s3 mv Exploit.txt s3://whateverbucketname/
Conclusion
Sure, this can also be done using tools like BurpSuite, but unless you have the Pro version, you won’t be able to do it. Also, I feel more satisfied when working with self-made tools and scripts.