AWS S3 Bucket Misconfiguration

Last updated 5 years ago

Introduction

Amazon S3 (Simple Storage Service) is an object storage service from AWS (Amazon Web Services) used to store files, folders and other objects. It is mostly used for images, videos, PDFs and text files, and in rare cases for source backups, credentials in plain text, and similar sensitive material.

An S3 bucket misconfiguration can give an attacker full anonymous access to your files, leading to loss of reputation and loss of integrity and confidentiality.

How to Test

Testing can be done manually or with automated scripts, as follows:

Automated Scripts:

Bucket Finder: https://github.com/FishermansEnemy/bucket_finder

S3Scanner: https://github.com/sa7mon/S3Scanner

s3-inspector: https://github.com/kromtech/s3-inspector

Manual method:

1. Suppose you are hunting on a target: you can use dnsdumpster to find all of its subdomains. It also finds S3 buckets, which look like

<Bucket_Name>.s3.amazonaws.com

2. You can also find buckets by intercepting requests such as a profile-picture upload.

3. Always try to download files: Firefox prompts you to "Save" or "Open with" and shows the URL the file is being downloaded from, which can reveal buckets.

How to Fix

The root cause is improper permissions; setting them correctly fixes the issue.

  1. Review the bucket ACLs to verify that WRITE and WRITE_ACP are granted only to specific users, never to groups such as AllUsers or AuthenticatedUsers.

  2. Look at how you upload objects to S3 buckets and make sure you set proper ACLs on both buckets and objects.

Note: Newly created Amazon S3 buckets and objects are private and protected by default.
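The ACL review in step 1, and the Block Public Access setting referenced below, can be checked programmatically. The following is an added example written for this page, not code from Sumeru or from AWS. It works on dicts shaped like the responses of boto3's `get_bucket_acl` and `get_public_access_block` calls, so it runs offline on the constructed sample data below and can equally be fed live responses; the bucket name and grants in the samples are made up.

```python
"""Audit an S3 bucket ACL and its Block Public Access settings for public exposure.

The input dicts follow the shape returned by boto3's
s3.get_bucket_acl(Bucket=...) and s3.get_public_access_block(Bucket=...).
Sample data below is constructed for illustration.
"""

# Canonical group URIs that mean "anyone on the internet" (AllUsers) or
# "anyone with any AWS account" (AuthenticatedUsers). Both are public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# WRITE lets a grantee add, replace or delete objects; WRITE_ACP lets them
# rewrite the ACL itself; FULL_CONTROL implies every permission.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

BPA_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl):
    """Return (group, permission) pairs granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not public
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group:
            findings.append((group, grant["Permission"]))
    return findings


def classify(acl):
    """'writable' if a public group can change data or the ACL,
    'readable' if it can only read or list, 'private' otherwise."""
    perms = {perm for _, perm in public_grants(acl)}
    if perms & WRITE_LIKE:
        return "writable"
    if perms:
        return "readable"
    return "private"


def block_public_access_gaps(cfg):
    """List the Block Public Access switches that are not enabled."""
    settings = cfg.get("PublicAccessBlockConfiguration", {})
    return [k for k in BPA_SWITCHES if not settings.get(k, False)]


def audit(name, acl, bpa):
    """Combine both checks into one report dict for a bucket."""
    return {
        "bucket": name,
        "exposure": classify(acl),
        "public_grants": public_grants(acl),
        "bpa_gaps": block_public_access_gaps(bpa),
    }


# Constructed sample: a bucket that grants WRITE to every anonymous user and
# READ to any AWS account, with Block Public Access only partly enabled.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_BPA = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}

# Constructed sample: the private default for a newly created bucket.
PRIVATE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"}]}
PRIVATE_BPA = {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_SWITCHES, True)}

if __name__ == "__main__":
    for name, acl, bpa in (("example-uploads", SAMPLE_ACL, SAMPLE_BPA),
                           ("example-private", PRIVATE_ACL, PRIVATE_BPA)):
        print(audit(name, acl, bpa))
```

To run it against real buckets, pass the results of `boto3.client("s3").get_bucket_acl(Bucket=name)` and `get_public_access_block(Bucket=name)` to `audit`. Any bucket reported as `writable` matches the failure mode in step 1 above; `readable` still exposes listing and download, and a non-empty `bpa_gaps` means the account-level safety net from the AWS blog post in the references is not fully in place.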

References

https://github.com/FishermansEnemy/bucket_finder
https://github.com/sa7mon/S3Scanner
https://github.com/kromtech/s3-inspector
https://medium.com/@rohanchavan/finding-and-testing-misconfigured-s3-buckets-d77992c4b5cd
https://medium.com/@cvignesh28/aws-s3-bucket-misconfiguration-c11e8f86e9a7
https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
https://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html