Misconfigured s3 bucket leads to Sensitive Data exposure(No super controls )
Amazon S3 (Simple Storage Service) is one of the popular and widely used storage services. Many companies are using S3 buckets to store their assets such as user profile pictures, static resources, and anything as per their business logic and needs. However, if the buckets are not configured properly, or are unclaimed, an attacker can probably perform some mischievous actions such as S3 Bucket Takeover or S3 Content Takeover.
Hi Fellow Hackers this is Deepak Dhiman from India.In this article, I will be talking about one of the recent encounters where a misconfigured S3 Bucket that disclose the old server code with auth file users.htpasswd.
You can read more about Amazon S3 here.
The application I was testing had a medium scope. The finding is related to one of the subsidiaries of the program. Let’s call the subsidiary “target.com”.
I started with subdomain enumeration and resolving unique subdomains with the following command:
“Subfinder -d target.com | httpx | tee -a alive.txt”
So I get all the alive subdomains.
So I put every single alive domain in browser let call it site.com.
https://site.com so after this I put /%C0
And I notice that it give me an cloudflare error like this,.
<Message>Couldn’t parse the specified URI.</Message>
So I just append the target domain with .s3.amazonaws.com .
And I get the bucket name. Some time it says no such bucket. So in that case what I do I just run dig on that.
$ dig site.com
So it gives CNAME of pointed domain.
So I am thinking what to do with this. So I read this article.
S3 Bucket Misconfigured Access Controls to Critical Vulnerability
Amazon S3 (Simple Storage Service) is one of the popular and widely used storage services. Many companies are using S3…
But unluckily on CRUD operation I get access denied.
So here comes my CTF skills in role. That first check what I can do so I just run this.
aws s3 ls s3://target-bucketname
And in response I have found
And after checking this I found server.js and users.httpasswd . So I am able to read their old server code(env one) and with auth users.httpasswd.
Follow me on
Thank you ,
Hope you like this(Sorry for bad english).