Misconfigured AWS S3 Bucket Enumeration

Amazon S3 is easy-to-use object storage with a simple web service interface that you can use to store and retrieve any amount of data from anywhere on the web. Amazon S3 also allows you to pay only for the storage you actually use.

Different type of storage in AWS:

1.S3: Simple Storage Service used as storage cloud provided by AWS, its charges for that what we use, it is object storage.

2.EBS: Elastic Block store which comes with the instance, only connected instance can use this storage just like C or D drive in our system, it is block storage means used to install the software.

3.Glacier: Glacier is also Amazon S3 service which used to archive data for long-term at low cost.

4.Storage Gateway: It is used to store our premises data to S3 and also keep data locally.

Common use cases for Amazon S3 storage:

1.Backup and archive for on-premises or cloud data
2.Content, media, and software storage and distribution
3.Big data analytics
4.Static website hosting
5.Cloud-native mobile and Internet application hosting
6.Disaster recovery

Advantage of Amazon S3:

1.Create Buckets: Create and name a bucket that stores data. Buckets are the fundamental container in Amazon S3 for data storage.

2.Store data in Buckets: Store an infinite amount of data in a bucket. Upload as many objects as you like into an Amazon S3 bucket. Each object can contain up to 5 TB of data.

3.Download Data: Download our data or enable others to do so. Download your data any time you like or allow others to do the same.

4.Permissions: Grant or deny access to others who want to upload or download data into your Amazon S3 bucket. Grant upload and download permissions to specific users.

5.Standard interfaces: Use standards-based REST and SOAP interfaces designed to work with any Internet-development toolkit.

Access Control Lists (ACLs):

S3 access control lists can be applied at the bucket level as well as at the object level. They generally support the following set of permissions:

1.READ: At the bucket level, this allows the grantee to list the objects in a bucket. At the object level, this allows the grantee to read the contents as well as the metadata of an object.

2.WRITE: At the bucket level, this allows the grantee to create, overwrite, and delete objects in a bucket.

3.READ_ACP: At the bucket level, this allows the grantee to read the bucket’s access control list. At the object level, this allows the grantee to read the object’s access control list.

4.WRITE_ACP: At the bucket level, this allows the grantee to set an ACL for a bucket. At the object level, this allows the grantee to set an ACL for an object.

5.FULL_CONTROL: At the bucket level, this is equivalent to granting the “READ”, “WRITE”, “READ_ACP”, and “WRITE_ACP” permissions to a grantee. At the object level, this is equivalent to granting the “READ”, “READ_ACP”, and “WRITE_ACP” permissions to a grantee.

S3 Common Vulnerabilities:

If you’re new to AWS or S3, there are a few common vulnerabilities you should be aware of:

1.Unauthenticated Bucket Access: As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and or write to a bucket.

2.Semi-public Bucket Access: An S3 bucket is configured to allow access to “authenticated users”. This, unfortunately, means anyone authenticated to AWS. A valid AWS access key and secret are required to test for this condition.

3.Improper ACL Permissions: The ACL of the bucket has its own permissions which are often found to be world-readable. This does not necessarily imply a misconfiguration of the bucket itself, however, it may reveal which users have what type of access.

How to find S3 buckets of a target application:

There are multiple ways to find an associated Amazon s3 bucket of the target application, I will try to share all possible way to find the bucket of the target application.

# Method 1:
Use this google dorks for finding s3 bucket
site: s3.amazonaws.com <site.com>

# Method 2:
You can use many online tools that are available on GitHub to find S3 bucket of a website. I would like to list down a few of them:

1) Slurp
2) Bucket_finder
3) S3Scanner
4) Lazy S3
5) S3 Bucket Finder

Almost all tools are command-line tools, You have can clone them from GitHub.

# Method 3:
Use the BURP Suite and spider the target web application. BURP Spider can extract the Amazon bucket of the target web application.

# Method 4:
Right-click on any image of the target application and open image in new tab. If the image URL looks like this:
http://xyz.s3.amazonaws.com/images/b1.gif

It means the target application is storing their data to the Amazon server and the bucket name is “xyz”. Anything before “.s3” in the URL is the bucket name of the target application.

# Method 5:
Sometimes you find Amazon bucket in Content-Security-Policy Response headers

How to check the misconfiguration of Amazon S3 buckets (ACLs) permission.

First, you have to install AWSCLI on your Linux environment.

Second, you have to configure AWSCLI on your Linux environment.

Create an AWS account and configure your details.

How to list the permission of a misconfigured Amazon S3 Bucket.

aws s3api get-bucket-acl — bucket <bucket-name>

How to list the content of a misconfigured Amazon S3 Bucket.

aws s3 ls s3://<bucket-name>

How to list the content of a misconfigured Amazon S3 Bucket.

aws s3 mv <file> s3://<bucket-name>

aws s3 cp <file> s3://<bucket-name>

How to delete the content of a misconfigured Amazon S3 Bucket.

aws s3 rm s3://<bucket-name>/test.txt

Remediation:

  1. Apply proper ACL, Disable writes permission to avoid uploading the file from an external user.
  2. Disable directory listing to avoid view the content of the Amazon bucket.
  3. Make sure to apply the proper policies on buckets and objects to handle the CORS request securely.

References:

https://resources.infosecinstitute.com/amazon-s3-buckets-hardening/

Leave a Reply

Your email address will not be published. Required fields are marked *