How I was able to access a properly Configured S3 Bucket

Hello All

This is my very first writeup and I hope it helps everyone. Recently, I came across an application which was using “S3 Buckets”. The bucket was used to store “KYC” documents and other important stuff. I tried accessing the bucket with “AWS CLI” to check for “Public Read” and “Public Write” access. Fortunately, the bucket was properly configured and gave the error as “Access Denied” for both “Public Read” and “Public Write”.

Properly Configured S3 Bucket Output

This behaviour scratched my mind and I decided to recon. I started going through all the JS files to search something sensitive in the source code. Manually going through all the JS files was not possible so I came across a Burp Extender that helped me to automate the process.

BurpSuite-Xkeys — A Burp Suite Extension to extract interesting strings (Keys, API keys, Secret tokens, AWS Secrets etc.) from a webpage and lists them as information issues. Just passive scan the target and wait for the juicy information to come as listed below. This is my personal favorite extender.

A big shoutout to the person who made our job easier by releasing the extender.

Xkeys Output

As soon as I started getting the results, “aws_secret_access_key” and “aws_access” caught my eyes. These things were present in a config file which was available without authentication. The config file had all the important stuff that the developer had left by mistake. The config file looked like this:

Config file

Then, I remembered that while configuring “AWS CLI” tool “AWS Access Key ID” and “AWS Secret Access Key” are required. Those things were already present in the config file. I configured “AWS CLI” with those keys and tried accessing the bucket.

Booooooooooooooooom!!!!

The bucket listed the content, and I could access all the “KYC Documents”. Not only this, but the bucket also allowed me to upload and delete the content.

Confidentiality, Integrity and Availability, all the three pillars were affected.

Access to the bucket

Golden Tip: Make sure you don’t stop at any point. Deep dig and you will get juicy information. If that’s not the case, you will end up learning something new that will benefit you later.

Happy Testing!

Twitter: @heybenchmarkkk

LinkedIn: Pawan Chhabria

a.k.a Benchmarkkk | Security Enthusiast| Web | Android | API |Top OnePlus Hacker 2019–2020 | Google Hall of Fame