How I was able to access a properly Configured S3 Bucket
Hello All
This is my very first writeup and I hope it helps everyone. Recently, I came across an application which was using “S3 Buckets”. The bucket was used to store “KYC” documents and other important stuff. I tried accessing the bucket with “AWS CLI” to check for “Public Read” and “Public Write” access. Fortunately, the bucket was properly configured and gave the error as “Access Denied” for both “Public Read” and “Public Write”.
This behaviour scratched my mind and I decided to recon. I started going through all the JS files to search something sensitive in the source code. Manually going through all the JS files was not possible so I came across a Burp Extender that helped me to automate the process.
BurpSuite-Xkeys — A Burp Suite Extension to extract interesting strings (Keys, API keys, Secret tokens, AWS Secrets etc.) from a webpage and lists them as information issues. Just passive scan the target and wait for the juicy information to come as listed below. This is my personal favorite extender.
A big shoutout to the person who made our job easier by releasing the extender.
As soon as I started getting the results, “aws_secret_access_key” and “aws_access” caught my eyes. These things were present in a config file which was available without authentication. The config file had all the important stuff that the developer had left by mistake. The config file looked like this:
Then, I remembered that while configuring “AWS CLI” tool “AWS Access Key ID” and “AWS Secret Access Key” are required. Those things were already present in the config file. I configured “AWS CLI” with those keys and tried accessing the bucket.
Booooooooooooooooom!!!!
The bucket listed the content, and I could access all the “KYC Documents”. Not only this, but the bucket also allowed me to upload and delete the content.
Confidentiality, Integrity and Availability, all the three pillars were affected.
Golden Tip: Make sure you don’t stop at any point. Deep dig and you will get juicy information. If that’s not the case, you will end up learning something new that will benefit you later.
Happy Testing!
Twitter: @heybenchmarkkk
LinkedIn: Pawan Chhabria
