Bug Hunting: AWS S3 bucket-public Read, write permissions enabled

Pravinrp
Oct 12, 2020

This is going to be the first blog of my bug hunting journey. As many of you are hunting for bugs in different bug hunting forums, I feel that sharing knowledge is like giving back to the security community which has given me a great platform to learn and grow.

I would like to thank everyone who has put extra effort to contribute to the community and help secure the internet from attacks.

In my initial phase of hunting for bug bounties, I was working on a gaming target and was able to find a simple but severe vulnerability in that platform. Let us see how I enumerated and identified the issue.

AWS S3 bucket enabled for public access:

Enumeration:

Enumeration is the key to widening our strategy when testing an application. As part of the initial enumeration phase, I was enumerating the valid subdomains that exist for the particular target.

There are a plethora of tools available to identify subdomains for a particular target. Let me list down a few of them here for your reference.

Using the above tools the list of valid subdomains can be identified quickly. Now, I have a list of subdomains.

I was thinking of choosing a target subdomain to start the attacking methods. However, I wanted to run an automation script on the side which can identify other sorts of vulnerabilities in the application. So, my first go was to find out whether any cloud storage is being used or not. I started my enumeration for finding any AWS S3 bucket.

Note: One can use any list of regular expressions or subdomains for enumerating AWS S3 buckets, because most of the time organizations might use valid and reasonable naming conventions for S3 buckets. In my case, I used a list of subdomains for finding AWS S3 buckets.

Tools to identify AWS S3 buckets:

Steps:

  1. Download the S3Scanner tool from the link: https://github.com/sa7mon/S3Scanner
  2. Run it for S3 bucket identification.
AWS S3 bucket with public access identified

Note: Merely finding the S3 buckets alone might not be accepted as a valid bug. I would suggest trying read/write access in the bucket to showcase the impact of the vulnerability.

  3. Once the bucket is identified, try to upload/read a file from the bucket. In this case, I created an empty file and tried to upload it to the bucket, and it was successful.

file.txt uploaded successfully into S3 bucket

I immediately reported this issue and it was accepted as a valid bug.

Remediation

Make sure all the Amazon S3 buckets you are using are marked as private.
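One way to verify that a bucket really is private, as an added example that is not part of the original post: it goes beyond the ACL issue described above and also checks the bucket policy and the Block Public Access flags. The function names and sample values are assumptions constructed for illustration; the inputs follow the JSON shape of the S3 bucket ACL, bucket policy and PublicAccessBlockConfiguration documents.

```python
"""Audit S3 bucket settings for public read/write exposure (added example).

Inputs mirror the S3 GetBucketAcl, GetBucketPolicy and PublicAccessBlockConfiguration
JSON documents; the sample values below are constructed.
"""
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    """Policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def audit_bucket(acl, policy=None, public_access_block=None):
    """Return sorted findings; an empty list means none of the checks fired."""
    findings = []
    # 1. ACL grants to the global groups reach outside the owning account.
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    # 2. Unconditional Allow statements with a wildcard principal.
    #    (Statements with a Condition are skipped and need manual review.)
    for stmt in as_list((policy or {}).get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            for action in as_list(stmt.get("Action", [])):
                findings.append(f"policy allows {action} to everyone")
    # 3. Block Public Access: all four flags should be on.
    for flag in BPA_FLAGS:
        if not (public_access_block or {}).get(flag, False):
            findings.append(f"Block Public Access flag {flag} is off")
    return sorted(findings)

# Constructed sample: ACL with public READ and WRITE, as in the finding above.
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
SAMPLE_ACL = {"Grants": [{"Grantee": ALL_USERS, "Permission": "READ"},
                         {"Grantee": ALL_USERS, "Permission": "WRITE"},
                         {"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL):
        print("FINDING:", finding)
```

Feed it the output of your own account's bucket configuration calls; any finding means the bucket is not fully private.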

Please like, share and support if you like this blog.

If you like the content, please follow me on Medium and LinkedIn.

LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/

Pravinrp

OSCP / Security geek & researcher (Application/infrastructure/Mobile/cloud security)