My s3 bugs so far...

Summary

Hey guys, in this post we will cover several S3 bugs I have found over the year.

Report 1 :: AWS s3 bucket takeover to Stored XSS [sev: High]

During my recon, I came across a subdomain apidocs.xboy.me that was supposed to host API documentation. The site was just loading a white page, so I did my usual trick and opened view-source:https://apidocs.xboy.me. I saw that the JS files were being loaded from an S3 bucket, and when I clicked on the bucket URL I got a 404 "bucket not found" error from S3.

So I went to AWS and took over the bucket, and thanks to how JS executes (line by line, top-down) I just added an XSS payload to swagger-ui-bundle.js, i.e.

console.log("Js execution")  // proves the attacker-controlled file was executed
alert("Js execution")
alert(document.domain)       // shows which origin the script runs in

All I did was find the bucket and take it over by going to the AWS console, creating a bucket with that name and adding the required files.

[screenshot: stored-xss]
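The root cause in report 1 is a page that still loads assets from a bucket nobody owns. As an added example (not code from the original post), here is a small audit that pulls S3 bucket references out of a page's HTML and reports the ones that no longer exist, so an owner can find such dangling references before someone else does. The HTML, the bucket names and the existence check are constructed; in a real run the check would be a HEAD request against the bucket endpoint, where a 404 NoSuchBucket means the name is unowned and a 403 means it exists but belongs to another account.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional

# Constructed sample page, standing in for the view-source output described
# above. Bucket names are hypothetical.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://docs-assets-example.s3.amazonaws.com/swagger-ui.css">
<script src="https://docs-assets-example.s3.amazonaws.com/swagger-ui-bundle.js"></script>
<script src="https://s3.eu-west-1.amazonaws.com/other-assets-example/app.js"></script>
<script src="https://cdn.example.net/vendor.js"></script>
</head><body></body></html>
"""

# The two URL shapes S3 serves objects from:
#   https://<bucket>.s3.amazonaws.com/...  or  https://<bucket>.s3.<region>.amazonaws.com/...
#   https://s3.amazonaws.com/<bucket>/...  or  https://s3.<region>.amazonaws.com/<bucket>/...
_VHOST = re.compile(r"^https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:/|$)", re.I)
_PATH = re.compile(r"^https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)(?:/|$)", re.I)


class _AssetRefs(HTMLParser):
    """Collects the URLs a page loads executable or embedded content from."""

    WANTED = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr = self.WANTED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def bucket_from_url(url: str) -> Optional[str]:
    """Return the bucket name an S3 URL points at, or None for non-S3 URLs."""
    for rx in (_VHOST, _PATH):
        m = rx.match(url)
        if m:
            return m.group(1).lower()
    return None


def s3_references(html: str) -> Dict[str, List[str]]:
    """Map each referenced bucket to the asset URLs that depend on it."""
    parser = _AssetRefs()
    parser.feed(html)
    refs: Dict[str, List[str]] = {}
    for url in parser.urls:
        bucket = bucket_from_url(url)
        if bucket:
            refs.setdefault(bucket, []).append(url)
    return refs


def dangling_buckets(html: str, bucket_exists: Callable[[str], bool]) -> List[str]:
    """Buckets the page depends on that do not exist any more.

    `bucket_exists` is injected so the audit runs offline here; it is the
    hypothetical hook where a real check (HEAD on the bucket endpoint) goes.
    """
    return sorted(b for b in s3_references(html) if not bucket_exists(b))


if __name__ == "__main__":
    # Constructed ownership state: the docs bucket was deleted, the other still exists.
    state = {"docs-assets-example": False, "other-assets-example": True}
    for bucket in dangling_buckets(SAMPLE_HTML, lambda b: state.get(b, False)):
        print(f"dangling reference: {bucket} -> {s3_references(SAMPLE_HTML)[bucket]}")
```

A script tag pointing at a dangling bucket is a stored XSS waiting to happen, exactly as in the report; a stylesheet or image reference is lower impact but still lets an outsider serve content on the page. The fix is either to reclaim the bucket name or to remove the reference.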

Report 2 :: Access key && secret key to create/read/update S3 folder files [sev: Medium]

On another target I was exploring the API and found an endpoint on api-management.xboy.me that returned a JSON response containing an access key and secret key, along with an S3 bucket name and a path.

My first attempt was reading/listing the S3 bucket; this failed. My second attempt was writing to the S3 bucket; this failed too. I didn't test delete, as to do that you need to know a key and I didn't know one.

Remember that path in the config I talked about? I decided to test it, and I was able to create files, overwrite files and read them too, but I still couldn't list the folder (bummer).

All I had to do on this was hit the API endpoint, get the AWS keys, configure the AWS CLI and perform the actions.

[screenshot: api-leak]
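An API response that ships long-lived AWS keys to the client is something a response-scanning check in a proxy, a CI test or a log pipeline can catch. As an added example (not the target's code and not from the original post), here is a detector that walks a JSON body and flags access key IDs by their well-known prefix and secret keys by shape plus field name, masking the values so the finding itself does not leak them. The sample response is constructed and uses the key pair from AWS's own documentation as a placeholder.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Constructed response, shaped like the config the endpoint in report 2 handed out.
# The credential values are AWS's documented example pair, not real keys.
SAMPLE_RESPONSE = json.dumps({
    "bucket": "customer-uploads-example",
    "path": "tenants/1234/",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1",
})

# Long-lived IAM user keys start with AKIA, temporary STS keys with ASIA.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret key is 40 characters of the base64 alphabet. On its own that is noisy,
# so it is only reported when the field name suggests a secret.
SECRET_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")


def mask(value: str) -> str:
    """Keep just enough to correlate with IAM (first and last four characters)."""
    return value[:4] + "..." + value[-4:]


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, leaf value) pairs for every scalar in a parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_aws_credentials(body: str) -> List[Dict[str, str]]:
    """Return findings for AWS access key IDs and likely secret keys in a response body.

    JSON bodies are walked field by field; anything else gets a raw regex scan
    for access key IDs only, since secrets cannot be told apart from other
    base64 blobs without a field name.
    """
    findings: List[Dict[str, str]] = []
    try:
        doc = json.loads(body)
    except ValueError:
        for m in ACCESS_KEY_RE.finditer(body):
            findings.append({"kind": "access_key_id", "path": "<raw>", "value": mask(m.group(0))})
        return findings
    for path, value in _walk(doc):
        if not isinstance(value, str):
            continue
        leaf = path.rsplit(".", 1)[-1].lower().replace("_", "")
        if ACCESS_KEY_RE.fullmatch(value):
            findings.append({"kind": "access_key_id", "path": path, "value": mask(value)})
        elif SECRET_RE.match(value) and "secret" in leaf:
            findings.append({"kind": "secret_access_key", "path": path, "value": mask(value)})
    return findings


if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_RESPONSE):
        print(f"{finding['kind']:18} at {finding['path']}: {finding['value']}")
```

The author's observation that the keys could put, get and overwrite under the configured path but not list the folder is consistent with how S3 permissions split: s3:GetObject and s3:PutObject are granted on the object ARN (bucket/prefix/*), while s3:ListBucket is granted on the bucket ARN itself, so a policy scoped to a prefix without ListBucket behaves exactly as described. That scoping limits damage but does not make handing the keys to every API client acceptable; the usual fix is to keep the keys server-side and issue per-request presigned URLs or short-lived STS credentials instead.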

Report 3 :: S3 bucket takeover for host [Sev: High]

Like the bug in report 1: I found two hosts that seemed to be referring to an S3 bucket that was available for takeover:

[screenshot: s3-hosts]

Report 4 :: S3 create/read/update from an API [Sev: High]

I found an API, files-api-manage.xboy.me, that allowed me to create/read/update files in S3.

  1. Read files

POST /getFileUrl HTTP/2
Host: files-api-manage.xboy.me
Content-Type: application/json
Accept: application/json, text/plain, */*

{"key":"test/test.txt"}

  2. Create files

POST /getUploadUrl HTTP/2
Host: files-api-manage.xboy.me
Content-Type: application/json
Accept: application/json, text/plain, */*

{"fileName":"test.txt","folderName":"test","contentType":"plain/text"}

  3. Upload the file

PUT /test/test.txt?AWSAccessKeyId=AKIA3G78HAJLPLXJSYFJD&Content-Type=plain%2Ftext&Expires=1714590319&Signature=rhueTRoGbDdYh2n8m27sjMONdLc%3D HTTP/1.1
Host: files-app-manager.s3.amazonaws.com
User-Agent: curl/8.5.0
Accept: */*
Date: Wed, 01 May 2024 14:50:18 -0400
Content-Type: plain/text
Content-Length: 15
Connection: close

Hello s3 upload

  4. Fetch the file

GET /test/?AWSAccessKeyId=AKIA3G78HAJLPLXJSYFJD&Expires=1714590634&Signature=n5kLSdHSMtx70Z25upwtxe2hd6Y%3D HTTP/1.1
Host: files-app-manager.amazonaws.com
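The upload and fetch URLs in steps 3 and 4 are S3 presigned URLs using query-string authentication (the AWSAccessKeyId, Expires and Signature parameters are the signature version 2 form). The signature only binds the method, content type, expiry and object key, so whoever receives the URL can use it until it expires; the security of the scheme therefore rests entirely on the endpoint that hands URLs out, and the requests above show that endpoint taking the key, folderName and fileName straight from the client with no authentication. As an added example (my code, not the target's), the block below computes and verifies such a URL and shows the server-side control that was missing: derive the object key from the authenticated caller's own prefix and reject path components you did not generate. The bucket name and credentials are placeholders (AWS's documented example pair), and the tenant prefix layout is an assumption.

```python
import base64
import hashlib
import hmac
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Hypothetical bucket and credentials (placeholders, not the ones from the report).
BUCKET = "files-app-manager-example"
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# One path component: no slashes, no leading dot, conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def _string_to_sign(method: str, key: str, expires, content_type: str = "") -> str:
    # Signature V2 query-string auth signs:
    #   METHOD \n Content-MD5 \n Content-Type \n Expires \n CanonicalizedResource
    return f"{method}\n\n{content_type}\n{expires}\n/{BUCKET}/{key}"


def sign_v2(secret: str, string_to_sign: str) -> str:
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presign(method: str, key: str, expires: int, content_type: str = "") -> str:
    """Build a presigned URL for one method, key and expiry (and content type for PUT)."""
    signature = sign_v2(SECRET_KEY, _string_to_sign(method, key, expires, content_type))
    params: List[Tuple[str, str]] = [("AWSAccessKeyId", ACCESS_KEY_ID)]
    if content_type:
        params.append(("Content-Type", content_type))
    params += [("Expires", str(expires)), ("Signature", signature)]
    return f"https://{BUCKET}.s3.amazonaws.com/{quote(key)}?{urlencode(params)}"


def object_key_for(user_id: str, folder: str, filename: str) -> str:
    """Pin the object key inside the caller's own prefix instead of trusting the client.

    Rejects traversal, slashes and odd characters up front, then re-checks the
    normalised key so the prefix check cannot be bypassed by normalisation.
    """
    if not SAFE_NAME.match(folder) or not SAFE_NAME.match(filename):
        raise ValueError("unsafe path component")
    key = posixpath.normpath(f"users/{user_id}/{folder}/{filename}")
    if not key.startswith(f"users/{user_id}/"):
        raise ValueError("key escaped the tenant prefix")
    return key


def issue_upload_url(user_id: str, folder: str, filename: str, content_type: str, expires: int) -> str:
    """What a getUploadUrl endpoint should do: key comes from the authenticated user."""
    return presign("PUT", object_key_for(user_id, folder, filename), expires, content_type)


def verify_presigned(url: str, method: str, content_type: str = "", now: Optional[int] = None) -> bool:
    """Recompute the signature the way the storage side does on receipt."""
    u = urlparse(url)
    if u.hostname != f"{BUCKET}.s3.amazonaws.com":
        return False
    q = parse_qs(u.query)
    if q.get("AWSAccessKeyId", [None])[0] != ACCESS_KEY_ID:
        return False
    expires = q["Expires"][0]
    if now is not None and now >= int(expires):
        return False  # expired
    key = unquote(u.path.lstrip("/"))
    expected = sign_v2(SECRET_KEY, _string_to_sign(method, key, expires, content_type))
    return hmac.compare_digest(expected, q["Signature"][0])


if __name__ == "__main__":
    url = issue_upload_url("alice", "invoices", "test.txt", "text/plain", 1714590319)
    print(url)
    print("valid for PUT:", verify_presigned(url, "PUT", "text/plain", now=1714590000))
    print("valid for GET:", verify_presigned(url, "GET", now=1714590000))
```

Two things follow from the verification routine: the signature cannot be reused for a different key, method or content type, which is why S3 rejected none of the author's requests (they used the URLs exactly as issued), and nothing in the URL identifies the end user, so the only place to enforce who may write where is the endpoint that issues it. Short expiries limit how long a leaked URL stays useful but do not replace that check.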

[screenshot: s3-api-hosts]

Report 5 :: Cognito unauth to S3 read/write

This bug is the same as in my previous post, Getting AWS s3 file Write/OverWrite from Cognito.

Others

  • Another bug like report 1 that would leak OTP codes, because the developer used the S3 bucket to send OTPs in the query param.
  • Another like Getting AWS s3 file Write/OverWrite from Cognito.
  • Another two that were just S3 listing; however, one led me to some AWS S3 keys and access to more buckets.
