My s3 bugs so far...
Summary
Hey guys, in this post we will cover several S3 bugs I have found over the year.
Report 1 :: AWS s3 bucket takeover to Stored XSS [sev: High]
During my recon, I came across a subdomain, apidocs.xboy.me, that was supposed to host API documentation. The site was just loading a white page, so I did my usual trick and performed a view-source:https://apidocs.xboy.me. I saw that the JS files were getting loaded from an S3 bucket, and when I clicked on the bucket I got a 404 S3 bucket not found error.
So I went to AWS and took over the bucket, and thanks to how JS executes (line by line, top-down) I just added an XSS payload to swagger-ui-bundle.js, i.e.:
console.log("Js execution")
alert("Js execution")
alert(document.domain)
All I did was find the bucket and take it over by going to the AWS console, creating a bucket with that name and adding the required files.
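The condition behind report 1 is a page that still references a bucket nobody owns. As an added example (my code, not the post's), here is how an asset owner can audit their own pages for it: collect the script sources, work out which ones point at S3, and classify the bucket's response. The S3 error XML format with a Code element is the documented one; the sample HTML, the bucket names in it, and the fetch stub are constructed so the audit runs offline.

```python
"""Added example (not from the original post): audit a page you own for <script>
tags that load from S3 and flag buckets that no longer exist. Assumptions (mine):
the S3 error body is the documented XML with a <Code> element, and `fetch` is any
callable returning (status, body); urllib_fetch is an optional real one."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Virtual-hosted style: <bucket>.s3[.<region>|.dualstack.<region>].amazonaws.com
_VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
# Path style: s3[.<region>].amazonaws.com/<bucket>/...
_PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")


class _ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    """Every <script src=...> value on the page, in document order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def s3_bucket_for(url):
    """Return the bucket name an S3 URL refers to, or None for non-S3 URLs."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    m = _VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if _PATH_RE.match(host):
        first = parts.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def classify_s3_response(status, body):
    """Map an S3 GET response to a verdict. 'dangling' means NoSuchBucket: the
    name is unclaimed, which is exactly the report 1 situation."""
    if isinstance(body, str):
        body = body.encode()
    if status == 404:
        try:
            code = ET.fromstring(body).findtext("Code")
        except ET.ParseError:
            code = None
        if code == "NoSuchBucket":
            return "dangling"
        if code == "NoSuchKey":
            return "bucket-exists-key-missing"
        return "not-found"
    if status == 403:
        return "bucket-exists-access-denied"
    if 200 <= status < 300:
        return "ok"
    return f"other-{status}"


def audit_page(html, fetch):
    """Return (url, bucket, verdict) for every S3-hosted script on the page."""
    results = []
    for src in script_sources(html):
        bucket = s3_bucket_for(src)
        if bucket is None:
            continue  # not S3-hosted; out of scope for this check
        status, body = fetch(src)
        results.append((src, bucket, classify_s3_response(status, body)))
    return results


def urllib_fetch(url):
    """Real (status, body) fetcher; HTTP errors are returned, not raised."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample page and S3 responses so the audit runs offline.
SAMPLE_HTML = """<html><head>
<script src="https://apidocs-assets.s3.amazonaws.com/swagger-ui-bundle.js"></script>
<script src="https://s3.us-east-1.amazonaws.com/apidocs-legacy/app.js"></script>
<script src="https://cdn.example.net/vendor.js"></script>
</head></html>"""
NO_SUCH_BUCKET = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                  b"<Message>The specified bucket does not exist</Message></Error>")


def sample_fetch(url):
    """Stand-in for the network: the first bucket is gone, the second still serves."""
    if "apidocs-assets" in url:
        return 404, NO_SUCH_BUCKET
    return 200, b"// app.js"


if __name__ == "__main__":
    for url, bucket, verdict in audit_page(SAMPLE_HTML, sample_fetch):
        print(f"{verdict:28} {bucket:18} {url}")
```

Run it against your real pages with audit_page(html, urllib_fetch); anything reported as dangling should be fixed by re-creating the bucket under your own account or removing the reference. Note that Subresource Integrity on the script tag would have stopped a tampered bundle from executing, but not the availability hit, so the reference itself still needs cleaning up.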
Report 2 :: Access key && secret Key to Create/Read/Update s3 folder-files [sev: Medium]
On another target I was exploring the API and found an endpoint on api-management.xboy.me that returned a JSON response containing an access key and secret key, along with an S3 bucket name and a path.
My first attempt was reading/listing the S3 bucket; this failed. My second attempt was writing to the S3 bucket; this failed too. I didn't test delete, as to do that you need to know an object key and I didn't know one.
Remember that path in the config I talked about? I decided to test it, and I was able to create files, overwrite files and read them too, but I still couldn't list the folder (bummer).
All I had to do here was hit the API endpoint, get the AWS keys, configure the AWS CLI and perform the actions.
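The root cause in report 2 is an API response that hands clients long-lived AWS credentials. As an added example (my code, not the post's or the target's), here is a check that can run over API responses in tests or a CI gate before they ship: it walks the decoded JSON, flags access key IDs by the documented AKIA/ASIA shape, flags secret-key candidates by field name plus the 40-character shape, and notes bucket references for context. The sample response is constructed and uses AWS's own documentation example credentials.

```python
"""Added example (not from the original post): scan an API's JSON responses for
leaked AWS credentials, the way the report 2 endpoint leaked them. Assumptions
(mine): access key IDs are AKIA/ASIA plus 16 uppercase alphanumerics; secrets are
only flagged as candidates (field name hint + 40-char base64-like value)."""
import json
import re

ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_SHAPE_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")
SECRET_FIELD_HINTS = ("secret", "sessiontoken")


def _walk(node, path="$"):
    """Yield (json_path, leaf_value) for every scalar in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def _field_name(path):
    """Last key in the path, normalised so aws_secret_access_key and
    secretAccessKey compare the same."""
    last = path.rsplit(".", 1)[-1].split("[", 1)[0]
    return last.lower().replace("-", "").replace("_", "")


def redact(secret):
    """Keep enough to correlate in a ticket without re-leaking the value."""
    return secret[:4] + "..." + secret[-2:]


def scan_json(body):
    """Return findings as dicts with path, kind and a redacted preview."""
    findings = []
    for path, value in _walk(json.loads(body)):
        if not isinstance(value, str):
            continue
        name = _field_name(path)
        if ACCESS_KEY_ID_RE.search(value):
            findings.append({"path": path, "kind": "aws_access_key_id", "preview": redact(value)})
        elif any(h in name for h in SECRET_FIELD_HINTS) and SECRET_SHAPE_RE.match(value):
            findings.append({"path": path, "kind": "aws_secret_key_candidate", "preview": redact(value)})
        elif "bucket" in name:
            findings.append({"path": path, "kind": "s3_bucket_reference", "preview": value})
    return findings


def has_credentials(findings):
    """True if any finding is a credential (use this as the CI gate)."""
    return any(f["kind"].startswith("aws_") for f in findings)


# Constructed sample response; the key values are AWS's documentation examples.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "storage": {
        "bucket": "example-app-files",
        "path": "uploads/customer-42/",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    "features": [{"name": "export", "enabled": True}],
})

if __name__ == "__main__":
    found = scan_json(SAMPLE_RESPONSE)
    for f in found:
        print(f"{f['kind']:26} {f['path']:28} {f['preview']}")
    print("BLOCK" if has_credentials(found) else "ok")
```

The fix on the API side is not to return keys at all: hand out presigned URLs or short-lived STS credentials scoped to the one prefix the client needs, which is also the least privilege the report's write-but-no-list behaviour hints the bucket policy was already trying to express.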
Report 3 :: S3 bucket takeover for host [Sev: High]
Like the bug in report 1: I found two hosts that were both referring to an S3 bucket that was available for takeover.
Report 4 :: S3 create/read/update from an API [Sev: High]
I found an API domain, files-api-manage.xboy.me, that allowed me to create/read/update files in S3.
- Read files:
POST /getFileUrl HTTP/2
Host: files-api-manage.xboy.me
Content-Type: application/json
Accept: application/json, text/plain, */*

{"key":"test/test.txt"}
- Create files:
POST /getUploadUrl HTTP/2
Host: files-api-manage.xboy.me
Content-Type: application/json
Accept: application/json, text/plain, */*

{"fileName":"test.txt","folderName":"test","contentType":"plain/text"}
- Upload the file (PUT to the presigned URL returned above):
PUT /test/test.txt?AWSAccessKeyId=AKIA3G78HAJLPLXJSYFJD&Content-Type=plain%2Ftext&Expires=1714590319&Signature=rhueTRoGbDdYh2n8m27sjMONdLc%3D HTTP/1.1
Host: files-app-manager.s3.amazonaws.com
User-Agent: curl/8.5.0
Accept: */*
Date: Wed, 01 May 2024 14:50:18 -0400
Content-Type: plain/text
Content-Length: 15
Connection: close

Hello s3 upload
- Fetch the file:
GET /test/?AWSAccessKeyId=AKIA3G78HAJLPLXJSYFJD&Expires=1714590634&Signature=n5kLSdHSMtx70Z25upwtxe2hd6Y%3D HTTP/1.1
Host: files-app-manager.amazonaws.com
Report 5 :: Cognito unauth to S3 read/write
This bug is the same as in my previous post, Getting AWS s3 file Write/OverWrite from Cognito.
Others
- Another bug like report 1 that would leak OTP codes, because the developer used the S3 bucket to send OTPs in the query param.
- Another like Getting AWS s3 file Write/OverWrite from Cognito.
- Another two that were just S3 listing; however, one led me to some AWS S3 keys and access to more buckets.
Contacts
@github @twitter @LinkedIn @Intigriti @hackerone_old