Request an Audit.

Select Audit Type
Cancel

Thank you for requesting an Audit! Our team will be in touch with information on the next steps.

Back to Dashboard
Oops! Something went wrong while submitting the form.

Give Feedback

Cancel
Oops! Something went wrong while submitting the form.

List Your Product

Cancel

Thank you for listing your product! Our team will be in touch with information on the next steps.

Back to Dashboard
Oops! Something went wrong while submitting the form.

In the jungle of AWS S3 Enumeration

Posted on:
5/30/2024
Written by:
Ilan Abitbol
Tagged as:
Cloud Security
AWS
Cybersecurity
Share article:

I. The current Situation

According to Datadog’s article on the state of security in AWS:

bucket Organizations with at least 1 publicly readable S3 =36 %
www.datadoghq.com

36% of organizations with at least one Amazon S3 bucket have it configured to be publicly readable. This is a significant cybersecurity risk, as publicly accessible S3 buckets can expose sensitive data to unauthorized individuals, leading to potential data breaches, data theft, and a host of compliance issues.

We could model the attack from a high-level point of view as follows:

Classical S3 Attack Path Scenario
Classical S3 Attack Path Scenario

In this article, we will focus on the recognition techniques used by attackers in part 1 of the figure above.

II. Enumeration Techniques

II.1 Google Dorking to Locate Buckets

Google Dorking utilizes advanced search queries to find hidden information on the internet. When it comes to S3 buckets, specific dorks can reveal buckets left exposed by inadvertent configurations.

Example Commands:

Google Dorks For S3 Enumeration
Google Dorks For S3 Enumeration

First command result example:

First command result example
First command result example

Search results will list web pages or direct links to S3 buckets. Verify the legitimacy of each link, as some may be outdated or reference non-existent buckets. For actual buckets, proceed to check the permissions and contents, ideally reporting any misconfigurations to the bucket owner.

II.2 Burp Suite Exploration

Burp Suite is a powerful tool for web application security pentesting. It can be used for S3 bucket reconnaissance by monitoring HTTP requests that contain bucket information.

Configure your browser to use Burp Suite as its proxy, then browse the target application. Burp Suite will automatically capture the traffic. Analyze the sitemap generated by Burp for any S3 bucket links or headers.

Look for patterns such as:

  • URLs containing “s3.amazonaws.com”
  • Headers with “x-am-bucket”

For instance:

Burp s3 keyword search through the proxy history
Burp s3 keyword search through the proxy history

Also, the Burp plugin https://github.com/portswigger/aws-security-checks from the BApp Store can be really useful.

The traffic analysis capabilities of Burp Suite allow for detailed scrutiny of web applications and potential S3 bucket discovery inside indirect or sub calls.

II.3 GitHub Recon Tools

There’s a treasure trove of S3 reconnaissance tools on GitHub. These tools range in functionality from scanning bucket names to checking for public accessibility and dumping contents.

S3Scanner: https://github.com/sa7mon/S3Scanner Dumpster Diver: https://github.com/securing/DumpsterDiver S3 Bucket Finder: https://github.com/gwen001/s3-buckets-finder AWSInventorySync: https://github.com/foreseon/AWSInventorySync

Leveraging automated tools can vastly increase the efficiency and breadth of your reconnaissance. After running these tools, the next steps should involve assessing the identified buckets’ configurations, understanding the potential risks, and, if necessary, alerting the responsible parties.

II.4 Online Websites

Online resources can streamline the S3 bucket discovery process. Nuclei templates, specifically, are predefined patterns used to detect common vulnerabilities, including misconfigured S3 buckets.

For instance you can use:

https://osint.sh/buckets/

https://buckets.grayhatwarfare.com/

Tools like OSINT.sh and GrayHatWarfare are tailor-made to simplify the search process, pulling from pools of data that might take an individual researcher considerable time to amass.

What’s more, the existence of SaaS services accessible with just three clicks shows just how widespread this attack is these days.
Hackers have even developed automated programs for scanning and collecting objects publicly exposed in S3 buckets.

II.5 Regex Mastery

Mastering simple regex can be one of the most efficient ways to conduct S3 bucket reconnaissance. By chaining simple commands, you can create powerful searches.

Running Commands:
Here’s how to use regex with curl to extract S3 bucket URLs from JavaScript files:

Regex for searching S3 bucket URLs in JS Files
Regex for searching S3 bucket URLs in JS Files

And for using subfinder and httpx:

subfinder + httpx tools for finding S3 buckets
subfinder + httpx tools for finding S3 buckets

The command-line outputs will typically provide you with raw URLs or status codes. A 200 status code on an S3 bucket URL, for example, indicates that the bucket is accessible. Further exploration of these command-line techniques offer granular control over the reconnaissance process and can be customized for specific scenarios. The output from these commands must be carefully analyzed to distinguish between normal bucket usage and potential security risks.

Conclusion

Navigating the complexities of AWS S3 Enumeration is crucial for identifying and securing misconfigured S3 buckets, which are potential gateways to sensitive data exposure.

Identifying these vulnerabilities is only the first step. Action must be taken to mitigate these risks, ensuring data remains secure against potential breaches. This is where Resonance Security steps in.

Specializing in cloud security audits and penetration testing, we provide the expertise needed to protect and reinforce cloud environments against threats.

For companies looking to enhance their cloud security posture, we offer tailored pentests & audits designed to meet the unique challenges securing your cloud infrastructure. Learn more about how we can support your cloud security needs at Resonance Security.

In sum, the path to secure AWS S3 storage is multifaceted, demanding a proactive approach to security. With the right techniques and expert support, companies can navigate this landscape confidently, protecting their most valuable digital assets.

Read More
Resonance Reflections: Implementation and Security Considerations of Real-World Token Bonding Curves

Token bonding curves. You may have heard about them being used in DeFi on platforms such as UniSwap and Curve Finance. They are the mathematical models that define the relationship between a token’s supply and its price. As more tokens are bought, the price increases according to the curve; as they are sold, the price decreases according to the curve. There are multiple types of curves that can be created based on various parameters.

August 13, 2024

by Grace Dees

web3
Read in Full
Securing Applications with Harmony: An Innovative Asset Monitoring Tool

Last year saw a wave of attacks exploiting the bridge between web2 and web3 (which we lovingly call web2.5), exposing significant vulnerabilities in DApps. Attacks like CDN hijacking, DNS manipulation, and BGP hijacking were particularly rampant.

July 19, 2024

by Michał Bazyli

Cybersecurity
Read in Full
A Journey Through NEAR Protocol’s Storage — When Removing Doesn’t Necessarily Mean Deleting (Part 2)

This is the follow-up article to this one: Part 1. If you are interested in NEAR storage internals, please read through Part 1 before continuing here. This text assumes the exemplary code shared in Part 1.

July 15, 2024

by Michal Bajor

web3
Read in Full
Back to All News
our certifications
OSCP certificationOSCE CertificationOSWE certificationCART CertificationAzure certifcationCyclone CertificationCARTP CertificationCRTP Certification

Let's Get Started.

Safeguard your applications, smart contracts and digital assets to stay ahead of potential threats.

Get started