In the jungle of AWS S3 Enumeration


Amazon Web Services (AWS) Simple Storage Service (S3) is a foundational pillar of cloud storage, offering scalable object storage for millions of applications. However, misconfigured S3 buckets can be a gateway to sensitive data exposure.

In this guide, we will delve into advanced methods for S3 bucket reconnaissance — essential for cloud pentesters and cloud security experts to identify and secure vulnerable buckets before they’re exploited.

The Current Situation

In the cloud monitoring service Datadog’s article on the state of security in AWS, they analyzed trends in the implementation of security best practices and took a closer look at various types of…

Credit: DatadogHQ

36% of organizations with at least one Amazon S3 bucket have it configured to be publicly readable. This is a significant cybersecurity risk, as publicly accessible S3 buckets can expose sensitive data to unauthorized individuals, leading to potential data breaches, data theft, and a host of compliance issues.

We could model the attack from a high-level point of view as follows:

Classical S3 Attack Path Scenario

In this article, we will focus on the reconnaissance techniques used by attackers in part 1 of the figure above.

Google Dorking to Locate Buckets

Google Dorking utilizes advanced search queries to find hidden information on the internet. When it comes to S3 buckets, specific dorks can reveal buckets left exposed by inadvertent configurations.

Example Commands:

First command result example:

Search results will list web pages or direct links to S3 buckets. Verify the legitimacy of each link, as some may be outdated or reference non-existent buckets. For actual buckets, proceed to check the permissions and contents, ideally reporting any misconfigurations to the bucket owner.

Burp Suite Exploration

Burp Suite is a powerful tool for web application security pentesting. It can be used for S3 bucket reconnaissance by monitoring HTTP requests that contain bucket information.

Configure your browser to use Burp Suite as its proxy, then browse the target application. Burp Suite will automatically capture the traffic. Analyze the sitemap generated by Burp for any S3 bucket links or headers.

Look for patterns such as:

  • URLs containing “s3.amazonaws.com”
  • Response headers with the “x-amz-” prefix, such as “x-amz-bucket-region”

For instance:

Burp s3 keyword search through the proxy history

Also, the Burp plugin AWS Security Checks from the BApp Store can be really useful. The traffic analysis capabilities of Burp Suite allow for detailed scrutiny of web applications and can surface S3 buckets referenced only in indirect or nested requests.

GitHub Recon Tools

There’s a treasure trove of S3 reconnaissance tools on GitHub. These tools range in functionality from scanning bucket names to checking for public accessibility and dumping contents.

S3Scanner: https://github.com/sa7mon/S3Scanner

Dumpster Diver: https://github.com/securing/DumpsterDiver

S3 Bucket Finder: https://github.com/gwen001/s3-buckets-finder

AWSInventorySync: https://github.com/foreseon/AWSInventorySync

Leveraging automated tools can vastly increase the efficiency and breadth of your reconnaissance. After running these tools, the next steps should involve assessing the identified buckets’ configurations, understanding the potential risks, and, if necessary, alerting the responsible parties.

Online Websites

Online resources can streamline the S3 bucket discovery process. Nuclei templates, specifically, are predefined patterns used to detect common vulnerabilities, including misconfigured S3 buckets.

For instance you can use:

Tools like OSINT.sh and GrayHatWarfare are tailor-made to simplify the search process, pulling from pools of data that might take an individual researcher considerable time to amass.

What’s more, the existence of SaaS services accessible with just three clicks shows just how widespread this attack is these days. Hackers have even developed automated programs for scanning and collecting objects publicly exposed in S3 buckets.

Regex Mastery

Mastering simple regex can be one of the most efficient ways to conduct S3 bucket reconnaissance. By chaining simple commands, you can create powerful searches.

Running Commands

Here’s how to use regex with curl to extract S3 bucket URLs from JavaScript files:

And for using subfinder and httpx:

The command-line outputs will typically provide you with raw URLs or status codes. A 200 status code on an S3 bucket URL, for example, indicates that the bucket answers unauthenticated requests, i.e. it is publicly accessible.

Further exploration of these command-line techniques offers granular control over the reconnaissance process and can be customized for specific scenarios. The output from these commands must be carefully analyzed to distinguish between normal bucket usage and potential security risks.
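The Burp pattern search above and the regex-over-JavaScript extraction in this section are the same check; as an added example (not code from the original post), the script below runs that check offline over your own front-end assets: it pulls bucket names out of the three common S3 reference forms, builds the bucket-root URL you would request, and interprets the 200/403/404 outcome described above. The JavaScript snippet, the bucket names and the two XML responses are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Common ways a bucket appears in front-end code or proxy history (constructed names below):
#   virtual-hosted  https://<bucket>.s3.amazonaws.com/...  or  <bucket>.s3.<region>.amazonaws.com
#   path style      https://s3.amazonaws.com/<bucket>/...  or  s3.<region>.amazonaws.com/<bucket>/
#   S3 URI          s3://<bucket>/...
S3_PATTERNS = [
    re.compile(r"https?://([a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]{3,63})", re.I),
    re.compile(r"s3://([a-z0-9.-]{3,63})", re.I),
]

def extract_buckets(text):
    """Return the sorted, de-duplicated bucket names referenced anywhere in text."""
    return sorted({m.group(1).lower() for pat in S3_PATTERNS for m in pat.finditer(text)})

def bucket_root_url(bucket):
    """Virtual-hosted URL; an unauthenticated GET on it shows whether anonymous listing is allowed."""
    return f"https://{bucket}.s3.amazonaws.com/"

def classify_listing(status, body):
    """Interpret the response to an unauthenticated GET of the bucket root.
    200 with a ListBucketResult body: anyone can enumerate the keys (the misconfiguration
    the article warns about). 403: bucket exists but refuses anonymous listing.
    404: no bucket by that name exists."""
    if status == 200:
        root = ET.fromstring(body)
        if root.tag.endswith("ListBucketResult"):
            keys = [el.text for el in root.iter() if el.tag.endswith("Key")]
            return "PUBLIC_LISTING", keys
        return "UNEXPECTED_200", []
    return {403: "EXISTS_PRIVATE", 404: "NOT_FOUND"}.get(status, "UNKNOWN"), []

# Constructed sample input: a snippet of application JavaScript and two bucket-root responses.
SAMPLE_JS = """
var cdn = "https://assets.example-prod.s3.amazonaws.com/app/main.js";
fetch("https://s3.eu-west-1.amazonaws.com/example-uploads/avatars/1.png");
const backup = "s3://example-backups/2024/";
"""
PUBLIC_XML = ('<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
              '<Name>example-uploads</Name><Contents><Key>avatars/1.png</Key></Contents>'
              '<Contents><Key>exports/users.csv</Key></Contents></ListBucketResult>')
DENIED_XML = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

if __name__ == "__main__":
    for b in extract_buckets(SAMPLE_JS):
        print(bucket_root_url(b))          # the URLs you would fetch to check each bucket
    print(classify_listing(200, PUBLIC_XML))
    print(classify_listing(403, DENIED_XML))
```

Any bucket that classifies as PUBLIC_LISTING and is yours should have Block Public Access enabled or its bucket policy tightened; a PUBLIC_LISTING result on someone else's bucket is a finding to report to the owner.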

Conclusion

Navigating the complexities of AWS S3 Enumeration is crucial for identifying and securing misconfigured S3 buckets, which are potential gateways to sensitive data exposure.

Identifying these vulnerabilities is only the first step. Action must be taken to mitigate these risks, ensuring data remains secure against potential breaches. This is where Resonance Security steps in.

Specializing in cloud security audits and penetration testing, we provide the expertise needed to protect and reinforce cloud environments against threats.

Resonance Security

For companies looking to enhance their cloud security posture, we offer tailored pentests & audits designed to meet the unique challenges of securing your cloud infrastructure. Learn more about how we can support your cloud security needs at Resonance Security.

In sum, the path to secure AWS S3 storage is multifaceted, demanding a proactive approach to security. With the right techniques and expert support, companies can navigate this landscape confidently, protecting their most valuable digital assets.

Ilan Abitbol

As a Lead Security Engineer at Resonance Security, I play a pivotal role in shaping our cybersecurity landscape.
