# S3

## Simple Storage Service (S3) <a href="#simple-storage-service-s3" id="simple-storage-service-s3"></a>

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FqCA0WoIIVM9FQ0SKp46Y%2Fimage.png?alt=media&#x26;token=d9f43a57-33bf-457c-97fa-b612a62ce21f" alt=""><figcaption></figcaption></figure>

| Content                              |
| ------------------------------------ |
| 📚 What is an S3 Bucket              |
| 🤔 Why Do S3 Misconfigurations Happen? |
| 💥 Exploitation                      |
| ⚔ Impact                             |
| 🔎 How To Find                       |
| 🛠 Tools                             |
| ⚙ Remediation                        |
| 📕 References                        |

### 📚 What is an S3 Bucket <a href="#what-is-s3-bucket" id="what-is-s3-bucket"></a>

#### What is AWS? <a href="#what-is-aws" id="what-is-aws"></a>

**AWS** stands for **A**mazon **W**eb **S**ervices, a cloud services platform offering compute power, database storage, content delivery and other functionality.

#### What is Amazon S3? <a href="#what-is-amazon-s3" id="what-is-amazon-s3"></a>

Amazon **S3** (Simple Storage Service) is one of the most widely used storage services. Many companies use **S3** buckets to store assets such as user profile pictures, static resources, and whatever else their business logic requires.

Files can be served either privately (via signed URLs) or publicly, via an appropriately configured ACL (Access Control List) or ACP (Access Control Policy).

Like:

***

### 🤔 Why Do S3 Misconfigurations Happen? <a href="#why-s3-misconfiguration-happen" id="why-s3-misconfiguration-happen"></a>

#### S3 Attacks <a href="#s3-attacks" id="s3-attacks"></a>

We will go through the specifics of each access level and identify the dangerous cases where weak ACLs create vulnerable configurations. These affect the owner of the S3 bucket directly and/or indirectly, through third-party assets that many companies load from such buckets.

If a bucket is not configured properly, or is unclaimed, an attacker may be able to perform actions such as:

1. **S3 Bucket Takeover**
2. **S3 Content Takeover**

***

### 💥 Exploitation <a href="#exploitation" id="exploitation"></a>

#### Requirements <a href="#requirements" id="requirements"></a>

The simplest way to test a bucket's access controls is with the AWS CLI and its default commands.

1. **Install the** [**AWS CLI**](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)**.**
2. **Check that it is installed correctly.**
3. **Create an AWS account and obtain an access key and secret key. You can watch this** [**video**](https://www.youtube.com/watch?v=HCl2_FzMxAg) **for the steps.**
4. **Provide the access key and secret key to configure the AWS CLI.**

#### Basic tests <a href="#basic-tests" id="basic-tests"></a>

1. Checking for open S3 buckets and finding the bucket name
2. Using the **AWS CLI** to check the S3 bucket's access controls
3. Increasing impact by testing all CRUD (**Create**, **Read**, **Update** & **Delete**) actions

**Listing files**

**Move a file into the bucket**

**Download everything**

**Delete Files**

#### Subdomain takeover - S3 bucket <a href="#subdomain-takeover---s3-bucket" id="subdomain-takeover---s3-bucket"></a>

S3 buckets are created to meet a storage requirement and are often bound to a particular domain. Sometimes these buckets are not deleted after they have served their purpose, which can escalate to a complete takeover of one of the host's subdomains. Consider the following example:

An S3 bucket may be created and its URL (`http://storage.example.com.s3-website.ap-south-1.amazonaws.com`) bound to a subdomain belonging to the organization (e.g. `https://storage.example.net`) to hide the AWS S3 URL. This is done by adding an alternate domain name, i.e. a CNAME record pointing the subdomain at the bucket endpoint.

Later, when this bucket is deleted from AWS S3 but the CNAME record in Route 53 is not removed, an attacker may create an AWS S3 bucket with the same name. The malicious contents of that bucket will then be served on the victim's domain (e.g. `storage.example.net`), taking over the subdomain.

**Identifying this Vulnerability**

The first step in identifying this vulnerability is looking for an error page that carries the "404 Not Found" status and the `NoSuchBucket` error code.

Or from [**EdOverflow**](https://github.com/EdOverflow/can-i-take-over-xyz)

| Engine | Status     | Fingerprint                           |
| ------ | ---------- | ------------------------------------- |
| AWS/S3 | Vulnerable | `The specified bucket does not exist` |

![](https://i.imgur.com/9BiWz1x.png)
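A defender-side check for the dangling-CNAME condition described above, written as an added example (not code from the original page): given the CNAME target a hostname in your own zone resolves to and the HTTP status and body that endpoint returned, it flags only the 404 + `NoSuchBucket` combination as dangling, so that 403 AccessDenied or 404 NoSuchKey on an existing bucket is not mistaken for one. The hostnames and response bodies are constructed samples.

```python
"""Flag dangling CNAMEs that point at S3 endpoints whose bucket no longer exists.

Added example, not code from the original page. It works on evidence already
gathered for hostnames in your own DNS zones (CNAME target plus the HTTP
status/body the target returned); the records below are constructed so the
script runs offline and performs no lookups or requests.
"""
import re
from typing import Dict, List, Optional, Tuple

# S3 REST and website endpoints, e.g. bucket.s3.amazonaws.com,
# bucket.s3.ap-south-1.amazonaws.com, bucket.s3-website.ap-south-1.amazonaws.com
S3_ENDPOINT_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$",
    re.IGNORECASE,
)

def s3_bucket_from_cname(target: str) -> Optional[str]:
    """Return the bucket name encoded in an S3 endpoint hostname, else None."""
    match = S3_ENDPOINT_RE.match(target.strip().rstrip("."))
    return match.group("bucket") if match else None

def classify_s3_host(cname_target: str, http_status: int, body: str) -> str:
    """'not-s3': CNAME is not an S3 endpoint. 'dangling': S3 answered 404 with
    the NoSuchBucket error code, i.e. the bucket name is unclaimed. 'in-use':
    the bucket exists (403 AccessDenied, 404 NoSuchKey, 200, ...)."""
    if s3_bucket_from_cname(cname_target) is None:
        return "not-s3"
    if http_status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "dangling"
    return "in-use"

def find_dangling(records: Dict[str, Tuple[str, int, str]]) -> List[str]:
    """Hostnames (sorted) whose CNAME must be removed, or whose bucket must be
    re-created under the organisation's own AWS account, before anyone else does."""
    return sorted(host for host, (cname, status, body) in records.items()
                  if classify_s3_host(cname, status, body) == "dangling")

# Constructed sample evidence, using the S3 XML error-document format.
NOSUCHBUCKET_BODY = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                     '<Message>The specified bucket does not exist</Message></Error>')
NOSUCHKEY_BODY = '<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>'
SAMPLE_RECORDS = {
    "storage.example.net": ("storage.example.com.s3-website.ap-south-1.amazonaws.com", 404, NOSUCHBUCKET_BODY),
    "assets.example.net": ("assets-example.s3.amazonaws.com", 404, NOSUCHKEY_BODY),
    "cdn.example.net": ("d111111abcdef8.cloudfront.net", 404, "<html>not found</html>"),
    "files.example.net": ("files-example.s3.eu-west-1.amazonaws.com", 403, "<Error><Code>AccessDenied</Code></Error>"),
}
```

Running `find_dangling(SAMPLE_RECORDS)` over the sample returns only `storage.example.net`, the host whose bucket was deleted while its CNAME stayed behind.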

***

### ⚔ Impact <a href="#impact" id="impact"></a>

**Possible vulnerabilities:**

1. **Reflected XSS.**
2. **Stored XSS / asset control.** For example by uploading an HTML file that is served from the bucket.
3. **Denial of service.**
4. **Information disclosure.** If we can list objects we might find sensitive information.
5. **RCE.** If the bucket contains modifiable executables, this can result in Remote Code Execution (RCE) depending on where the executables are used and if/by whom they are downloaded.

***

### 🔎 How To Find <a href="#how-to-find" id="how-to-find"></a>

#### FFUF <a href="#ffuf" id="ffuf"></a>

```bash
# virtual-host style bucket names
ffuf -u http://FUZZ.s3.amazonaws.com -w subdomains.txt | anew -a s3_buckets_subs.txt
# path style bucket names
ffuf -u http://s3.amazonaws.com/FUZZ -w subdomains.txt | anew -a s3_buckets_dirs.txt
```

You can add this to your recon flow after the subdomain-enumeration step, or use one of the tools below.

Follow the Twitter #BugBountyTips hashtag for new tricks to find S3 buckets during your recon, or use automated tools such as:

**Lazy S3**, **S3Scanner**, **S3 Bucket Finder** & **Mass3**

***

### 🛠 Tools <a href="#tools" id="tools"></a>

[**Lazy S3:**](https://github.com/nahamsec/lazys3) A Ruby script to brute force AWS S3 bucket names using different permutations.

[**Mass3:**](https://github.com/smiegles/mass3) Quickly enumerates a pre-compiled list of AWS S3 buckets using DNS instead of HTTP, with a list of DNS resolvers and multi-threading.

[**S3 Bucket Finder:**](https://github.com/gwen001/s3-buckets-finder) PHP tool to brute force Amazon S3 bucket names.

[**S3Scanner:**](https://github.com/sa7mon/S3Scanner) A tool to find open S3 buckets and dump their contents.

***

### ⚙ Remediation <a href="#remediation" id="remediation"></a>

Make sure every Amazon S3 bucket you use is private: unless a bucket intentionally serves public content, it should carry no public ACL grants and no bucket policy that allows anonymous access.
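An owner-side audit of the access controls that the basic tests above probe, and of the private-bucket remediation just stated, as an added example that is not code from the original page or from AWS: it evaluates the `GetBucketAcl` and `GetPublicAccessBlock` API responses for public grants and for missing Block Public Access flags. The ACL and configuration samples are constructed; the owner ID is a placeholder.

```python
"""Audit an S3 bucket's exposure from its ACL and Block Public Access settings.

Added example, not code from the original page. The functions take the
response dicts of the S3 GetBucketAcl and GetPublicAccessBlock API calls
(what boto3's get_bucket_acl / get_public_access_block return), so the
check runs offline on the constructed samples below. Bucket policies are
not examined here; use GetBucketPolicyStatus for those.
"""
from typing import Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anyone
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}
# All four Block Public Access flags should be True on a private bucket.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl: Dict) -> List[str]:
    """Return 'PERMISSION@Group' for each grant to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(f"{grant['Permission']}@{grantee['URI'].rsplit('/', 1)[-1]}")
    return found

def missing_block_flags(pab: Dict) -> List[str]:
    """Flags that are off. An empty dict (the API raised
    NoSuchPublicAccessBlockConfiguration) means all four are off."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in BLOCK_FLAGS if not cfg.get(flag, False)]

def audit_bucket(name: str, acl: Dict, pab: Dict) -> Dict:
    """A public ACL grant only takes effect while IgnorePublicAcls is off, so
    effective exposure is reported separately from missing hygiene settings."""
    grants, missing = public_acl_grants(acl), missing_block_flags(pab)
    return {"bucket": name, "public_grants": grants, "missing_block_flags": missing,
            "exposed_via_acl": bool(grants) and "IgnorePublicAcls" in missing}

# Constructed samples: a world-readable and writable bucket with no Block
# Public Access configuration at all, and a hardened private bucket.
_OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
          "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [_OWNER,
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
HARDENED_ACL = {"Grants": [_OWNER]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in BLOCK_FLAGS}}
```

`audit_bucket("weak-bucket", WEAK_ACL, {})` reports both public grants and all four flags missing, which is exactly the configuration the basic tests above would turn into a listing, upload or delete.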

***

### 📕 References <a href="#referance" id="referance"></a>

[**PayloadsAllTheThings**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/AWS%20Amazon%20Bucket%20S3)

[**janijay007**](https://medium.com/@janijay007/s3-bucket-misconfiguration-from-basics-to-pawn-6893776d1007)

[**detectify**](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/?utm_source=blog&utm_campaign=s3_buckets)

[**pravinponnusamy**](https://pravinponnusamy.medium.com/bug-hunting-aws-s3-bucket-public-read-write-permissions-enabled-477cc246e60e)

[**Harsh Bothra**](https://infosecwriteups.com/s3-bucket-misconfigured-access-controls-to-critical-vulnerability-6b535e3df9a5)

[**EdOverflow**](https://github.com/EdOverflow/can-i-take-over-xyz/issues/36)
