Note: this vulnerability is not in Amazon AWS S3.
My first post was about a Protonmail stored XSS; now I'm publishing my second blog post, about a bug I recently found on a private bug bounty website. Let's start.
The vulnerability was very easy to exploit but very hard to find. While checking many things I reached the export feature of the website; according to the company it allows admins to download their organisation's data in CSV format. So…
It takes a little attention to reach the vulnerable point.
Steps to Reproduce the issue :-
1. Log in to the account and go to this page (subdomain.example.com/members)
2. On the right side there is a settings gear button; click it, then > Export members
3. Now the website sends a link to your registered email-id, which looks like
4. When I click the link, my organisation's data downloads automatically
What's going on:
5. If I change the id, it logs my account out without any notification
So after some time I checked the request again, this time with the Burp Suite "HTTP history" tab open. There were too many requests going on; when I clicked the link I saw the request below, which looked a little weird compared to the others, so I checked why it was different. You will understand why this request got my attention; you guys are smart, so no need to explain further! :)
Technical Information :
GET /uploads/export/file/29956/29956.csv HTTP/1.1
Did you notice what's going on in the above request?
No session key, authentication key, or anything else that verifies the identity of the previous user. So you know what an attacker can do next: change the id to another organisation's id and all of that organisation's data comes back in the response!
P.S. I don't know whether it's an Amazon misconfiguration or a developer mistake, so don't focus on the title.
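To make the missing check concrete, here is an added example (my own code, not the bug bounty site's) that models the export endpoint from the request above. The export ids, organisation ids, session tokens, CSV contents and access-log lines are all constructed sample data; only the path shape /uploads/export/file/<id>/<id>.csv comes from the post. It shows the unprotected handler (the path alone selects the file), the hardened handler (valid session required, and the export must belong to the caller's organisation), and a small log check a defender can run to spot one client pulling many different export ids.

```python
"""Object-level authorization for an export-download endpoint (added example)."""
import re
from dataclasses import dataclass

# Constructed sample data: export id -> owning organisation id and file bytes.
# In a real deployment this mapping would live in the database / object store.
EXPORTS = {
    29956: {"org_id": 100, "csv": b"name,email\nalice,alice@example.com\n"},
    29957: {"org_id": 200, "csv": b"name,email\nbob,bob@example.com\n"},
}

# Constructed sample sessions: token -> user id, organisation id, admin flag.
SESSIONS = {
    "sess-org100-admin": {"user_id": 1, "org_id": 100, "is_admin": True},
    "sess-org200-admin": {"user_id": 2, "org_id": 200, "is_admin": True},
    "sess-org100-member": {"user_id": 3, "org_id": 100, "is_admin": False},
}

# Path shape from the post: /uploads/export/file/<id>/<id>.csv
EXPORT_PATH = re.compile(r"^/uploads/export/file/(\d+)/(\d+)\.csv$")


@dataclass
class Response:
    status: int
    body: bytes = b""


def serve_export_unprotected(path):
    """The pattern the post describes: whoever knows the path gets the file."""
    m = EXPORT_PATH.match(path)
    if not m:
        return Response(404)
    export = EXPORTS.get(int(m.group(1)))
    if export is None:
        return Response(404)
    return Response(200, export["csv"])


def serve_export_protected(path, session_token):
    """Hardened handler: authenticate first, then authorize against the owning org."""
    m = EXPORT_PATH.match(path)
    if not m or m.group(1) != m.group(2):
        return Response(404)
    session = SESSIONS.get(session_token) if session_token else None
    if session is None:
        return Response(401)  # no valid session: never serve organisation data
    export = EXPORTS.get(int(m.group(1)))
    # Answer 404 (not 403) for ids of other organisations, so the status code
    # does not confirm which export ids exist.
    if export is None or export["org_id"] != session["org_id"]:
        return Response(404)
    if not session["is_admin"]:
        return Response(403)  # exports are admin-only, as the post states
    return Response(200, export["csv"])


# Constructed sample access-log lines (simplified combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2018:10:00:01 +0000] "GET /uploads/export/file/29956/29956.csv HTTP/1.1" 200 4120
10.0.0.9 - - [26/Oct/2018:10:00:07 +0000] "GET /uploads/export/file/29957/29957.csv HTTP/1.1" 200 3980
10.0.0.9 - - [26/Oct/2018:10:00:08 +0000] "GET /uploads/export/file/29958/29958.csv HTTP/1.1" 200 4001
10.0.0.9 - - [26/Oct/2018:10:00:09 +0000] "GET /uploads/export/file/29959/29959.csv HTTP/1.1" 404 0
10.0.0.5 - - [26/Oct/2018:10:00:15 +0000] "GET /members HTTP/1.1" 200 8800
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"GET /uploads/export/file/(?P<id>\d+)/\d+\.csv HTTP'
)


def suspicious_export_clients(log_text, threshold=2):
    """Return {client ip: distinct export ids requested} for clients at or above
    the threshold. A legitimate admin fetches its own export; one client walking
    several ids is the access pattern this bug makes possible."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        seen.setdefault(m.group("ip"), set()).add(m.group("id"))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(serve_export_unprotected("/uploads/export/file/29957/29957.csv").status)   # 200: the flaw
    print(serve_export_protected("/uploads/export/file/29957/29957.csv", None).status)  # 401
    print(serve_export_protected("/uploads/export/file/29957/29957.csv", "sess-org100-admin").status)  # 404
    print(suspicious_export_clients(SAMPLE_LOG))  # {'10.0.0.9': 3}
```

The key design point is that the file id in the URL is never trusted on its own: the session decides who is asking, and the export's owning organisation decides whether that caller may have it. The log check is deliberately simple; in production you would key it on the authenticated user as well as the client address and alert on the 404s too, since a walk across ids produces them.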
Thanks for Reading !
Follow me on Twitter if you want :)
26/10/2018 — Report Sent
26/10/2018 — Report Triaged
01/11/2018 — Report Resolved
01/11/2018 — Bounty $2000 and $500 Bonus