How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration?

Muhammad Asim Shahzad
Jun 16 · 5 min read

Hello everyone,

Assalam-o-Alaikum, This is Muhammad Asim Shahzad a.k.a protector47!

Today I am gonna share my another interesting finding through which I earned $1,500 in just 15 mins.

The target application was Dropbox, I mostly used DropBox for upload and sharing data because DropBox is one of the most secure and trusted platforms. But nothing is 100% secure :)

I am gonna share a vulnerability which only exists when some applications are using the third party CDN(Content Delivery Network) like Amazon and Cloudflare etc with ACL(Access control list) not properly configured.

What is Security misconfiguration?

Security misconfiguration is very common and can happen at any level of an application stack. If the security settings are misconfigured, threat agents — such as external attackers as well as authorized users — may attempt to compromise the system. Occasionally, such access results in a complete system compromise.

What is the Access Control List (ACL)?

An access control list, with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.

What is Content Delivery Network?

A content delivery network or content distribution network is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and high performance by distributing the service spatially relative to end-users.

What is Amazon S3 bucket?

An Amazon S3 bucket is a public cloud storage resource available in Amazon Web Services’ (AWS) Simple Storage Service (S3), an object storage offering. Amazon S3 buckets, which are similar to file folders, store objects, which consist of data and its descriptive metadata.

I managed to find an Amazon s3 misconfigured bucket of DropBox which allows me to upload, view and delete any file placed on the bucket.

How to find S3 buckets of a target application?

There are multiple ways to find an associated Amazon s3 bucket of the target application, I will try to share all possible way to find the bucket of the target application.

Method # 1:

You can use many online tools which are available on GitHub to find S3 bucket of a website. I would like to list down a few of them:
1) Lazy S3
2) bucket_finder
3) AWS Cred Scanner
4) sandcastle
5) Mass3
6) Dumpster Diver
7) S3 Bucket Finder
8) S3Scanner

Almost all tools are command line tools, You have can clone them from GitHub.

Method # 2:

Check out the server information from wappalyzer (Google Extension) or via the response of any request for the target application. You can identify whether the target application is using Amazon to store data or not.

Method # 3:

Right click on any image of the target application and open image in new tab. If the image URL looks like this:

http://xyz.s3.amazonaws.com/campaign_body_images/images/ac99313b2e85b0dce2006fd997822b9c630cec3e/b1.gif

It means the target application is storing their data to the Amazon server and the bucket name is “xyz”. Anything before “.s3" in the URL is the bucket name of the target application.

Method # 4:

Use the BURP Suite and spider the target web application. BURP Spider plugin is one my favorite plugin it 100% extract the Amazon bucket of the target application.

Method # 5:

Check HTTP History in BURP Suite during interception and pentesting, BURP capture the Amazon bucket URL because the images fetch from the Amazon server when you open the website.

These are some common methods to identify the target application using Amazon CDN or not. If you guys know any other methods or tools then kindly share in the comment section to spread knowledge and make the internet safer.

How I earned $1,500 in just 15 mins?

To be very honest, It's hard to manage time for Bug Bounty with Job and if you want to do both things together then you need to be faster than anyone else.

Finally, I got a free weekend and I decided to do some Bug Bounty. I select DropBox and start working.

Always focus on subdomains of any target application, and try to enumerate the subdomains as much as you can. Because most of the critical vulnerabilities are triggered on website subdomain, Main/parent domain is obviously more secure than the application subdomains.

Most of the companies do not focus on their subdomains security, they put all the security control on their main/parent domain.

I just found a subdomain of DropBox that contains an image and when I open the image via direct link, then I observed It was uploaded on an Amazon bucket

The URL looked like:

http://xyz.s3.amazonaws.com/campaign_body_images/images/ac99313b2e85b0dce2006fd997822b9c630cec3e/b1.gif

then without wasting the time I opened AWSCLI on Kali Linux and try to upload/move the file to the DropBox amazon bucket and boooooom!!!

It was uploaded on DropBox amazon bucket and accessed via direct URL :-)

I was like:

Celebration time.

The whole working was done within 15 mins ahahahahah :)

I got the bounty of $1,500 from Dropbox in the next 3 hours!

How to exploit misconfigured Amazon buckets with AWSCLI?

First, you have to install AWSCLI on your Linux environment.

Here is the link below:

https://github.com/aws/aws-cli

Suppose the bucket name is “xyz”

How to list the content of a misconfigured Amazon Bucket?

Here is the command to list the content of Amazon bucket, It only works when target application does not disabled the directory listing of the Amazon bucket.

aws s3 ls s3://xyz

How to move or upload a file to a misconfigured Amazon bucket?

Here is the command to move or upload the file to Amazon bucket. It only works when proper ACL not applied.

aws s3 mv yourfile_path s3://xyz/test-file.txt

To verify you can access your file via direct URL The uploaded file may contain some malicious script, phishing login panels or any virus, etc

Remediation:

  1. Apply proper ACL, Disable writes permission to avoid uploading the file from an external user.
  2. Disable directory listing to avoid view the content of the Amazon bucket.
  3. Make sure to apply the proper policies on buckets and objects to handle the CORS request securely.

References:

Muhammad Asim Shahzad

Written by

Synack Red Team Member | Bug Bounty Hunter at HackerOne | Pentest Engineer at Trillium Information Security Systems.