Bug Bounty Hunting Tips #3 — Kicking S3 Buckets
--
There has been a lot of press recently about misconfigured Amazon S3 buckets leaking confidential information. The root cause of this is that in the past S3 buckets have been incredibly easy to misconfigure. Sometimes buckets are made web accessible by anyone. Other times buckets are web restricted but can be accessed through Amazon S3 API by any authorised user.
Due to the nature and number of these breaches, Amazon have recently released their Trusted Advisor service for S3 for free to everyone to try to crack down on the problem. The challenge now is getting people to look at the new output and make changes based on the feedback. In the meantime, let’s have some fun kicking over S3 buckets to see what bounties fall out.
Finding S3 Buckets
S3 buckets are all reachable via a web interface, whether access is permitted or not. The URL format is:
http://<bucketname>.s3.amazonaws.com
- or -
http://s3.amazonaws.com/<bucketname>
The naming convention for S3 buckets can be summarised as follows:
- Bucket names must be at least 3 and no more than 63 characters long.
- Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period (.). Bucket names can contain lowercase letters, numbers, and hyphens. Each label must start and end with a lowercase letter or a number.
- Bucket names must not be formatted as an IP address (for example, 192.168.5.4).
This means that there is a finite number of S3 buckets possible, even if this number is very, very large. In theory, with enough time and resources, you could kick every possible bucket URL to see if they exist. If you did so you would get one of the following HTTP response codes for each request:
- 404 - bucket not found (bucket does not exist)
- 403 - bucket found but access denied via the web(bucket does exist! Make a note of this)
- 200 - bucket found and accessible via the web!
By kicking every possible URL you can get a complete list of all buckets that exist. Anything web accessible, go have a look and see what you can find. Anything not web accessible, fear not, there’s still more we can do later via the S3 API.
