Hunting publicly accessible DigitalOcean Spaces for Pentesters

How to leverage DigitalOcean Spaces during reconnaissance

Disruptive Labs, Nov 27, 2017

A few months ago DigitalOcean announced Spaces, an object storage service.

Spaces is a storage service like Amazon’s S3. Spaces provides interesting opportunities from a reconnaissance and OSINT perspective.

What’s DigitalOcean Spaces?

DigitalOcean Spaces is an object storage service. Spaces allows users to store and serve large amounts of data.

Spaces are ideal for storing static, unstructured data like audio, video, documents, images and logs as well as large amounts of text.

Users can store files in a “Space”. Each Space gets a unique, predictable URL and each file in a Space gets a unique URL as well. Access control mechanisms are available at both the Space and the file level.

DigitalOcean Spaces URL pattern

DigitalOcean Spaces — OSINT angle

Spaces is a storage service where users can store large amounts of data in various formats.

In our experience, given an option, users will store anything on third-party services, from their personal documents, passwords in plain text files to pictures of their pets.

Due to the nature of the Spaces service, it is a treasure trove of information from an attacker’s or penetration tester’s perspective. Studies on services similar to Spaces, like Amazon S3, have shown that a large number of buckets are poorly configured and are exposing sensitive data.

Hunting for publicly accessible Spaces

Object storage services like Amazon S3 and DO Spaces are accessible using a predictable URL. As a penetration tester you can use various sub-domain enumeration techniques to discover whether an organisation is using an object storage service.

We wrote an extensive blog post on sub-domain enumeration techniques that you can use to find an organisation’s sub-domains and, in turn, any storage service that they are using on any of those sub-domains.

Once you have identified a DO Space used by an organisation, you’ll have to figure out the permissions of that Space. A Space is typically considered “public” if any user can list the contents of the Space, and “private” if the Space’s contents can only be listed or written by certain users. You simply have to browse to the URL of a Space to check whether it is public or private.

A public Space will list all of its files and directories to any user that asks.

A response from public DigitalOcean Space
A response from private DigitalOcean Space

We wanted to write a tool to find publicly accessible Spaces using a dictionary based approach, like “Bucket Finder” for S3 Buckets.

Fortunately, DigitalOcean provides a well documented XML API to interact with Spaces.

Spaces API aims to be interoperable with Amazon’s AWS S3 API.

Since the Spaces API is interoperable with Amazon’s S3 API, we decided to find and reuse an existing S3 bucket enumeration tool by modifying it to work with Spaces.

AWSBucketDump by Jordan Potti is an open source tool that can look for publicly accessible S3 buckets using a dictionary approach, list all the accessible files on a public bucket and download the files. We tweaked the tool to work with Spaces. Our tool, “Spaces finder”, is available on our GitHub.

“Spaces finder” looks for publicly accessible Spaces using a wordlist.
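As an added example (not the Spaces finder tool or DigitalOcean’s own code), the helper below does the public/private check described above in code: it classifies the S3-style XML a Space returns when you browse its root URL and pulls the exposed object keys out of a public listing, so a team can audit the Space names it is responsible for. The region, Space name and XML bodies are constructed samples, and the sensitive-suffix list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies (not captured from any real Space), shaped like the
# S3-compatible XML the Spaces API returns for GET / on a Space.
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-assets</Name><Prefix></Prefix><IsTruncated>false</IsTruncated>
  <Contents><Key>backups/db-2017-11.sql</Key><Size>1024</Size></Contents>
  <Contents><Key>images/logo.png</Key><Size>512</Size></Contents>
</ListBucketResult>"""
PRIVATE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
MISSING_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"""
# Assumed list of suffixes that rarely belong in a world-listable Space.
SENSITIVE_SUFFIXES = (".sql", ".bak", ".env", ".pem", ".key", ".log", ".csv")

def space_url(name, region="nyc3"):
    """Predictable Space URL: https://<space>.<region>.digitaloceanspaces.com/"""
    return f"https://{name}.{region}.digitaloceanspaces.com/"

def _local(tag):
    """Drop the XML namespace so tags match with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def classify_listing(status, body):
    """Return (state, keys) for a GET / response on a Space: 200 + ListBucketResult
    is public (anyone can list), AccessDenied is private, NoSuchBucket is unused."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:  # HTML error page, empty body, etc.
        return "unknown", []
    if status == 200 and _local(root.tag) == "ListBucketResult":
        return "public", [el.text for el in root.iter() if _local(el.tag) == "Key"]
    if _local(root.tag) == "Error":
        code = next((el.text for el in root.iter() if _local(el.tag) == "Code"), None)
        if code == "AccessDenied":
            return "private", []
        if code == "NoSuchBucket":
            return "nonexistent", []
    return "unknown", []

def flag_sensitive(keys):
    """Keys from a public listing whose suffix suggests data that should not be exposed."""
    return [k for k in keys if k.lower().endswith(SENSITIVE_SUFFIXES)]

if __name__ == "__main__":
    for status, body in ((200, PUBLIC_LISTING), (403, PRIVATE_RESPONSE), (404, MISSING_RESPONSE)):
        state, keys = classify_listing(status, body)
        print(space_url("example-assets"), state, flag_sensitive(keys))
```

To run it against a live Space you own, fetch `space_url(name, region)` with any HTTP client and pass the status code and body to `classify_listing`; anything reported as public with flagged keys deserves a permissions review.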

Conclusion

DigitalOcean Spaces is definitely an interesting service to look at while conducting reconnaissance. As DigitalOcean Spaces is a new service, we don’t find a lot of publicly accessible Spaces or sensitive data on them yet, but as the user base for Spaces grows, we’ll definitely be able to find all sorts of interesting data being hosted on publicly accessible Spaces.


At Appsecco we provide advice, testing, training and insight around software and website security, especially anything that’s online, and its associated hosting infrastructure — Websites, e-commerce sites, online platforms, mobile technology, web-based services etc.

If something is accessible from the internet or a person’s computer we can help make sure it is safe and secure.
