🎯Attacks, Techniques, and Tools
Tools and techniques for attacking, exploiting, and enumerating AWS S3
Code Injection
If an S3 bucket hosting a static website permits the mv command, someone could maliciously replace the webpage with another.
Identify S3 Bucket Names
Since every S3 bucket has a unique URL, buckets can be discovered automatically.
cloudenum.py
cloudenum.py works by brute-forcing bucket names and reporting whether each bucket exists based on HTTP status codes. If a bucket is discovered, it attempts to list its contents (s3:ListBucket).
Subdomain Takeover
S3 buckets can host static websites and leverage a domain name by having an associated CNAME record configured. This allows you to go to mywebsite.com instead of https://mywebsite.s3.amazonaws.com. However, if the bucket is deleted but the CNAME still exists, an attacker can create a new bucket and website, effectively routing any traffic to the attacker's website.
This attack can be discovered while navigating to a domain and receiving a 404 error along with the code NoSuchBucket. The examples below show a bucket without a CNAME record, but the same error messages would show regardless.
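A defender-side audit for the dangling-CNAME condition described above, as an added example that is not part of the original page: it walks CNAME records exported from your own zone, keeps only those pointing at S3 endpoints, and flags the ones whose response is a 404 carrying NoSuchBucket. The hostnames, the `fetch` callable and the abbreviated response bodies are constructed assumptions.

```python
import re
import urllib.error
import urllib.request

# CNAME targets that point at S3 REST or static-website endpoints.
S3_TARGET = re.compile(r"\.s3[a-z0-9.-]*\.amazonaws\.com\.?$", re.I)
# S3 returns the error code as XML (<Code>..</Code>) or HTML (Code: ..).
ERR_CODE = re.compile(r"(?:<Code>|Code:\s*)(\w+)")
ERR_BUCKET = re.compile(r"(?:<BucketName>|BucketName:\s*)([\w.-]+)")

def is_dangling(status, body):
    """True only for NoSuchBucket; a 404 with NoSuchKey means the bucket exists."""
    code = ERR_CODE.search(body or "")
    return status == 404 and bool(code) and code.group(1) == "NoSuchBucket"

def audit(records, fetch):
    """records: (hostname, cname_target) pairs; fetch: hostname -> (status, body)."""
    findings = []
    for host, target in records:
        if not S3_TARGET.search(target):
            continue  # skip non-S3 targets without sending a request
        status, body = fetch(host)
        if is_dangling(status, body):
            bucket = ERR_BUCKET.search(body)
            findings.append((host, target, bucket.group(1) if bucket else None))
    return findings

def http_fetch(host, timeout=5):
    """Live fetcher for real audits; the sample below does not use it."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")

# Constructed sample data: hypothetical hostnames and abbreviated responses.
SAMPLE_ZONE = [
    ("www.example.test", "www.example.test.s3-website-us-east-1.amazonaws.com."),
    ("docs.example.test", "docs.example.test.s3.amazonaws.com."),
    ("mail.example.test", "mx.mailhost.example."),
]
SAMPLE_RESPONSES = {
    "www.example.test": (404, "<li>Code: NoSuchBucket</li><li>BucketName: www.example.test</li>"),
    "docs.example.test": (404, "<Error><Code>NoSuchKey</Code></Error>"),
}
```

Calling `audit(SAMPLE_ZONE, SAMPLE_RESPONSES.get)` runs it offline against the sample; pass `http_fetch` instead to check live records. Any flagged record should have its CNAME removed or its bucket re-created under your own account.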
Exploit