BOOK THIS SPACE FOR AD
ARTICLE ADThis is going to be the first blog of my bug hunting journey. As many of you are hunting for bugs in different bug hunting forums, I feel that sharing knowledge is like giving back to the security community which has given me a great platform to learn and grow.
I would like to thank everyone who has put extra effort to contribute to the community and help secure the internet from attacks.
In my initial phase of hunting for bug bounties, I was working on a gaming target and able to find out the simple but severe vulnerability in that platform. Let us check how did I enumerate and identified the issue.
AWS S3 bucket enabled for public access:
Enumeration:
Enumeration is the key to open wide our strategy and try to hack the application. As part of the initial enumeration phase, I was enumeration for a list of valid subdomains existing for the particular targets.
There are a plethora of tools available to identify subdomains for a particular target. Let me list down a few of them here for your reference.
Using the above tools the list of valid subdomains can be identified quickly. Now, I have a list of subdomains.
I was thinking of choosing a target subdomain to start the attacking methods. However, I wanted to run an automation script on the side which can identify other sorts of vulnerabilities in the application. So, my first go was to find out whether any cloud storage is being used or not. I started my enumeration for finding any AWS S3 bucket.
Note: One can use any list of regular expressions/subdomains list for enumerating AWS S3 buckets. Because most of the time organizations might use valid and reasonable naming conventions for S3 buckets. In my case, I have used a list of subdomains for finding AWS s3 buckets.
Tools to identify AWS s3 buckets:
Steps:
Download the S3scanner tool from the link: https://github.com/sa7mon/S3ScannerRun it for s3 bucket identification.Note: Merely finding the S3 buckets alone might not be accepted as a valid bug. I would suggest you to try read/write access in the bucket to showcase the impact of the vulnerability
3. Once the bucket is identified, try to upload/read a file from the bucket. Here, in this case, I have created an empty file and tried to upload it to the bucket and it was successful.
I immediately reported this issue and it was accepted as a valid bug.
Make sure all the Amazon S3 buckets you are using are marked as private.
Please like, share and support if you like this blog.