Introduction
Bug bounties have become an exciting way for security researchers to help secure digital platforms while getting rewarded for their efforts. In this write-up, I will share how I identified and exploited an Amazon S3 bucket takeover vulnerability as part of Red Bull’s bug bounty program, and how it led to a rewarding discovery.
The Journey Begins: Setting Up Domain Monitoring
The Red Bull bug bounty program publishes a well-defined scope listing the domains security researchers are allowed to test (the list is kept in a public GitHub gist). One of the critical steps in my approach was to set up a domain monitoring script that tracks changes to that scope, so that I would catch any addition or removal as soon as it happened. I asked ChatGPT to write the script.
The Script
import requests
import time

API_TOKEN = 'Your_Telegram_Bot_API_Token'
CHAT_ID = 'Your_Telegram_Chat_ID'
GIST_URL = 'https://gist.githubusercontent.com/RedBullSecurity/3eb88debcb01759eccf65ec2b799b340/raw/redbull-bug-bounty-scope-rb-only.txt'

previous_urls = []


def send_telegram_message(message):
    # Telegram Bot API: a plain POST to sendMessage with the chat id and text
    url = f'https://api.telegram.org/bot{API_TOKEN}/sendMessage'
    data = {'chat_id': CHAT_ID, 'text': message}
    requests.post(url, data=data, timeout=10)


while True:
    try:
        response = requests.get(GIST_URL, timeout=10)
        response.raise_for_status()
    except requests.RequestException as err:
        # A failed fetch must not be reported as "every URL was deleted"
        print(f'Fetch failed: {err}')
        time.sleep(60)
        continue
    # One scope entry per line; ignore blank lines and surrounding whitespace
    current_urls = [line.strip() for line in response.text.splitlines() if line.strip()]
    new_urls = [url for url in current_urls if url not in previous_urls]
    deleted_urls = [url for url in previous_urls if url not in current_urls]
    if new_urls:
        send_telegram_message("New URLs added:\n" + "\n".join(new_urls))
    if deleted_urls:
        send_telegram_message("URLs deleted:\n" + "\n".join(deleted_urls))
    # Remember this snapshot so only the delta is reported next time.
    # On the first pass everything counts as new, which doubles as a check that the bot works.
    previous_urls = current_urls
    time.sleep(60)  # Check every 1 minute
This script worked seamlessly on my VPS, sending a Telegram notification whenever the scope changed. One caveat: Telegram rejects messages longer than 4096 characters, so a very large first diff may need to be split. Monitoring scope is an important part of bug hunting, as programs update their scope regularly, and missing an update can mean missing a vulnerability that nobody else has looked at yet.
The next morning, my script flagged a newly added domain. That was my cue to dive into it and assess any potential security issues, and it didn’t take long to find that an Amazon S3 bucket associated with the domain was misconfigured.
Exploitation: The S3 Bucket Takeover
Upon identifying the S3 bucket, I tested for common misconfigurations such as public write permissions. The bucket turned out to be vulnerable: it granted write access to everyone, which effectively let me take over its contents. Here are the steps I followed:
1. Enumerating the bucket: using awscli, I enumerated the permissions (the ACL) associated with the bucket.
2. Testing for the vulnerability: the bucket allowed public write access, which meant anyone could upload arbitrary files to it.
3. Confirming the takeover: by uploading a simple HTML file and then retrieving it over the public URL, I confirmed the issue.
Reporting and Reward
Once I confirmed the vulnerability, I immediately reported it to Red Bull’s security team. The responsible disclosure process went smoothly, and I was rewarded with three trays of Red Bull as a token of appreciation!
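The three checks above (read the bucket ACL, look for anonymous write, confirm with a harmless upload) in Python, using only the standard library. This is an added example and not the author’s commands or output. It assumes the bucket answers at the global virtual-hosted endpoint bucket.s3.amazonaws.com and that the anonymous caller is allowed to read the ACL at all; the SAMPLE_ACL document is constructed for illustration, not captured from any real bucket.

```python
# Added example: anonymous S3 ACL check and write probe (not the author's code).
# SAMPLE_ACL below is constructed; the endpoint format is an assumption.
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Grantee URIs that mean "everyone" and "any AWS account", respectively
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed sample of what GET /?acl returns for a misconfigured bucket
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>0123456789abcdef</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>0123456789abcdef</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>WRITE</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
"""


def _local(tag):
    """Drop the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def public_grants(acl_xml):
    """Step 1: map each public group to the sorted list of permissions it holds."""
    found = {}
    for grant in ET.fromstring(acl_xml).iter():
        if _local(grant.tag) != "Grant":
            continue
        uri = perm = None
        for el in grant.iter():
            if _local(el.tag) == "URI":
                uri = el.text.strip()
            elif _local(el.tag) == "Permission":
                perm = el.text.strip()
        if uri in PUBLIC_GROUPS and perm:
            found.setdefault(PUBLIC_GROUPS[uri], set()).add(perm)
    return {group: sorted(perms) for group, perms in found.items()}


def writable_by_anyone(acl_xml):
    """Step 2: WRITE or FULL_CONTROL for AllUsers lets anyone upload or overwrite objects."""
    return bool(set(public_grants(acl_xml).get("AllUsers", [])) & {"WRITE", "FULL_CONTROL"})


def fetch_acl(bucket):
    """Unauthenticated GET /?acl. Returns None on an HTTP error; a 403 only means
    the ACL is not readable anonymously, not that the bucket is safe from writes."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/?acl")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        print(f"{bucket}: HTTP {err.code} reading ACL", file=sys.stderr)
        return None


def probe_write(bucket, key, body=b"bug bounty proof of concept, safe to delete\n"):
    """Step 3: unauthenticated PUT of a harmless, uniquely named object; 200 means
    the upload succeeded. Objects uploaded anonymously are owned by the anonymous
    principal, so the bucket owner may not be able to remove them: keep the body
    harmless, use a unique key, and agree cleanup with the program."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/{key}",
                                 data=body, method="PUT",
                                 headers={"Content-Type": "text/plain"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 s3check.py <bucket-name>
        acl = fetch_acl(sys.argv[1])
        if acl:
            print(public_grants(acl))
            print("anonymous write:", writable_by_anyone(acl))
    else:  # offline: run against the constructed sample
        print(public_grants(SAMPLE_ACL))
        print("anonymous write:", writable_by_anyone(SAMPLE_ACL))
```

The ACL parser is what turns an `aws s3api get-bucket-acl` style response into a yes/no answer; the write probe is the equivalent of the author’s HTML upload, and in a real engagement the retrieval of that object over the public URL is the final proof. Note that a bucket whose ACL is private can still be writable through a bucket policy, so a 403 on the ACL read is a reason to try the PUT, not to stop.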
Conclusion
This experience highlights the importance of monitoring scope changes and the potential that lies in seemingly small misconfigurations. The automation script played a crucial role in helping me identify the vulnerability quickly, demonstrating the power of combining scripting with security research.
If you’re interested in bug bounties, always stay updated with scope changes, and don’t forget to automate where possible — it could lead to your next big find!
LinkedIn : https://www.linkedin.com/in/mohamed-saqib/