Hello fellow hacker, hope you’re doing well. In this write-up, I’ll discuss a bug I discovered across multiple AWS URLs within a private bug bounty program on Bugcrowd.
As part of my standard procedure for identifying vulnerabilities, I begin by focusing on areas highlighted by the company. For instance, in the program where I discovered this bug, they specifically mention:
Focus Areas:
Cross-customer access
Remote code execution
Malicious uploads
Authentication/Authorization issues
SAML implementation flaws
Insecure direct object references
Vulnerabilities that expose confidential client data
AWS platform configuration issues
No credentials were provided by the program. Thus, as with any attacker, enumeration is crucial. While examining their main website and inspecting in the debugger, I discovered that the website was communicating with multiple AWS endpoints. Selecting one, I attempted to enumerate various AWS issues such as index listing, but without success.
I then opted for a brute force attack on that instance, hoping to uncover something of interest. Indeed, my efforts bore fruit: I stumbled upon a .DS_Store file.
Alright, so the .DS_Store file contains 100 entries! What if each of these entries also contains a .DS_Store file, and so on? Sounds like a promising idea, doesn’t it? But should I search for it manually? Of course not! Python comes to our rescue. The following command extracts the directory and file names stored inside this .DS_Store file. You can find the script on GitHub: https://github.com/gehaxelt/Python-dsstore
┌──(root㉿kali)-[~]
└─# python3 main.py .DS_Store.23
Count: 79
.
.
.
.
19_0902_2014.pdf
19_1205_2013.pdf
29–3914.pdf
There were other directories inside this .DS_Store file; I prefer not to disclose them, as they may lead directly to the name of the company. Anyway, the other directories also contained .DS_Store files, so I made a script to check them one by one. The script was as follows:
import requests

# ANSI colours for terminal output
GREEN = '\033[92m'
RED = '\033[91m'
RESET = '\033[0m'


def check_ds_store(url):
    """Return True when a HEAD request to the candidate .DS_Store URL answers 200."""
    try:
        response = requests.head(url, timeout=10)
    except requests.RequestException:
        # Connection errors and timeouts count as "not found"
        return False
    return response.status_code == 200


def main():
    filename = input("Enter the name of the file containing directory names: ")
    try:
        with open(filename, 'r') as file:
            directories = file.readlines()
    except FileNotFoundError:
        print("File not found.")
        return

    base_url = "https://x.x.x.com"
    found_directories = []
    for directory in directories:
        directory = directory.strip()
        if not directory:
            continue
        # Join host and directory with exactly one slash, then append the target file
        ds_store_url = base_url.rstrip("/") + "/" + directory.strip("/") + "/.DS_Store"
        if check_ds_store(ds_store_url):
            print(f"{GREEN}DS_Store found in {directory}{RESET}")
            found_directories.append(directory)
        else:
            print(f"{RED}DS_Store not found in {directory}{RESET}")

    # Save found directories to a file
    with open('ds_found.txt', 'w') as found_file:
        for directory in found_directories:
            found_file.write(directory + '\n')


if __name__ == "__main__":
    main()
I was able to uncover several sensitive pieces of information, such as documents and a login page with only client-side authentication, which allowed me to bypass the authentication process. Upon reporting it, the team acknowledged the issue as a P3.
Thanks for reading ❤ :)
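The root cause here is macOS Finder metadata (.DS_Store) being uploaded together with the site files, where it hands out a directory listing the bucket itself would not. The following is an added example, not the author's script and not part of the original write-up, showing the defender's side: a pre-deployment check that walks a build artifact and flags any file that would leak such metadata before it is synced to a bucket. It matches on well-known filenames and also on the .DS_Store header bytes (version 1 followed by the magic "Bud1"), so a renamed copy is caught too. The denylist, the function names and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile

# Hypothetical denylist of desktop/IDE metadata files that should never reach a web root
METADATA_NAMES = {".DS_Store", "Thumbs.db", "desktop.ini"}
# Every .DS_Store file starts with a 4-byte version (1) followed by the magic "Bud1"
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"


def is_ds_store(path):
    """Return True if the file carries the .DS_Store header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(DS_STORE_MAGIC)) == DS_STORE_MAGIC
    except OSError:
        return False


def find_leaked_metadata(root):
    """Walk a build artifact and return sorted relative paths of files that would leak metadata."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in METADATA_NAMES or is_ds_store(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample artifact (not taken from the write-up) mixing real site files
    with a .DS_Store, a Thumbs.db and a renamed .DS_Store copy."""
    root = tempfile.mkdtemp(prefix="site-artifact-")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(root, ".DS_Store"), "wb") as fh:
        fh.write(DS_STORE_MAGIC + b"\x00" * 32)
    with open(os.path.join(root, "docs", "Thumbs.db"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0")  # arbitrary bytes; this one is caught by name
    with open(os.path.join(root, "docs", "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4")
    # Renamed copy: the name is harmless, the header is not
    with open(os.path.join(root, "assets", "cache.bin"), "wb") as fh:
        fh.write(DS_STORE_MAGIC)
    return root


if __name__ == "__main__":
    leaks = find_leaked_metadata(build_sample_tree())
    for path in leaks:
        print("metadata file would be published:", path)
    # Non-zero exit so a CI step blocks the upload when anything was flagged
    raise SystemExit(1 if leaks else 0)
```

Run it as a CI step against the directory that is about to be synced, in addition to the `--exclude` filters the AWS CLI's `s3 sync` supports; the header check matters because an exclude pattern only sees the filename.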
Discord: yassineakr
Linkedin: Yassine Akrachli