Cloud

AWS

s3

disclosing bucket names

1. Using errors

If you find a static website hosted on S3 and want to find the original bucket name that hosts the content, you can use this script to find the original bucket.

The screenshot below shows a website hosted on s3

To find the original bucket name, run the script:

It sends multiple requests to the endpoint with certain characters, trying to trigger an error response that leaks the bucket name.

2. With CNAME/nslookup

The domain could simply be a CNAME alias of the S3 endpoint, so a DNS lookup of the domain (for example with nslookup) can reveal the bucket name.

3. FQDN

Another common setup: the fully qualified domain name (FQDN) itself could be the actual S3 bucket name. For example, the FQDN in this case would be d278x994b7tw25.cloudfront.net, so we can check whether a bucket with that name exists:
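The two DNS-based cases above (a CNAME pointing at an S3 or Google Cloud Storage endpoint, and an FQDN that is itself a valid bucket name) are easy to audit from your own zone data before anyone else does. The following Python is an added example, not the script the page links to and not part of the original notes: it walks a constructed zone export, reports every CNAME that aliases a storage bucket (extracting the bucket name and, where the hostname encodes it, the region), and flags FQDNs that satisfy S3 bucket naming rules so the owner can confirm the matching bucket's access policy. The endpoint patterns are assumptions that cover the common virtual-hosted and website endpoint forms only; `c.storage.googleapis.com` is the documented CNAME target for GCS-hosted sites, where the bucket is named after the domain itself.

```python
import re
from typing import Iterable, List, Optional, Tuple

# AWS S3 virtual-hosted-style and website endpoints, e.g.
#   bucket.s3.amazonaws.com
#   bucket.s3.eu-west-1.amazonaws.com
#   bucket.s3-website-us-east-1.amazonaws.com
#   bucket.s3-website.eu-west-1.amazonaws.com
# Assumption: dualstack, access-point and FIPS endpoint forms are not covered.
_S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?"
    r"\.amazonaws\.com$"
)

# Google Cloud Storage bucket-hosted form: <bucket>.storage.googleapis.com
_GCS_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9._-]{1,61}[a-z0-9])\.storage\.googleapis\.com$"
)
# For GCS-hosted websites the documented CNAME target is this fixed host and
# the bucket name equals the DNS record name itself.
_GCS_WEBSITE_CNAME = "c.storage.googleapis.com"

# Subset of the S3 bucket naming rules: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starts and ends with a letter or digit, no consecutive
# dots, not formatted like an IPv4 address. (Prefix/suffix reservations such
# as "xn--" and "-s3alias" are not checked here.)
_BUCKET_NAME = re.compile(
    r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9](?:[a-z0-9-]|\.(?!\.)){1,61}[a-z0-9]$"
)


def classify_target(name: str, target: str) -> Optional[dict]:
    """Return provider/bucket/region if `target` aliases a storage bucket, else None."""
    t = target.lower().rstrip(".")
    m = _S3_HOST.match(t)
    if m:
        # region is None for the global endpoint, which does not encode one
        return {"provider": "aws-s3", "bucket": m["bucket"], "region": m["region"]}
    if t == _GCS_WEBSITE_CNAME:
        return {"provider": "gcs", "bucket": name.lower().rstrip("."), "region": None}
    m = _GCS_HOST.match(t)
    if m:
        return {"provider": "gcs", "bucket": m["bucket"], "region": None}
    return None


def could_be_bucket_name(fqdn: str) -> bool:
    """True if the FQDN itself is a syntactically valid S3 bucket name (case 3 above)."""
    return bool(_BUCKET_NAME.match(fqdn.lower().rstrip(".")))


def audit_zone(records: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Walk (name, rtype, target) records and collect bucket-related findings."""
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        hit = classify_target(name, target)
        if hit is not None:
            findings.append({"name": name, "kind": "bucket-alias", **hit})
        elif could_be_bucket_name(target):
            # CNAME target is not a storage endpoint, but its name would be a
            # legal bucket name: worth confirming the bucket is not yours/open.
            findings.append({"name": name, "kind": "bucket-name-shaped-target",
                             "provider": None, "bucket": target.lower().rstrip("."),
                             "region": None})
    return findings


# Constructed sample zone export; none of these hosts are real infrastructure.
SAMPLE_ZONE = [
    ("static.example.test", "CNAME", "static-assets-example.s3-website-us-east-1.amazonaws.com."),
    ("files.example.test", "CNAME", "example-files.s3.eu-west-1.amazonaws.com"),
    ("www.example.test", "CNAME", "c.storage.googleapis.com."),
    ("cdn.example.test", "CNAME", "d278x994b7tw25.cloudfront.net"),
    ("mail.example.test", "MX", "mail.example.test"),
]

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
```

Run it against a real zone export (one `(name, type, target)` tuple per record) and treat every `bucket-alias` finding as a bucket whose name is discoverable from DNS alone; the right response is to make sure each such bucket has the access policy you intend, not to rename it.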

4. Internal redirection referencing the S3 bucket by URL path

Google GCP

Google Cloud Storage (the GCP equivalent of S3)

If you find a static website hosted on Google Cloud Storage and want to find the original bucket name that hosts the content, you can use the same script to find the original bucket.

http://5fc0081be20b5faabf10b.ctf.hackaplaneten.se/xyzabc/okok?AWSAccessKeyId=AKIAIRD3G7SO7PDREOYA&Expires=1685104439&Signature=

This request, which carries an access key ID but no signature, produces an error response on Google Cloud Storage that leaks the bucket name.

References:
