S3 Bucket Takeover: Discovering a Bucket Inside a Bucket for $1000
In this article, I will write about a security vulnerability I found in a private program associated with the HackerOne platform and highlight the key points we need to focus on. Let’s call the company XYZ.
In the XYZ company, the scope was extended to include all subdomains of xyz.com (*.xyz.com). The first step here will be to find all subdomains. There are many tools available for this purpose, and I used the subfinder tool to find approximately 250 subdomains.
Our next step is to examine each of these sites in detail. I use a Chrome extension that can open all the domains I’ve found at once, and I start checking all the subdomains. Later, on the subdomain abc.xyz.com, we notice that an AWS S3 bucket is running. When we see that read permissions are not restricted, meaning it is public, we consider the possibility of sensitive information leakage and immediately start looking at the files inside. After running the following command on the AWS CLI, we confirm that the bucket is public. I tried other operations besides “ls” as well.
aws s3 ls abc.xyz.com
Later, when I looked under the “samples” folder, I found around 20 test projects. These were different web applications where login and some tokens were being tested.
aws s3 ls abc.xyz.com/samples/
After I started browsing through them one by one, a block of JavaScript code found in the page source of one…
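The public listing the article confirms with aws s3 ls, seen from the bucket owner's side: an added audit (not code from the article or from XYZ) that evaluates the bucket's ACL, bucket policy and Block Public Access settings as returned by the aws s3api get-bucket-acl, get-bucket-policy and get-public-access-block commands, so it can run offline on saved output. The sample documents, the OWNER-ID-PLACEHOLDER value and the function names are constructed for the example.

```python
"""Audit an S3 bucket for public access, the misconfiguration behind the listing
in this article. Inputs are the JSON documents returned by `aws s3api get-bucket-acl`,
`get-bucket-policy` and `get-public-access-block`; sample documents are constructed."""

# AWS-defined grantee groups; a grant to either makes the ACL public.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_permissions(acl: dict) -> set:
    """Permissions the ACL grants to everyone; READ means the bucket is listable."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.add(grant["Permission"])
    return perms

def policy_public_actions(policy: dict) -> set:
    """S3 actions the bucket policy allows to an anonymous ('*') principal."""
    actions = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous:
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def audit_bucket(acl: dict, policy: dict, pab: dict) -> list:
    """Effective public exposures (empty list = not public). Block Public Access
    settings, when enabled, override a public ACL or policy."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings = []
    if not cfg.get("IgnorePublicAcls"):
        findings += [f"ACL grants {p} to everyone" for p in sorted(acl_public_permissions(acl))]
    if not cfg.get("RestrictPublicBuckets"):
        findings += [f"policy allows {a} to anyone" for a in sorted(policy_public_actions(policy))]
    return findings

# Constructed sample matching the article: everyone has READ via the ACL,
# no bucket policy, and no Block Public Access configuration on the bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": []}
SAMPLE_PAB = {}  # get-public-access-block returns an error when nothing is configured
```

Enabling all four Block Public Access settings on the bucket (aws s3api put-public-access-block) empties the findings even if the public ACL grant is left in place, which is the quickest remediation for the case described above.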