AppSec Team Lead @ Kiwi.com (hiring Cloud Security Engineer)
OWASP Czech Chapter Leader (looking for sponsors and speakers)
Bug bounty hunter
Subpar Python dev
CTF player with TUNA team
Hacker then comes,
chooses the site to hack,
reports the findings,
and gets paid only for the valid bugs.
Companies improve their security.
Hackers can do what they love, on targets of their choice, legally.
Software-as-a-Service (SaaS) platforms which offer a web application tailored to the needs of vulnerability disclosure.
$ aws s3 cp cat-image.png s3://cat-bucket
200 OK
$ aws s3 ls cat-bucket                    # authenticated
2019-02-12 13:37:23         42 cat-image.png
2019-02-11 04:42:02         78 secret-dog-image.png
AWS S3 allows granting public READ, LIST and WRITE (and more) permissions in a bucket's ACL.
Example of public LIST/READ:
$ curl https://cat-bucket.s3.amazonaws.com                 # public LIST
cat-image.png
secret-dog.png
...
$ curl https://cat-bucket.s3.amazonaws.com/secret-dog.png  # public READ
200 OK ...
For offense, you can use numerous OSS tools like goGetBucket
However, newly misconfigured buckets are now less prevalent as even AWS is finally waking up in the area of usable security 😢
... and most of the old buckets were already picked up by others
1. Optimize discovery
- Use DNS instead of HTTP
- Custom wordlists adjusted to the target
- Use the HEAD method if you need to use HTTP
- Check all permissions (READ_ACP or WRITE_ACP are often forgotten)
2. What about other object storage providers?
| Provider | Public permissions | Notes |
|---|---|---|
| AWS | ✓ ✓ ✓ ✓ ✓ | Good warnings (now), notification emails, bucket-only policy |
| Google Cloud | ✓ ✓ ✓ ✓ ✓ | Great warnings, bucket-only policy, write "AllUsers" instead of checkbox |
| Microsoft Azure | ✓ ✓ | Okay-ish warnings, (paid) ML addon to detect compromise |
| DigitalOcean | ✓ ✓ via API, via API, via API | Okay-ish warnings, but setting LIST via API won't show in UI 😈 (Won't fix) |
| Alibaba Cloud | ✓ ✓ | No public LIST 👏 |
| Oracle Cloud | ✓ ✓ | Not the best UI, but very difficult to enumerate valid buckets |
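A defender-side check for the S3 ACL permissions discussed above (READ, WRITE, and the often-forgotten READ_ACP / WRITE_ACP). This is an added example, not code from the slides or from goGetBucket; it works on the dict shape that boto3's `s3.get_bucket_acl()` returns, and the `SAMPLE_ACL` below is constructed so the script runs offline.

```python
"""Audit an S3 bucket ACL for grants to the public groups (added example).

Bucket-level READ is what the slides call public LIST; READ_ACP and WRITE_ACP
let the grantee read or rewrite the ACL itself. Input is the dict returned by
boto3's s3.get_bucket_acl(); SAMPLE_ACL is a constructed stand-in.
"""
from typing import Dict, List

# Group URIs AWS uses for "anyone on the internet" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
ACL_PERMISSIONS = ["READ", "WRITE", "READ_ACP", "WRITE_ACP"]  # FULL_CONTROL = all four
# Worst first: WRITE_ACP lets the grantee give themselves everything else.
SEVERITY = {"WRITE_ACP": "critical", "WRITE": "high", "READ_ACP": "medium", "READ": "low"}


def public_grants(acl: dict) -> Dict[str, List[str]]:
    """Map each public group present in the ACL to the permissions it holds."""
    found: Dict[str, List[str]] = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if group is None:
            continue
        perm = grant["Permission"]
        for p in (ACL_PERMISSIONS if perm == "FULL_CONTROL" else [perm]):
            if p not in found.setdefault(group, []):
                found[group].append(p)
    return found


def worst_severity(acl: dict) -> str:
    """Highest severity among public grants; 'none' when nothing is public."""
    levels = {SEVERITY[p] for perms in public_grants(acl).values() for p in perms}
    return next((s for s in ["critical", "high", "medium", "low"] if s in levels), "none")


# Constructed sample: owner keeps full control, anyone can LIST (bucket READ),
# and any AWS account can rewrite the ACL (WRITE_ACP) - the forgotten one.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    for group, perms in public_grants(SAMPLE_ACL).items():
        print(f"{group}: {', '.join(perms)}")
    print("worst severity:", worst_severity(SAMPLE_ACL))  # critical
```

S3 Block Public Access is a separate bucket/account setting that can override these grants, so an ACL finding still needs to be checked against it before being reported.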
MongoDB, Kibana, Jenkins, internal apps, ...
Mistakenly exposed services are far more common than you would think :-)
"We find that not only is secret leakage pervasive – affecting over 100,000 repositories – but that thousands of unique secrets are leaked every day."
"... show that TruffleHog is largely ineffective at detecting secrets, as its algorithm only detected 25.236% of the secrets in our Search dataset and 29.39% in the BigQuery"
(quoted from Meli, McNiece and Reaves, "How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories", NDSS 2019)
A blog post with more of this research will be published on masarik.sh soon.
Read the full thesis on is.muni.cz/th/de05t/master_thesis_final.pdf