AWS S3 Bucket Discovery

AWS S3 is a key-value storage cloud service offered by Amazon. The keys and values (also known as objects) are created within globally unique namespaces called buckets. Each bucket is associated with an access control policy which dictates the rules for reading, writing and listing the bucket contents.

Needless to say, a poorly configured access control policy will allow attackers to read and write objects from a bucket. This attack vector has been well documented for a number of years, although it was only recently that Amazon started paying attention and, as a result, published a new tool to discover poorly configured buckets automatically.

There are plenty of tools which will help you find s3 buckets and some of them are good although they may feel like magic if you don't dig into the code yourself. In this post, I will quickly demonstrate how to build your own tool using the secapps Fuzzer.

The Fuzzer

The secapps.com Fuzzer is a powerful request manipulation fuzzing tool which I find myself using on a daily basis. It helps me with not only discovering vulnerabilities in a targeted application but also doing Internet-wide research, which is something I will demonstrate some other time.

To get started with the Fuzzer, just open the tool from your launchpad. You can also explore the built-in documentation to get a feel for how to use it. Don't worry, everything will be explained in this post.

secapps market launchpad

The Setup

Before we proceed to configure the Fuzzer, let's have a quick discussion on what we are actually building here. As we mentioned earlier, s3 buckets are globally unique. This means that with the help of a good dictionary we can find a pretty good amount of them by brute force. The s3 bucket URL looks like this: https://<bucket name>.s3.amazonaws.com. All we have to do is to substitute the <bucket name> placeholder with a word and check the service response for clues.

A common words dictionary will serve us well but it is a bit too wide for my liking. In the majority of cases, you will be targeting a specific organisation and as such a common words dictionary will not produce interesting results. We need to build a different dictionary, perhaps one that contains different word combinations such as <org name>-<word> or <org name>.<word> and so on. This dictionary can be generated offline using standard Unix utilities, but if we build it inside the fuzz configuration then we can also make it more customisable and reusable in other tasks.

Step 1

Open the Fuzzer and navigate to the variables tab. This is where we will build our tool using various reusable parts. In practice, we can build everything in the URL but that will make it a lot harder to play around with.

First, let's create some basic variables. The first variable is called sep, for separators. The content of this variable is a list which contains values such as -, ', etc.

We also need a second variable called dict for a dictionary. This variable contains a dictionary item. Select it from the drop-down menu. In this particular case, we will use the common.txt dictionary from dirbuster-ng.

Last but not least, we need a simple list where we will keep all target names. For example, if we are targeting Acme Inc the list will be acme, acmeinc, acmeorg, etc. This will help us to widen the search a bit for better coverage.

all base variables configured

Step 2

Now that we have all base variables we will build up all test phases, which are also variables. For example, we want to try one phase that just tests for the target name and another that combines the dictionary, separator and target name, etc.

In this example, we need 3 phases. Phase 1 is for the target name only. Phase 2 is for <dict><sep><target_names>. And Phase 3 is for <target_names><sep><dict>. Of course we can get as creative as required.

all phase variables configured

Step 3

Now that we have all phases laid out we need to combine them into the final variable. Let's call it bucket and create a list. This list includes all phase variables, each on a new line. Each variable will be progressively expanded as we iterate over the variable.

the bucket variable configured

Step 4

We are almost done. The last thing to do is to put the bucket variable in the URL. Remember that the URL syntax is https://<bucket name>.s3.amazonaws.com. Simply replace <bucket name> with our bucket variable.

bucket variable usage

And now we are done. We can easily reconfigure our fuzzer by changing the dictionary, the separators or the target names and execute the fuzz over and over again until satisfied. Make sure that the permutate attack technique is selected and press the play button. You can also save your custom tool using the fiddles feature.
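The three phases from Step 2 can be reproduced offline so that a bucket owner can see how many candidates this setup yields and which of their own bucket names it would reach. This is an added example, not code from the original post or from secapps; the word lists, the inventory and the function names are constructed for illustration, and the script sends no requests.

```python
import itertools
import re

# Constructed stand-ins for the three base variables from Step 1.
SEP = ["-", "."]
DICT = ["backup", "dev", "logs", "static"]   # small stand-in for common.txt
TARGET_NAMES = ["acme", "acmeinc", "acmeorg"]

# Simplified S3 naming check: 3-63 characters, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
VALID = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def candidates(targets, words, seps):
    """Yield names in phase order, as the bucket variable would expand."""
    yield from targets                                    # Phase 1: target only
    for w, s, t in itertools.product(words, seps, targets):
        yield f"{w}{s}{t}"                                # Phase 2: dict+sep+target
    for t, s, w in itertools.product(targets, seps, words):
        yield f"{t}{s}{w}"                                # Phase 3: target+sep+dict


def search_space(targets, words, seps):
    """Number of requests a full permutation run would make."""
    return len(targets) * (1 + 2 * len(words) * len(seps))


def guessable(inventory, targets, words, seps):
    """Return the inventory names that fall inside the candidate space."""
    space = {c for c in candidates(targets, words, seps) if VALID.match(c)}
    return sorted(set(inventory) & space)


if __name__ == "__main__":
    # Constructed inventory of an organisation's own buckets.
    own = ["acme-backup", "logs.acmeinc", "acme-7f3c9e1b-artifacts"]
    print(search_space(TARGET_NAMES, DICT, SEP), "candidates")
    print("guessable:", guessable(own, TARGET_NAMES, DICT, SEP))
```

Names that carry a random component, such as the third entry in the constructed inventory, fall outside the permutation space regardless of the dictionary size.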

Conclusion

As you can see, it is relatively straightforward to build a general-purpose web security tool using the secapps Fuzzer. I have also made a quick video demonstrating all of the steps that we have covered above.

Video: https://www.youtube.com/embed/1fI44hIt3Pg?rel=0

Let us know if you build your own tools.