Open S3 Buckets Through Reconnaissance

Facundo Fernandez
3 min read · Aug 14, 2024


As I was doing recon on a target, I found a few S3 buckets. The purpose of this article is to show what I did and what you should do when you find an S3 bucket.

Initial Access Attempt

C:\Users\1>aws s3 ls s3://-------------prod --recursive

That is the classic way to list the contents of an S3 bucket; however, that did not work. I got the classic:

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

This error indicated that access was restricted and I was unable to view the bucket’s contents using the default AWS CLI configuration.

Success with --no-sign-request

C:\Users\1>aws s3 --no-sign-request ls s3://-------------prod --recursive

This command allowed me to successfully list the contents of the bucket, revealing several files.
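From the bucket owner's side, an unsigned request succeeds only when the bucket grants access to the anonymous principal, for example through a bucket policy with `Principal: "*"`. The following is an added example, not code from the original post, that audits a policy document for such grants; the bucket name `example-prod`, the account ID, the role name and both policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions an anonymous caller needs to enumerate or download bucket contents.
TARGETS = ("s3:listbucket", "s3:getobject")

def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, which includes unsigned requests."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def anonymous_grants(policy_json):
    """Return (sid, action, resource) for every unconditioned Allow to everyone.

    Statements with a Condition, NotPrincipal or NotAction need manual review
    and are not flagged here.
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain * wildcards.
            if any(fnmatchcase(t, action.lower()) for t in TARGETS):
                for res in _as_list(stmt.get("Resource", [])):
                    findings.append((stmt.get("Sid", f"statement-{i}"), action, res))
    return findings

# Constructed policies for a hypothetical bucket "example-prod".
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-prod"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-prod/*"}]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-prod", "arn:aws:s3:::example-prod/*"]}]})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, anonymous_grants(doc))
```

Bucket ACL grants to the AllUsers group and the S3 Block Public Access settings also affect anonymous access and are not covered by this check.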

Effective Dorking for Open S3 Buckets

In addition to direct bucket inspection, using dorking techniques can help locate exposed S3 buckets. Here’s a useful dork for finding potential S3 bucket exposures:

site:indeed.com ("s3 bucket" OR "bucket-name" OR "s3.amazonaws.com" OR "s3-us-west-2.amazonaws.com" OR "s3.amazonaws.com/bucket-name" OR "s3.amazonaws.com/bucket/" OR "s3.amazonaws.com/bucket?prefix=" OR "s3.amazonaws.com/bucket-name/")

This query targets pages that mention S3 buckets or contain patterns indicative of S3 resources. By analyzing search results, you can identify URLs that may point to open buckets.

What to Do When You Find an Open S3 Bucket

Finding an open S3 bucket can present both opportunities and challenges from a security perspective. Here’s a guide on what to do next:

1. Assess the Scope and Content

  • Explore Bucket Contents: Use tools like AWS CLI or other S3 browsers to list and review the files within the bucket. Check for sensitive or valuable data, such as personal information (PII), financial records, or proprietary documents.
  • Determine Access Level: Evaluate whether the bucket is fully open or if there are certain restrictions. Check if files are publicly accessible or if additional permissions are required.

2. Verify Sensitivity

  • Check Data Sensitivity: Identify if the exposed data is confidential or could be used for malicious purposes. Sensitive data could include authentication tokens, user credentials, or proprietary business information.
  • Consider Impact: Assess the potential impact of exposing this data. Determine if it could lead to security breaches, data leaks, or privacy violations.

3. Document Your Findings

  • Detailed Reporting: Document the findings, including bucket name, content overview, and access level. Take screenshots or logs of the exposed data and any interactions with the bucket.
  • Reproduce Steps: Include detailed steps on how you discovered and accessed the bucket. This helps in validating the vulnerability and provides a clear picture of the issue.

4. Responsible Disclosure

  • Notify the Owner: Reach out to the owner or administrator of the bucket to inform them of the exposure. Provide them with enough detail to understand the issue and take corrective actions.
  • Follow Up: Ensure that the bucket’s security is improved and that any exposed data is secured or removed. Confirm that the issue has been addressed and resolved.

5. Stay Ethical and Legal

  • Adhere to Guidelines: Follow ethical guidelines and legal standards when handling discovered vulnerabilities. Avoid using or exploiting the exposed data for any malicious purposes. Don’t be an idiot. Stay Ethical.
  • Report to Platforms: If applicable, report the issue to bug bounty programs or relevant platforms to receive recognition and assist in improving overall security.

Remember: Don’t be an idiot. Stay Ethical.
