Feb 22, 2019

Subdomain Misconfiguration lead to AWS S3 Buckets Reader


Bug Type : Subdomain misconfiguration
Program : Private on HackerOne
Severity : P2 ( High
Bounty : 600$ + 200$ Bouns
Subdomain : images.example.com

How I found this Bug 
it was simple When I go direct to https://images.example.com I found it redirect to https://aws.amazon.com/s3/

So now I started to found the cname and it was
images.example.com  >  s3.amazon.com

Here was the bug I saw many companies use the same error 
Developers must add a white s3 Buckets list 

So now I can call any bucket on images.example.com

example : images.example.com/haron-bucket/

Steps to find This error very simple
 if the subdomain has this alias s3.amazonaws.com 
Try to add your bucket directly to subdomain 
example : subdomain.site.com/yourbucket/yourfile.html
if it run this is vulnerable if not so this mean developers added a white buckets list


Please see this Write Up for create your Bucket 


Share This
Previous Post
Next Post

Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student

1 comment: