At the end of this presentation, the audience will be familiar with the following topics:
1. Introduction to AWS
2. Accessing AWS via the CLI
3. Launching and logging into an EC2 instance
4. Creating an S3 bucket and uploading an image
5. Security misconfigurations in S3 buckets
6. Subdomain takeover via S3 buckets
7. Hardcoded AWS credentials in GitHub
8. Asana AWS credential leak via a pixel flood attack
9. Murder in the cloud - the Code Spaces hack
n|u - The Open security community
Presenter : Vinoth Kumar
Date : 18/03/2017
# About Me
Application security engineer @ Freshdesk
Blogger @ http://www.tutorgeeks.net
Email @ email@example.com
What is AWS
Amazon Web Services (AWS) is a “secure” cloud services platform, offering compute
power, database storage, content delivery and other functionality to help businesses scale.
Getting started with AWS
Create an account in AWS and start playing with their services.
A valid credit card is required for account creation.
No need to build your own infrastructure - cost saved.
No need for more employee resources - cost saved.
Helps in obtaining industry certifications like ISO 27001 with ease - less tension :)
Caveat: AWS's own certifications cover the underlying infrastructure; how you configure your buckets, keys and instances (every case in this talk) remains your responsibility.
Accessing AWS using CLI
The AWS Command Line Interface is a unified tool to manage your AWS services.
Install it with pip (or run python setup.py install from a source checkout):
pip install awscli
Then store a key pair and defaults with aws configure, which prompts for the following:
aws configure
AWS Access Key ID: <access key id>
AWS Secret Access Key: <secret access key>
Default region name [us-west-2]: us-west-2
Default output format [None]: json
Use keys of an IAM user with only the permissions you need, never the root account's keys; aws configure writes them in plaintext to ~/.aws/credentials.
AWS S3 - Internet’s hard drive is down
The AWS S3 service in us-east-1 went down on Feb 28th, 2017. What exactly happened?
Human error - while debugging the billing system, an engineer ran a command meant to remove a small number of S3 servers, but a mistyped input removed a much larger set, including servers supporting the index and placement subsystems, which then had to be fully restarted.
The S3 outage affected other AWS services like ELB, IoT etc. that depend on S3.
EC2 instance IP disclosure
1. Send a GET request to example.com (e.g. through an intercepting proxy).
2. Change the HTTP version from 1.1 to 1.0.
3. Remove the Host header. HTTP/1.0 does not require one (source: The Web Application Hacker's Handbook), so the server can no longer tell which virtual host was meant.
4. Add a traversal-style path ( GET /.. ) and forward the request.
5. Observe the instance IP being disclosed in the Location header of the redirect response.
Why it matters: the disclosed address is the origin behind the load balancer or CDN; with it an attacker may bypass the front end's filtering and rate limits and reach the instance directly.
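The probe above, as an added example that is not part of the original talk: it builds the exact request the steps describe (HTTP/1.0, no Host header, a GET /.. path) and extracts any literal IP from the Location header of the reply. The target name, the sample response and the private 10.x address in it are constructed for illustration; only probe() touches the network.

```python
import ipaddress
import re
import socket


def build_probe(path="/..", version="HTTP/1.0"):
    """Raw request for the disclosure check: HTTP/1.0 with no Host header
    and a traversal-style path, as bytes ready to write to a socket."""
    return f"GET {path} {version}\r\n\r\n".encode("ascii")


_LOCATION = re.compile(r"^Location:\s*(?P<url>\S+)", re.IGNORECASE | re.MULTILINE)
_HOSTPART = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.IGNORECASE)


def disclosed_ip(raw_response):
    """Return the IP address named in the Location header, or None when the
    header is absent or points at a hostname rather than a literal IP."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    m = _LOCATION.search(head)
    if not m:
        return None
    h = _HOSTPART.match(m.group("url"))
    if not h:
        return None
    try:
        return ipaddress.ip_address(h.group("host"))
    except ValueError:
        return None  # a hostname, not an address


def classify(ip):
    """Describe what was leaked: internal network layout or the public origin."""
    if ip is None:
        return "no IP disclosed"
    if ip.is_private:
        return "private address (internal network layout leaked)"
    return "public address (origin IP behind the front end leaked)"


def probe(host, port=80, timeout=5):
    """Send the probe to a live target (network access needed; not used in tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return disclosed_ip(b"".join(chunks))


# Constructed response modelled on the behaviour the steps describe (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://10.0.12.34/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    ip = disclosed_ip(SAMPLE_RESPONSE)
    print(build_probe().decode(), ip, classify(ip))
```

Run probe("example.com") to test a real host; compare the address against the one the public DNS record returns to see whether the front end has been bypassed.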
S3 bucket misconfiguration
Vulnerability: write access granted to the “Any Authenticated AWS User” group.
“Authenticated” here means any AWS account in the world, not just users of your own account, so in practice the bucket is writable by anyone willing to sign up for AWS.
Vinoth:~ vinoth$ aws s3 mv malicious.bat s3://bucketname
move: ./malicious.bat to s3://bucketname/malicious.bat
(aws s3 cp performs the same test without deleting the local file.)
The issue has been reported and it is fixed:
Vinoth:~ vinoth$ aws s3 mv demo.txt s3://bucketname
move failed: ./demo.txt to s3://bucketname/demo.txt An error occurred (AccessDenied) when calling the PutObject
operation: Access Denied
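A check for this misconfiguration, as an added example rather than code from the talk: it walks a bucket ACL in the shape boto3's s3.get_bucket_acl returns and flags grants to the two global groups, AllUsers and AuthenticatedUsers. The group URIs are S3's real ones; the ACL document and the owner ID in it are constructed for illustration, and fetch_acl() is the only part that needs credentials.

```python
import json

# Canned ACL group URIs S3 uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let an outsider change the bucket contents or its ACL.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_open_grants(acl):
    """Return (group label, permission, severity) for every grant to a global
    group. `acl` is a dict with the Owner/Grants keys of get_bucket_acl."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are account-specific
        uri = grantee.get("URI", "")
        perm = grant.get("Permission", "")
        if uri == ALL_USERS:
            label = "AllUsers (anyone on the internet, no AWS account needed)"
        elif uri == AUTHENTICATED_USERS:
            label = "AuthenticatedUsers (any AWS account in the world, not just yours)"
        else:
            continue  # e.g. the s3/LogDelivery service group is not a global group
        if perm in WRITE_LIKE:
            severity = "critical"
        elif perm == "READ":
            severity = "high"  # anyone can list the bucket
        else:
            severity = "medium"  # READ_ACP: leaks the permission layout
        findings.append((label, perm, severity))
    return findings


def is_world_writable(acl):
    return any(perm in WRITE_LIKE for _, perm, _ in find_open_grants(acl))


def fetch_acl(bucket):
    """Live lookup with boto3 (needs credentials; not used in the tests)."""
    import boto3
    return boto3.client("s3").get_bucket_acl(Bucket=bucket)


# Constructed ACL in the get_bucket_acl shape: owner plus the bad grant from the slide.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "1234567890abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "1234567890abcdef"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"}
  ]
}""")

if __name__ == "__main__":
    for label, perm, severity in find_open_grants(SAMPLE_ACL):
        print(f"[{severity}] {perm} granted to {label}")
```

To remove such grants, aws s3api put-bucket-acl --bucket bucketname --acl private resets the ACL to owner-only; re-run the check afterwards, and remember that a bucket policy can open the bucket just as widely even when the ACL is clean.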
S3 bucket - subdomain takeover
Enumerate the subdomains; a single command is enough to start - knockpy example.com
Keep an eye out for the following error while visiting the subdomains - “NoSuchBucket” /
“The specified bucket does not exist”
Investigate the subdomain - dig / nslookup subdomain.example.com
subdomain.example.com CNAME “bucketname.s3.amazonaws.com”
Bucket names are global across all AWS accounts, so create a bucket with exactly that name in your own account (in the region the CNAME target names, if it names one), enable static website hosting and upload your takeover page.
Now “subdomain.example.com” will serve your hosted page.
Fix: remove the CNAME record before deleting the bucket, and audit DNS for records that point at buckets you no longer own.
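A detector for the dangling-CNAME condition above, added here as an example and not part of the talk: it recognises the S3 hostname forms a CNAME can point at, parses S3's XML error document, and reports a candidate only when DNS still points at S3 but S3 answers NoSuchBucket. The hostnames, the bucket name and the error body are constructed for illustration; fetch_body() is the only function that goes online, and the CNAME itself still comes from dig/nslookup as on the slide.

```python
import re
import xml.etree.ElementTree as ET

# CNAME targets that hand the hostname to S3:
#   bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
#   bucket.s3-website-<region>.amazonaws.com
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def s3_bucket_from_cname(target):
    """Bucket name implied by a CNAME target, or None if it is not an S3 host."""
    m = S3_TARGET.match(target.strip())
    return m.group("bucket") if m else None


def s3_error(body):
    """Parse an S3 XML error document; return (Code, BucketName) or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "Error":
        return None
    code = root.findtext("Code")
    return (code, root.findtext("BucketName")) if code else None


def takeover_candidate(hostname, cname_target, http_body):
    """Dangling S3 CNAME: DNS points at S3, S3 says the bucket does not exist."""
    bucket = s3_bucket_from_cname(cname_target)
    if bucket is None:
        return None
    err = s3_error(http_body)
    if err is None or err[0] != "NoSuchBucket":
        return None  # AccessDenied etc. means someone still owns the bucket
    return {"hostname": hostname, "bucket": err[1] or bucket, "cname": cname_target}


def fetch_body(hostname):
    """Live fetch of the front page (network access needed; not used in tests).
    S3 returns its XML error with a 404, so the error body is read from the exception."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(f"http://{hostname}/", timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        return exc.read()


# Constructed inputs: a website-endpoint CNAME and the NoSuchBucket document S3 would return.
SAMPLE_CNAME = "old-assets-bucket.s3-website-us-east-1.amazonaws.com"
SAMPLE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<Error><Code>NoSuchBucket</Code>"
    b"<Message>The specified bucket does not exist</Message>"
    b"<BucketName>old-assets-bucket</BucketName>"
    b"<RequestId>0000000000000000</RequestId><HostId>constructed</HostId></Error>"
)

if __name__ == "__main__":
    print(takeover_candidate("static.example.com", SAMPLE_CNAME, SAMPLE_BODY))
```

The region in a website-endpoint target (us-east-1 in the constructed sample) is where the replacement bucket has to be created for the takeover to work; the plain bucket.s3.amazonaws.com form does not pin one.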
Asana - AWS key disclosure
Uploaded a 65000x65000 pixel image as the profile picture.
The S3 bucket couldn't accommodate the huge pixel image.
The resulting error message was returned to the user along with the AWS Access Key ID and Secret Access Key.
Two failures stacked up: no limit on image dimensions before processing, and a raw backend error (carrying the credentials used for the request) passed straight through to the user.
Bounty awarded: 500 USD
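A pre-decode dimension check, added here as a generic example and not Asana's fix or code from the talk: it reads width and height from the PNG IHDR chunk, verifies the chunk CRC, and rejects the upload before any library tries to allocate the full bitmap (65000x65000 pixels at 4 bytes each is roughly 16.9 GB). The pixel budget is a hypothetical value, and make_png_header() builds constructed headers for testing; the rejection message deliberately carries nothing about the backend.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 50_000_000  # hypothetical budget (~50 megapixels); tune per service


def png_dimensions(data):
    """Width/height from the IHDR chunk, without decoding the image.
    Layout: 8-byte signature, 4-byte length, 4-byte type, 13-byte IHDR data, 4-byte CRC."""
    if len(data) < 33 or data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("malformed IHDR")
    width, height = struct.unpack(">II", data[16:24])
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:  # CRC covers type + data
        raise ValueError("IHDR CRC mismatch")
    return width, height


def accept_upload(data, max_pixels=MAX_PIXELS):
    """(accepted, message) for an upload; the message is safe to show to the user."""
    try:
        width, height = png_dimensions(data)
    except ValueError:
        return False, "rejected: not a valid PNG"
    if width == 0 or height == 0 or width * height > max_pixels:
        return False, f"rejected: {width}x{height} exceeds the allowed image size"
    return True, f"ok: {width}x{height}"


def make_png_header(width, height):
    """Constructed PNG signature + IHDR chunk for testing (no image data follows)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA, no interlace
    chunk = b"IHDR" + ihdr
    return PNG_SIG + struct.pack(">I", len(ihdr)) + chunk + struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(accept_upload(make_png_header(640, 480)))
    print(accept_upload(make_png_header(65000, 65000)))
```

The same idea applies to JPEG (read the SOF marker) and other formats; the point is to decide on header metadata alone and to keep whatever the storage or image backend says out of the user-facing message.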
AWS keys exposed
Developers by mistake hardcode their AWS credentials in code pushed to GitHub.
Once a key is pushed it stays in the repository history even after the commit is reverted, so treat it as compromised: deactivate and rotate it first, then scan the history.
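A scanner for hardcoded AWS credentials, added here as an example and not code from the talk: access key IDs have a fixed shape (AKIA or ASIA plus 16 upper-case alphanumerics), while the 40-character secret is only flagged on lines that mention a secret, to keep hashes and base64 blobs out of the results. The sample file, its key ID and its secret are constructed for illustration and are not real credentials.

```python
import os
import re

ACCESS_KEY = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_LINE = re.compile(r"(?i)secret")
SECRET_VALUE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def mask(value):
    """Keep enough of a secret to identify it, never the whole thing."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, path="<stdin>"):
    """Return a list of findings, one dict per suspected credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY.finditer(line):
            hits.append({"path": path, "line": lineno, "kind": "access_key_id", "value": m.group()})
        if SECRET_LINE.search(line):
            for m in SECRET_VALUE.finditer(line):
                hits.append({"path": path, "line": lineno, "kind": "secret_access_key",
                             "value": mask(m.group())})
    return hits


def scan_tree(root, skip_dirs=(".git", "node_modules", "venv")):
    """Scan every readable text file under root (working tree only; commit history
    needs a separate pass over git log -p or a dedicated history scanner)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return hits


# Constructed sample file; the key ID and secret are made up and match no real account.
SAMPLE_FILE = """\
# config.py (constructed sample, not a real repository)
AWS_ACCESS_KEY_ID = "AKIAJ3Z7Q2WXYZ1234AB"
AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
session_token = "FwoGZXIvYXdzEBYaDK"  # too short to be a secret key, not flagged
image_hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_FILE, "config.py"):
        print(f"{hit['path']}:{hit['line']}: {hit['kind']} {hit['value']}")
```

When the scanner finds a live key, aws iam update-access-key --access-key-id AKIA... --status Inactive disables it immediately and aws iam delete-access-key removes it once the application has been moved to a fresh key; rewriting git history is the last step, not the first.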
Murder in the cloud
Code Spaces - the AWS root credentials (the control panel login) were compromised.
The attacker asked for a ransom - Code Spaces refused and tried to regain control of the panel.
The attacker, who had already created extra logins, responded by deleting most of their AWS resources: instances, EBS snapshots, S3 buckets and AMIs.
Unfortunately, their backups were also stored in the same AWS account.
Code Spaces shut down completely. There was no means of retrieving the data.
Key takeaways: keep offsite backups under separate credentials (another account or provider), enable MFA on the root account, and don't use root for day-to-day work.
Resources for Learning AWS Security
https://aws.amazon.com/blogs/security/ - Official AWS security blog.
http://flaws.cloud - CTF Challenge to learn AWS security.