virtuesecurity / aws-extender

AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.

License: MIT License

Python 99.03% HTML 0.01% CSS 0.77% TeX 0.02% JavaScript 0.18%

aws-extender's Introduction

AWS Extender

This Burp Suite extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.

How to install

You can install this extension directly from the BApp Store or manually by cloning this repo and following these steps:

  1. Open the Burp Suite Extender tab.
  2. Open the "Options" subtab.
  3. Set the "Folder for loading modules" setting to the pathname of the "BappModules" folder.
  4. Open the "Extensions" subtab.
  5. Click "Add" and set "Extension type" to "Python".
  6. Set "Extension file (.py)" to the pathname of the "main.py" file and click Next.

Extension Settings

The settings tab provides the following settings:

Settings Tab

Below is a description of each:

Setting            | Description                              | Required
AWS Access Key     | Your AWS account access key ID           | True*
AWS Secret Key     | Your AWS account secret key              | True*
AWS Session Key    | A temporary session token                | False
GS Access Key      | Your Google account access key ID        | True*
GS Secret Key      | Your Google account secret key           | True*
Wordlist Filepath  | A filepath for a wordlist of filenames   | False
Passive Mode       | Perform passive checks only              | N/A
SSL Verification   | Enable/disable SSL verification          | N/A

Notes:

  • AWS keys can be obtained from your AWS Management Console. For Google Cloud, see the documentation. Note that AWS/GS keys are only required for authenticated tests; if no keys are provided, only unauthenticated tests will run.

  • When SSL verification is enabled, buckets with a dot in their name will not be thoroughly tested due to SSL verification errors in boto (see: /boto/boto/issues/2836). You can either disable SSL Verification to test these (not recommended) or use this command-line script to test such buckets (/VirtueSecurity/aws-extender-cli).

  • It might be advisable to enable the "Passive Mode" option when testing on production environments in order to avoid any potentially disruptive bucket misconfiguration checks (see: #4).

Screenshots

S3 Bucket Misconfiguration

S3 Signed URL Excessive Expiration Time

GS Bucket Misconfiguration

Disclaimer:

Developers assume no liability and are not responsible for any misuse or damage caused by this tool. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.


aws-extender's Issues

show one issue

Hi Guys,

I've noticed that it shows the same bucket it's found a few times.

Is it possible to have it list each unique bucket name and then inside the advisory the list of the URL of where it found the s3 bucket referenced?

Improve S3 buckets detection

Hey,

I have the current test file, attached.
index_nosecrets.txt

flaws.cloud.s3.amazonaws.com indicates that this might be a bucket, but doing
aws s3 ls s3://flaws.cloud.s3.amazonaws.com returns no such bucket.

However, doing:
aws s3 ls s3://flaws.cloud successfully connects to it:
2017-03-14 03:00:38       2575 hint1.html
2017-03-03 04:05:17       1707 hint2.html
2017-03-03 04:05:11       1101 hint3.html
2018-07-10 17:47:16       3082 index.html
2018-07-10 17:47:16      15979 logo.png
2017-02-27 01:59:28         46 robots.txt
2017-02-27 01:59:30       1051 secret-dd02c7c.html

My suggestion is to improve this detection, by e.g. making use of Patrick's regexes:
{bucketname}.s3.amazonaws.com
^[a-z0-9\.\-]{0,63}\.?s3.amazonaws\.com$

{bucketname}.s3-website(.|-){region}.amazonaws.com (+ possible China region)
^[a-z0-9.-]{3,63}.s3-website.--\w{2,14}-\d{1,2}.amazonaws.com(.cn)?$

{bucketname}.s3(.|-){region}.amazonaws.com
^[a-z0-9.-]{3,63}.s3.--\w{2,14}-\d{1,2}.amazonaws.com$

{bucketname}.s3.dualstack.{region}.amazonaws.com
^[a-z0-9.-]{3,63}.s3.dualstack.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}.amazonaws.com$

Cheers
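The hostname shapes listed in this issue, together with the one-finding-per-bucket request in the first issue above, as an added Python example (this is not aws-extender's own code): one anchored regular expression covering the plain, s3-website, regional and dualstack virtual-hosted endpoints (including the .cn partition suffix), plus a helper that groups every referencing hostname under its unique bucket name. The regex, the S3Host type and the helper names are this example's own, and the hostnames used in the assertions are constructed.

```python
"""Extract an S3 bucket name (and region) from a virtual-hosted-style hostname.

Added example, not aws-extender's code. It generalises the four hostname
shapes quoted in the issue into a single anchored regex and adds the
per-bucket grouping asked for in the first issue.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit (same character set as the
# regexes quoted in the issue, with the length bounds made explicit).
_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])"
# Region labels such as us-east-1, eu-central-1, ap-northeast-2, cn-north-1.
_REGION = r"(?P<region>[a-z]{2}-[a-z]+-\d{1,2})"

S3_HOST_RE = re.compile(
    r"^" + _BUCKET + r"\."
    r"s3(?P<website>-website)?"                                    # s3 or s3-website
    r"(?:[.\-](?:(?P<dualstack>dualstack)\.)?" + _REGION + r")?"  # .region, -region or .dualstack.region
    r"\.amazonaws\.com(?:\.cn)?\.?$"                               # global or China partition
)


class S3Host(NamedTuple):
    bucket: str
    region: Optional[str]   # None for the legacy global endpoint
    website: bool
    dualstack: bool


def parse_s3_host(host: str) -> Optional[S3Host]:
    """Return the bucket referenced by a virtual-hosted-style S3 hostname, or None.

    The match is case-insensitive by lowercasing first; a trailing dot
    (fully-qualified form from DNS logs) is tolerated.
    """
    m = S3_HOST_RE.match(host.strip().lower())
    if not m:
        return None
    return S3Host(m["bucket"], m["region"],
                  m["website"] is not None, m["dualstack"] is not None)


def dedupe_bucket_refs(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Map each unique bucket name to the hostnames that referenced it.

    This is the shape the first issue asks for: one finding per bucket,
    with the list of locations where it was seen inside the advisory.
    """
    refs: Dict[str, List[str]] = {}
    for h in hosts:
        parsed = parse_s3_host(h)
        if parsed is not None:
            refs.setdefault(parsed.bucket, []).append(h)
    return refs
```

Note that `flaws.cloud.s3.amazonaws.com` yields the bucket `flaws.cloud`, which is exactly the name the `aws s3 ls` command in the issue needed; the region is `None` for that legacy global endpoint, so a consumer should fall back to the bucket's location lookup rather than assume us-east-1.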

cloudfront - Buckets not detected

Hi Guys,

d3e1078hs60k37.cloudfront.net - shows a bucket directory listing for manyvids-site-data

I noticed it was not picked up by the extension. Is it possible to get it to detect this sort of thing?

I am thinking the moment Burp detects

ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>manyvids-site-data</Name>

it should pick up that it's an S3 bucket and test it.

Capture.png

GS (Access/Secret) Keys Required

Hi,

I am curious as to why the Google keys are required to be entered if I only need to test s3 buckets. Please let me know if I am missing something.

Thanks.

[Notification]

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

  • Open source: All information is available and up to date. If any information is missing or deprecated, you are invited to (help us).
  • Practical: Content is categorized and table formatted, allowing you to search, browse, sort and filter.
  • Fast: Uses static and client-side technologies, resulting in fast browsing.
  • Rich tables: search, sort, browse, filter, clear
  • Fancy informational popups
  • Badges / Shields
  • Static API
  • Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

  • Specialized websites: Some websites reference tools but additional information is not available or browsable. Making additional searches takes time.
  • Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
  • Search engines: Search engines sometimes find nothing; some tools or resources are too unknown or non-referenced. This is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this gives visibility to your tool. More and more people are using Rawsec's CyberSecurity Inventory, and this helps them find what they need.

Badges

The badge shows your community that you are inventoried. This also shows you care about your project and want it to grow, and that your tool is not abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

So what?

That's all, this message is just to notify you if you care.

File upload only - down as low severity

Hi Guys,

Found a bucket that it shows will allow uploads, but it is showing as a low severity.

Capture.png

While not being able to list everything, upload is still just as bad, as you can overwrite files and cause mayhem.

Burp 1.7.30 - no longer detecting s3 buckets

Hey guys,

Did the usual upgrade and the plugin does not appear to detect any s3 buckets?

This is on Mac and Windows.

Example after doing an active scan against these buckets.

Capture.png

It still is not flagging in the issues area.

Nothing on my machines has changed, and the keys I am using do work.

It is the same with Azure buckets etc.

Can you please test and confirm?

Feature Request - Subdomain take over / NoSuchBucket

Hey Guys,

I love this plugin, I really, really do.

Would it be possible to add a feature where, if it detects when scanning subdomain.example.com and sees

<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>

it warns that it may be possible to take over the subdomain by creating a bucket with that name?
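The two response-body signatures quoted in this issue and in the CloudFront issue above (a ListBucketResult document and an Error/NoSuchBucket document), as an added Python example that is not part of aws-extender: a passive classifier that parses the body and labels it as a public listing, a dangling bucket reference, or some other S3 error. The sample bodies and bucket names are constructed for this example, and the function and key names are this example's own. From the defender's side, a listing behind a CDN hostname means the origin bucket allows anonymous ListObjects (fix the bucket policy or enable Block Public Access), and NoSuchBucket behind one of your own CNAMEs means the DNS record should be removed, or the bucket recreated under your own account, before anyone else registers that name.

```python
"""Passive classification of S3-shaped HTTP response bodies.

Added example, not aws-extender's code. Recognises the two body shapes
quoted in the issues: a ListBucketResult listing (served directly or via
a CDN) and an <Error><Code>NoSuchBucket</Code> document.
"""
import xml.etree.ElementTree as ET
from typing import Optional

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample bodies; bucket names are made up for this example.
LISTING_BODY = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-site-data</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>index.html</Key><Size>3082</Size></Contents>
  <Contents><Key>backups/db.sql</Key><Size>15979</Size></Contents>
</ListBucketResult>"""

NO_SUCH_BUCKET_BODY = """<Error>
  <Code>NoSuchBucket</Code>
  <Message>The specified bucket does not exist</Message>
  <BucketName>assets.example.com</BucketName>
</Error>"""


def _local(tag: str) -> str:
    """'{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    """Text of a direct child, whether or not the S3 namespace is present."""
    child = elem.find(S3_NS + name)
    if child is None:
        child = elem.find(name)
    return child.text if child is not None else None


def classify_s3_body(body: str) -> Optional[dict]:
    """Classify an HTTP response body. Returns a finding dict or None.

    kinds: 'public_listing'  -> anonymous ListObjects succeeded on the origin bucket
           'dangling_bucket' -> the hostname points at S3 but the bucket does not exist
           's3_error'        -> any other S3 error document (e.g. AccessDenied)
    Non-XML and truncated bodies return None rather than raising.
    """
    text = body.lstrip()
    if not text.startswith("<"):
        return None
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    tag = _local(root.tag)
    if tag == "ListBucketResult":
        contents = root.findall(S3_NS + "Contents") or root.findall("Contents")
        return {"kind": "public_listing",
                "bucket": _child_text(root, "Name"),
                "objects": len(contents)}
    if tag == "Error":
        code = _child_text(root, "Code")
        kind = "dangling_bucket" if code == "NoSuchBucket" else "s3_error"
        return {"kind": kind, "code": code,
                "bucket": _child_text(root, "BucketName"),
                "message": _child_text(root, "Message")}
    return None
```

Only the root element decides the classification, so an HTML page that merely mentions "ListBucketResult" in its text is not flagged. If this were run over untrusted bodies at scale, parsing with defusedxml instead of the standard library parser is the safer choice against crafted XML.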

a lot of errors in Errors tab

at boto3.s3.transfer$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/s3/transfer.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.imp.createFromCode(imp.java:436)
at org.python.core.imp.createFromPyClass(imp.java:236)
at org.python.core.imp.createFromPyClass(imp.java:205)
at org.python.core.imp.loadFromSource(imp.java:651)
at org.python.core.imp.find_module(imp.java:543)
at org.python.core.PyModule.impAttr(PyModule.java:106)
at org.python.core.imp.import_next(imp.java:842)
at org.python.core.imp.import_logic(imp.java:904)
at org.python.core.imp.import_module_level(imp.java:978)
at org.python.core.imp.importName(imp.java:1062)
at org.python.core.ImportFunction.__call__(__builtin__.java:1280)
at org.python.core.PyObject.__call__(PyObject.java:431)
at org.python.core.__builtin__.__import__(__builtin__.java:1232)
at org.python.core.imp.importFromAs(imp.java:1156)
at org.python.core.imp.importFrom(imp.java:1132)
at boto3.s3.inject$py.f$0(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/s3/inject.py:615)
at boto3.s3.inject$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/s3/inject.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.imp.createFromCode(imp.java:436)
at org.python.core.imp.createFromPyClass(imp.java:236)
at org.python.core.imp.createFromPyClass(imp.java:205)
at org.python.core.imp.loadFromSource(imp.java:651)
at org.python.core.imp.find_module(imp.java:543)
at org.python.core.PyModule.impAttr(PyModule.java:106)
at org.python.core.imp.import_next(imp.java:842)
at org.python.core.imp.import_logic(imp.java:904)
at org.python.core.imp.import_module_level(imp.java:978)
at org.python.core.imp.importName(imp.java:1062)
at org.python.core.ImportFunction.__call__(__builtin__.java:1280)
at org.python.core.PyObject.__call__(PyObject.java:461)
at org.python.core.PyObject.__call__(PyObject.java:465)
at boto3.utils$py.import_module$2(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/utils.py:53)
at boto3.utils$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/utils.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:138)
at org.python.core.PyFunction.__call__(PyFunction.java:413)
at boto3.utils$py._handler$4(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/utils.py:63)
at boto3.utils$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/utils.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyFunction.function___call__(PyFunction.java:471)
at org.python.core.PyFunction.__call__(PyFunction.java:466)
at org.python.core.PyFunction.__call__(PyFunction.java:461)
at org.python.core.PyObject._callextra(PyObject.java:601)
at botocore.hooks$py._emit$15(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/hooks.py:214)
at botocore.hooks$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/hooks.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:161)
at org.python.core.PyFunction.__call__(PyFunction.java:434)
at org.python.core.PyMethod.__call__(PyMethod.java:156)
at botocore.hooks$py.emit$16(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/hooks.py:227)
at botocore.hooks$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/hooks.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at botocore.client$py._create_client_class$5(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/client.py:95)
at botocore.client$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/client.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:170)
at org.python.core.PyFunction.__call__(PyFunction.java:434)
at org.python.core.PyMethod.__call__(PyMethod.java:156)
at botocore.client$py.create_client$3(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/client.py:79)
at botocore.client$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/client.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at botocore.session$py.create_client$46(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/session.py:862)
at botocore.session$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/botocore/session.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at boto3.session$py.client$14(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/session.py:258)
at boto3.session$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/session.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:223)
at org.python.core.PyObject._callextra(PyObject.java:601)
at boto3$py.client$4(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/__init__.py:83)
at boto3$py.call_function(/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/boto3/__init__.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyFunction.function___call__(PyFunction.java:471)
at org.python.core.PyFunction.__call__(PyFunction.java:466)
at org.python.pycode._pyx5.__init__$19(/Users/[REDACTED]/Documents/aws-extender/aws_extender.py:325)
at org.python.pycode._pyx5.call_function(/Users/[REDACTED]/Documents/aws-extender/aws_extender.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:223)
at org.python.core.Deriveds.dispatch__init__(Deriveds.java:19)
at org.python.core.PyObjectDerived.dispatch__init__(PyObjectDerived.java:1112)
at org.python.core.PyType.type___call__(PyType.java:1713)
at org.python.core.PyType.__call__(PyType.java:1696)
at org.python.core.PyObject.__call__(PyObject.java:496)
at org.python.core.PyObject.__call__(PyObject.java:500)
at org.python.pycode._pyx5.doPassiveScan$15(/Users/[REDACTED]/Documents/aws-extender/aws_extender.py:263)
at org.python.pycode._pyx5.call_function(/Users/[REDACTED]/Documents/aws-extender/aws_extender.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:218)
at org.python.core.PyMethod.__call__(PyMethod.java:213)
at org.python.core.PyObject._jcallexc(PyObject.java:3626)
at org.python.core.PyObject._jcall(PyObject.java:3658)
at org.python.proxies.__main__$BurpExtender$8.doPassiveScan(Unknown Source)
at burp.k3c.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)

Bucket modifications not removed

All of the write permission checks modify the bucket and do not unmodify it. This results in many bucket configurations being changed and overwritten. This makes this extension unusable as it will destroy any buckets scanned that have public write permissions.

self.boto3_client.put_bucket_cors(
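A snapshot-and-restore pattern for the mutating write checks this issue describes, as an added Python example (not aws-extender's code): the existing CORS configuration is read before the probe write and put back in a finally block, or deleted when the bucket had none, so the bucket is left as it was found. The helper only assumes boto3's get_bucket_cors / put_bucket_cors / delete_bucket_cors method names and ClientError's `.response["Error"]["Code"]` layout; FakeS3Client and FakeClientError are constructed stand-ins so the module runs offline, and PROBE_CORS is a hypothetical probe payload.

```python
"""Snapshot-and-restore wrapper around a mutating S3 permission probe.

Added example, not aws-extender's code. The issue reports that the write
checks leave their test configuration behind; this version refuses to
probe what it cannot restore and undoes only what it actually changed.
"""
import copy

# Hypothetical probe payload: harmless on its own, but still a write.
PROBE_CORS = {"CORSRules": [{"AllowedMethods": ["GET"],
                              "AllowedOrigins": ["https://probe.invalid"]}]}


def _error_code(exc):
    """Service error code from a boto3-style ClientError (or a look-alike)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def check_cors_writable(client, bucket):
    """Return True if put_bucket_cors succeeds, leaving the bucket as found.

    If the current configuration cannot be read, the exception propagates:
    a probe whose effect cannot be reverted must not run at all.
    """
    try:
        original = {"CORSRules": client.get_bucket_cors(Bucket=bucket)["CORSRules"]}
    except Exception as exc:
        if _error_code(exc) != "NoSuchCORSConfiguration":
            raise
        original = None   # bucket had no CORS config; restore means delete
    writable = False
    try:
        client.put_bucket_cors(Bucket=bucket, CORSConfiguration=PROBE_CORS)
        writable = True
    except Exception as exc:
        if _error_code(exc) != "AccessDenied":
            raise
    finally:
        if writable:      # only undo what we actually changed
            if original is None:
                client.delete_bucket_cors(Bucket=bucket)
            else:
                client.put_bucket_cors(Bucket=bucket, CORSConfiguration=original)
    return writable


class FakeClientError(Exception):
    """Constructed stand-in mimicking botocore ClientError's .response layout."""
    def __init__(self, code, op):
        super().__init__("%s: %s" % (op, code))
        self.response = {"Error": {"Code": code, "Message": code}}


class FakeS3Client:
    """Constructed in-memory S3 client; `writable` controls whether puts succeed."""
    def __init__(self, writable=True, cors=None):
        self.writable = writable
        self.cors = copy.deepcopy(cors) if cors else {}   # bucket -> CORSConfiguration

    def get_bucket_cors(self, Bucket):
        if Bucket not in self.cors:
            raise FakeClientError("NoSuchCORSConfiguration", "GetBucketCors")
        return copy.deepcopy(self.cors[Bucket])

    def put_bucket_cors(self, Bucket, CORSConfiguration):
        if not self.writable:
            raise FakeClientError("AccessDenied", "PutBucketCors")
        self.cors[Bucket] = copy.deepcopy(CORSConfiguration)

    def delete_bucket_cors(self, Bucket):
        if not self.writable:
            raise FakeClientError("AccessDenied", "DeleteBucketCors")
        self.cors.pop(Bucket, None)
```

Even with the restore, there is a window between the probe write and the restore in which the bucket carries the test configuration, and a crash or network failure inside that window still leaves it behind; every write is also recorded in the account's audit trail. That is why the README's "Passive Mode" remains the right setting for production targets regardless of how carefully the active checks clean up.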

Shows Listable Bucket but access denied

Hi Guys,

I have a bucket that has been listed as being able to read the listings.

Screen_Shot_2017-12-12_at_21.17.13.png

But when I try to list the directory it says access denied.

root@robbie:~# aws s3 ls s3://coursera_assets

A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied

Show Bucket Region

Hi Guys,

In the report, is it possible to show the region the bucket is in? It should be easy to do, as you generally look up the CNAME to find the region.

Blacklist: User input buckets not to show [Feature Request]

Hey Guys,

Sometimes when you are hitting a massive scope test you tend to come up with lots of the same bucket that you might have already reported.

I was thinking of having an option where you could input bucket names and it stops them showing up, so you do not get over excited when you see it flag up a misconfigured bucket and it's one you've already put in your report.

normally you would set a site with the bucket outside your scope but sometimes the bucket is used across multiple targets.
