Info Sec Helper
Aug 25, 2020

Hello all,

I have come to know that many of you are not aware of this vulnerability.

But this vulnerability is quite good for getting a huge amount of bounty.

I am writing this write-up to explain it in detail.

Step-1 :- Find an open S3 bucket of any website.

There are mainly 2 methods to find it:

Method-1 :-

  • Enumerate subdomains using “https://github.com/Parshwa218/Domania”.
  • This tool can enumerate all live subdomains in alphabetical order, and if any open bucket is listed on the server, it will appear in the list of subdomains.

Method-2 :-

  • Use the following tool for advanced enumeration of buckets.
  • “https://digi.ninja/projects/bucket_finder.php”
  • This tool will help you enumerate on an advanced basis.

Step-2 :- Open the bucket URL in your browser and see if any type of security key is leaking.

  • In my case, 2 security authentication keys were leaking.
  • Now, to find out whether this bucket is publicly writable, you have to install the AWS CLI on your system.
  • After the AWS CLI is successfully installed, you have to configure it using the public key that was leaking in the browser.

Step-3 :- Exploitation

  • Now, to exploit it, create a temporary txt file, e.g. test.txt.
  • Try to upload it to the bucket using the following commands:

“aws s3 ls s3://bucket-name”

  • This will list all the public and private objects in the bucket.

“aws s3 mv test.txt s3://bucket-name”

  • This will upload your test.txt file to the bucket.

“aws s3 rm s3://bucket-name/test.txt”

  • This will delete the test.txt file.

That’s how you can exploit the Amazon S3 bucket takeover vulnerability.
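For bucket owners, the same three commands map onto specific grants that can be audited before anyone else finds them. The following is an added example, not code from this write-up or its tools: it takes the parsed JSON from `aws s3api get-bucket-acl` and the parsed Policy document from `aws s3api get-bucket-policy` and reports which of `ls`, `mv` and `rm` are open to the public. The function names and sample data are constructed for illustration, and it assumes Block Public Access is off and ignores Deny statements.

```python
import fnmatch

PUBLIC_GROUPS = {  # ACL grantee URIs that mean "everyone" / "any AWS account"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Bucket-ACL permission -> commands from the write-up it opens up
ACL_EFFECT = {"READ": {"ls"}, "WRITE": {"mv", "rm"},
              "FULL_CONTROL": {"ls", "mv", "rm"}}
# Bucket-policy action -> command from the write-up that needs it
POLICY_EFFECT = {"s3:listbucket": "ls", "s3:putobject": "mv",
                 "s3:deleteobject": "rm"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(acl, policy=None):
    """Return which of ls/mv/rm the ACL or policy allows for the public."""
    exposed = set()
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            exposed |= ACL_EFFECT.get(grant.get("Permission"), set())
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review, not flagged here
        for pattern in _as_list(stmt.get("Action", [])):
            for action, command in POLICY_EFFECT.items():
                if fnmatch.fnmatchcase(action, pattern.lower()):
                    exposed.add(command)
    return exposed

# Constructed sample input in the shape the two aws s3api commands return
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:PutObject", "s3:Delete*"],
    "Resource": "arn:aws:s3:::bucket-name/*"}]}

if __name__ == "__main__":
    print(sorted(public_exposure(SAMPLE_ACL, SAMPLE_POLICY)))
```

An empty result only covers ACL and policy grants; a bucket reached with leaked access keys, as in Step-2, is exposed through those keys regardless.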

References : https://youtu.be/3aycI8vPLEU
