Intigriti - Hack Hub

Misconfigured List Permissions


Last updated 7 months ago


Description:

AWS S3 (Simple Storage Service) buckets are a popular storage service used by software companies and organizations to store public as well as sensitive data.

Because AWS S3 can be used to store sensitive data, AWS lets developers set permissions on individual buckets and objects through bucket policies and Access Control Lists (ACLs).

These permissions are sometimes overly permissive: a bucket that grants s3:ListBucket to everyone lets any unauthenticated user enumerate its object keys, and one that also grants public s3:GetObject lets them download the contents, far more than the owner intended to expose.

Testing:

You can make use of the search syntax supported by major search engines like Google to find AWS S3 buckets belonging to your target company or organization:

site:.s3.amazonaws.com "company"

Bucket names are globally unique, so a name that contains the company name is a hint, not proof of ownership. You can use the official AWS CLI to test for misconfigured list permissions using the s3 subcommand; the --no-sign-request flag sends the request without any credentials, which is exactly what an unauthenticated attacker can do:

$ aws s3 ls s3://{BUCKET_NAME} --no-sign-request

The output of an AWS S3 bucket with misconfigured list permissions (PRE marks a prefix, i.e. a "folder"; the number before the file name is the object size in bytes):

2024-08-31    09:00:00         1337 index.html
                                PRE downloads/
2024-08-31    09:00:00         1337 archive.zip

The output of a secured AWS S3 bucket (the command also exits with a non-zero status):

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

A bucket name that is not registered at all returns a NoSuchBucket error instead of AccessDenied, so a private bucket and a non-existent one are easy to tell apart.

Before reporting a potential security misconfiguration, always verify the owner of the bucket and the impact of the vulnerability! Some AWS S3 buckets are meant to be public (static website hosting, public downloads, open datasets), and a bucket whose name merely contains the company name may not belong to your target at all!
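As an added example (not code from the Misconfig Mapper page or its tool), the following POSIX shell script wraps the check above so you can run it over a list of candidate bucket names and get one verdict per bucket. It assumes the aws CLI is installed; the bucket names you pass are placeholders, and the classification looks only at the CLI's combined output and exit status.

```shell
#!/bin/sh
# Added example, not code from the Misconfig Mapper page or tool.
# Probes candidate bucket names for anonymous listing with the AWS CLI and
# sorts each into LISTABLE / DENIED / NO_SUCH_BUCKET / UNKNOWN.
# Assumes the `aws` CLI is installed; bucket names passed in are placeholders.

# Classify the combined stdout+stderr of `aws s3 ls s3://<bucket> --no-sign-request`
# ($1) together with the command's exit status ($2). Prints one verdict word.
classify_listing() {
    case "$1" in
        *"(AccessDenied)"*|*"(AllAccessDisabled)"*)
            echo DENIED ;;            # bucket exists, anonymous ListObjects refused
        *"(NoSuchBucket)"*)
            echo NO_SUCH_BUCKET ;;    # name is not registered at all
        *)
            if [ "$2" -eq 0 ]; then
                echo LISTABLE         # exit 0 and no error: the listing came back (possibly empty)
            else
                echo UNKNOWN          # e.g. no network, or a redirect to another region
            fi ;;
    esac
}

# Count object entries in a listing, skipping "PRE prefix/" lines and blanks.
count_objects() {
    printf '%s\n' "$1" | grep -v -E '^[[:space:]]*(PRE |$)' | wc -l | tr -d ' '
}

# Run the anonymous listing for one bucket and print a one-line verdict.
probe_bucket() {
    bucket="$1"
    # --no-sign-request: no credentials attached, the same request an outsider can send
    if listing=$(aws s3 ls "s3://$bucket" --no-sign-request 2>&1); then
        rc=0
    else
        rc=$?
    fi
    verdict=$(classify_listing "$listing" "$rc")
    printf '%-40s %s\n' "$bucket" "$verdict"
    if [ "$verdict" = LISTABLE ]; then
        # A listable bucket is not automatically a finding: confirm who owns it and
        # whether the content was meant to be public before reporting.
        printf '    %s object(s) in the top-level listing\n' "$(count_objects "$listing")"
    fi
}

# Usage: sh probe_buckets.sh company-backups company-assets company-prod
for b in "$@"; do
    probe_bucket "$b"
done
```

Run it with the candidate names from your search-engine queries as arguments; LISTABLE buckets still need the ownership and impact check from the paragraph above, and UNKNOWN usually means a regional redirect or a network problem rather than a verdict either way.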

Remediation:

To secure your AWS S3 buckets, sign in to your AWS Management Console and follow the steps below:

  1. Once signed in, navigate to your Amazon S3 dashboard and open the bucket that you'd like to secure or verify access controls for

  2. Open the Permissions tab, and click on Edit under the Block public access (bucket settings) section

  3. Next, verify that all public access is blocked (or ensure only the desired settings are enabled)

  4. Save your changes

  5. Go back to the Permissions tab and scroll down to the Bucket policy section

  6. Ensure that you do not have any unwanted policies listed (in particular, no statement with "Principal": "*" that allows s3:ListBucket or s3:GetObject)

  7. Additionally, verify that Block all public access is enabled (a green checkmark must appear next to it)

Bucket policies and Access Control Lists are evaluated side by side, not one over the other: a public-read ACL on the bucket (or on individual objects) grants access even when the bucket policy says nothing about it, and the Block public access settings are what stop such ACLs from being honoured. Verify the Access control list (ACL) section on the same Permissions tab as well, and consider disabling ACLs entirely (Object Ownership set to Bucket owner enforced) so that the bucket policy is the only place where access is granted.
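The same remediation done with the AWS CLI instead of the console, followed by a verification pass, as an added example that is not part of the Misconfig Mapper page or tool. It assumes the aws CLI is configured with credentials that own the bucket; the bucket name passed in is a placeholder, and the two JSON helpers only inspect the CLI's output.

```shell
#!/bin/sh
# Added example, not code from the Misconfig Mapper page or tool: the console
# steps above done with the AWS CLI, plus a verification pass.
# Assumes the `aws` CLI is configured with credentials that own the bucket;
# the bucket name passed in is a placeholder.

# Return 0 when the JSON from `aws s3api get-public-access-block` ($1) has all
# four Block Public Access flags set to true, 1 otherwise.
public_access_fully_blocked() {
    for flag in BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets; do
        printf '%s' "$1" | grep -q "\"$flag\": true" || return 1
    done
    return 0
}

# Return 0 when the JSON from `aws s3api get-bucket-policy-status` ($1) says the
# bucket policy itself grants public access.
bucket_policy_is_public() {
    printf '%s' "$1" | grep -q '"IsPublic": true'
}

# Apply the remediation: block public access, reset the bucket ACL, disable ACLs.
harden_bucket() {
    bucket="$1"
    # Steps 2 to 4 of the console walkthrough: all four Block Public Access flags
    aws s3api put-public-access-block --bucket "$bucket" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    # Reset the bucket ACL to owner-only first; S3 refuses the Bucket owner enforced
    # setting while the bucket ACL still grants anything to other accounts or groups
    aws s3api put-bucket-acl --bucket "$bucket" --acl private
    # Turn ACLs off altogether so only the bucket policy and IAM grant access
    aws s3api put-bucket-ownership-controls --bucket "$bucket" \
        --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
}

# Verify the result, ending with the same anonymous check an outsider would run.
# Returns non-zero on any gap.
verify_bucket() {
    bucket="$1"
    cfg=$(aws s3api get-public-access-block --bucket "$bucket" --output json)
    if ! public_access_fully_blocked "$cfg"; then
        echo "$bucket: Block Public Access is not fully enabled" >&2
        return 1
    fi
    # get-bucket-policy-status errors when the bucket has no policy at all; treat that as not public
    status=$(aws s3api get-bucket-policy-status --bucket "$bucket" --output json 2>/dev/null || echo '{}')
    if bucket_policy_is_public "$status"; then
        echo "$bucket: bucket policy still grants public access (step 6)" >&2
        return 1
    fi
    # The anonymous listing from the Testing section must now be refused
    if aws s3 ls "s3://$bucket" --no-sign-request >/dev/null 2>&1; then
        echo "$bucket: anonymous listing still works" >&2
        return 1
    fi
    echo "$bucket: public access blocked, policy not public, anonymous listing denied"
}

# Usage: sh harden_bucket.sh company-backups
if [ $# -eq 1 ]; then
    harden_bucket "$1" && verify_bucket "$1"
fi
```

If the bucket genuinely needs to serve some objects publicly, keep IgnorePublicAcls and BlockPublicAcls on, drop the ownership-controls step only if you still rely on ACLs, and grant the public read through a narrowly scoped bucket policy statement instead; verify_bucket will then report the policy as public, which is the expected outcome for that case.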

Potential Impact:

A misconfigured AWS S3 bucket can expose sensitive data and lead to data leaks or other unintended consequences, especially if the bucket is used to store backups, receipts, invoices, or other sensitive records. Even when the objects themselves cannot be downloaded, an open listing leaks file names, paths, sizes, and timestamps that help an attacker plan further attacks.

References:

https://blog.intigriti.com/hacking-tools/hacking-misconfigured-aws-s3-buckets-a-complete-guide
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
https://aws.amazon.com/cli/