My $20,000 S3 bug that leaked everyone’s attachments - S3 bucket misconfig of pre-signed URLs

Views: 22,597

Bug Bounty Reports Explained

A day ago

📧 Subscribe to BBRE Premium: bbre.dev/premium
✉️ Sign up for the mailing list: bbre.dev/nl
📣 Follow me on Twitter: bbre.dev/tw
This video is an explanation of a $20,000 vulnerability in an S3 integration that I discovered in a private bug bounty program.
The @criticalthinkingpodcast episode with Alex Chapman: • Alex Chapman: How to B...
The video from 2021: • How not to implement A...
🖥 Get $100 in credits for Digital Ocean: bbre.dev/do
Timestamps:
00:00 Intro
00:28 How did I approach my target?
01:50 How do S3 pre-signed URLs work?
04:36 The vulnerability
06:50 Escalating the impact

Comments: 82
@BugBountyReportsExplained, 10 months ago
I hope you enjoyed the video! If you want to learn even more with me, go to bbre.dev/premium

@criticalthinkingpodcast, 10 months ago
Thanks for the shout-out and congrats on the great bug!

@BugBountyReportsExplained, 9 months ago
Thanks for the great podcast!

@renganathanofficial, 9 months ago
This is an amazing finding, congrats mate!

@animeshacharya7803, 10 months ago
Great video! Congrats on the bounty :)

@sven5666, 9 months ago
Great explanation. The last third of the video was really valuable and very well explained.

@FrankTranDesign, 10 months ago
Thank you for this content, it's so eloquent!

@rafajanicki2456, 10 months ago
Awesome finding Grzegorz, congratulations :) Thank you for sharing all the details as well!

@BugBountyReportsExplained, 10 months ago
Thanks!

@fabiothebest89lu, 5 months ago
Nice video, thanks and congrats on the bounty

@skytest1247, 10 months ago
Clean and clever! I already guessed what you got after reading your bounty tweet! Congrats

@BugBountyReportsExplained, 10 months ago
Nice!😏

@yuvraj6279, 10 months ago
Nice find, thanks for sharing bro

@bertrandfossung1216, 10 months ago
Congratulations on your bounty. You did great

@_bergee_, 9 months ago
Congratulations!!!! I've recently taken a bit of a holiday from BB, but I plan to get back to it in the autumn.

@BugBountyReportsExplained, 9 months ago
Thanks! Come back, come back😏

@AnkitSingh-gi5zw, 10 months ago
Congratulations Greg!

@edavidwaner2187, 9 months ago
Hey bro, thanks for sharing this video, now I have one more thing to spend more time on in applications😅 Do not stop ❤

@inderjeetsingh1340, 10 months ago
Nice finding!! 🎉

@Lainad27, 9 months ago
Well done!

@user-ok9gj1mz3m, 10 months ago
Congratulations!🎉

@kevinwydler7305, 9 months ago
Congrats on the bounty!

@michalk7802, 9 months ago
Cool, congrats. Nice video, all the best!

@vz7742, 9 months ago
Congrats mate, you just got a new sub ;)

@user-mo8uj9vq5u, 7 months ago
Love your channel bro
@duskb1t, 9 months ago
Congratulations. This was a really interesting video. Btw, I would recommend that you fix the audio ups and downs between your face cam and the presentation.

@ClashWithHuzefa, 9 months ago
Congrats on the bounty bro

@albertcorzo, 9 months ago
Awesome information

@camelotenglishtuition6394, 9 months ago
Well done dude

@hptech7052, 10 months ago
Damn! Congrats:)

@souraldandothi5681, 6 months ago
Well explained!

@stanlyoncm, 9 months ago
I can feel that excitement, I feel the same when I catch a big fish!

@dominicksavio1221, 10 months ago
Congratulations, nice bug❤

@budhiridholmahfudz5806, 9 months ago
Awesome sir👍

@zbyszggo4626, 10 months ago
Good job, mate :)

@BugBountyReportsExplained, 10 months ago
Thanks!

@DEADCODE_, 10 months ago
Great, bud

@Zizo8182, 10 months ago
Thanks for sharing

@Blank_Chy, 9 months ago
God, awesome. 8:50 I've been learning about bug bounty and learning basic web development, SQL and Python since early this year (2023), but I'm still confused about how to report low-impact vulnerability methods. Do you have any suggestions for me as a bug bounty beginner?

@user-wm5nx2qx4v, 9 months ago
Amazing bug!

@monKeman495, 10 months ago
Finally this video happened. I found pre-signed URLs very interesting. Is the max expiry of a shareable object 12 hours or 7 days? Thank you for sharing

@BugBountyReportsExplained, 10 months ago
I didn't actually pay attention to the expiry of the signature

@papkonstantinos6757, 9 months ago
Congratulations

@mohittirkey7889, 5 months ago
Amazing video. Thank you for the details. Quick question: when you provided the path of the directory in the filename (../), didn't the application perform any check for the file extension?

@BugBountyReportsExplained, 4 months ago
Nope, there was no check
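The question and answer above establish the core of the bug: the user-supplied filename went into the S3 object key unchecked, so a `../` sequence turned a presigned URL for one account's attachment into one for a different key (the author later calls it a server-side path traversal). The target's code is not shown in the video, so the following is an added example rather than its implementation. It assumes a key builder that joins a per-account prefix with the filename and normalises the path before presigning, which is one way `..` segments collapse into another account's prefix or the bucket root, and puts a hardened builder beside it. The `attachments/<account_id>/<file>` layout and the account ids are made up for the demo.

```python
"""Server-side path traversal in an S3 object key, beside a hardened key builder.

Added example, not the target's or the video author's code. The vulnerable
builder ASSUMES an implementation that joins a per-account prefix with the
user-supplied filename and normalises the path before presigning; the real
target's code is not shown. Bucket layout and account ids are made up.
"""
import posixpath
import re
import secrets

BUCKET_PREFIX = "attachments"   # assumed layout: attachments/<account_id>/<file>
# One path segment only: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_object_key(account_id: str, filename: str) -> str:
    """Trusts the filename; '..' segments are collapsed by normpath (assumed flaw)."""
    return posixpath.normpath(f"{BUCKET_PREFIX}/{account_id}/{filename}")


def hardened_object_key(account_id: str, filename: str) -> str:
    """Fails closed on anything that could steer the key outside this account's prefix."""
    if not re.fullmatch(r"[0-9]+", account_id):
        raise ValueError("bad account id")
    # Reject, rather than silently strip, path separators of either flavour.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separator in filename")
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected filename")
    # Random, server-chosen component: the client never picks the full key.
    key = f"{BUCKET_PREFIX}/{account_id}/{secrets.token_hex(8)}-{filename}"
    # Defence in depth: after normalisation the key must still sit under the account prefix.
    if not posixpath.normpath(key).startswith(f"{BUCKET_PREFIX}/{account_id}/"):
        raise ValueError("key escaped account prefix")
    return key


def is_rejected(account_id: str, filename: str) -> bool:
    """True if the hardened builder refuses the input."""
    try:
        hardened_object_key(account_id, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("report.pdf", "../5678/report.pdf", "../../"):
        print(f"{name!r:22} vulnerable -> {vulnerable_object_key('1234', name)!r:32}"
              f" hardened rejects: {is_rejected('1234', name)}")
```

S3 itself stores keys literally, so `attachments/1234/../x` is just a key containing two dots; the traversal only bites when something between the request and the signature normalises the path (a path-join helper, a URL parser, an HTTP client that canonicalises before sending). The hardened builder also removes the incentive to guess keys at all by inserting a server-chosen random component.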
@ashiqurrahman275, 9 months ago
Thanks

@user-fo1ve2pt5q, 8 months ago
The third step, where you gave another account name, was that in the intercept (Burp) or by inspecting the elements tab in the browser?

@a_al_Jahin, 7 months ago
Great, and also thanks a lot for the video. Can you please provide the AWS S3 param list's PDF file you showed in the video?

@DeepakKumar-ym1wr, 10 months ago
Congrats, keep it up, keep uploading videos

@amrelganainy0, 10 months ago
Amazing

@MaxMode84, 9 months ago
Smart guy.

@SirMarthes, 10 months ago
Nice finding! Greetings from Mateuszek from h1 :)

@BugBountyReportsExplained, 10 months ago
I recognise you from more than one leaderboard ;) I hope we'll meet at some conference

@thatbassplayercam, 6 months ago
Great video! I'm interested to know how you replicated the vulnerable server code. Would you be able to share?

@BugBountyReportsExplained, 6 months ago
I asked ChatGPT how this functionality can be implemented in my target's technology and then asked it to build a small webapp around it

@dhirajsoren8428, 10 months ago
Cool bug

@ctfs09, 9 months ago
If you could list the bucket with ../ as the file name, the bucket seems public. Did you try to list the bucket through aws-cli?

@BugBountyReportsExplained, 8 months ago
Yes, I think I have

@nguyenquockhanh3920, 5 months ago
At 8:00, I see you mentioned changing max-keys to list all filenames, folders, ... But somehow, I tried adding the max-keys parameter and got an error: "The request signature we calculated does not match the signature you provided. Check your key and signing method." Please tell me how to list all filenames and folders using max-keys. Thanks

@BugBountyReportsExplained, 5 months ago
Max-keys is only used to control how many elements should be listed

@nguyenquockhanh3920, 5 months ago
@BugBountyReportsExplained But the default pre-signed URL method will list a maximum of 1000. How can you list more, as you mentioned in the video? Add any param or any tricks...

@BugBountyReportsExplained, 5 months ago
@nguyenquockhanh3920 Try adding the param before you sign the URL

@nguyenquockhanh3920, 5 months ago
@BugBountyReportsExplained In the case of your report, how did you do it? Have you also tried adding this param before it signs, and was it successful?
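The max-keys exchange above comes down to how SigV4 query-string signing works: every query parameter of the request is part of the canonical request, so a parameter appended after the URL was signed changes the signature that S3 recomputes and produces exactly the "request signature we calculated does not match" error. The parameter has to be present when the server signs, which is why the suggestion is to add it before signing. As an added example (not the video author's code), the following Python implements SigV4 presigning of a bucket-root GET (a ListObjectsV2 call) with plain hmac/hashlib and a verifier that re-derives the signature from the query string as received, the way S3 does. The access key, secret, bucket host, region and timestamp are made-up constants.

```python
"""SigV4 query-string presigning for an S3 bucket-root GET (ListObjectsV2), by hand.

Added example, not the video author's code. Shows why a parameter such as
max-keys must be present *before* the URL is signed. Credentials, bucket host,
region and timestamp are constructed constants; nothing here talks to AWS.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ACCESS_KEY = "AKIAEXAMPLEEXAMPLE12"                      # made up
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # made up
REGION = "us-east-1"
HOST = "example-attachments.s3.amazonaws.com"            # assumed bucket host
AMZ_DATE = "20240101T000000Z"                            # fixed clock for reproducibility


def _uri_encode(s: str) -> str:
    # RFC 3986 encoding with only unreserved characters left bare, as SigV4 requires.
    return quote(s, safe="-_.~")


def _canonical_query(params: dict) -> str:
    # Sorted by parameter name; name and value each URI-encoded.
    return "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k = ("AWS4" + secret).encode()
    for msg in (date, region, service, "aws4_request"):
        k = hmac.new(k, msg.encode(), hashlib.sha256).digest()
    return k


def _signature(method: str, path: str, params: dict) -> str:
    date = AMZ_DATE[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    canonical_request = "\n".join([
        method,
        quote(path, safe="/-_.~"),  # S3 does not normalise the path; sign it as sent
        _canonical_query(params),   # every query parameter, including max-keys, lands here
        f"host:{HOST}\n",           # canonical headers, terminated by a blank line
        "host",                     # signed headers
        "UNSIGNED-PAYLOAD",         # presigned URLs never bind the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        AMZ_DATE,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _signing_key(SECRET_KEY, date, REGION, "s3")
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_list_objects(extra_params: dict, expires: int = 3600) -> str:
    """Presigned GET on the bucket root; extra_params (e.g. max-keys) are signed in."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{AMZ_DATE[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
        **extra_params,
    }
    sig = _signature("GET", "/", params)
    return f"https://{HOST}/?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str) -> bool:
    """Re-derive the signature from the query string that actually arrived, as S3 does."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    expected = _signature("GET", parts.path, params)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    signed_in = presign_list_objects({"list-type": "2", "max-keys": "5"})
    appended = presign_list_objects({"list-type": "2"}) + "&max-keys=5"
    print("max-keys signed in :", verify_presigned(signed_in))
    print("max-keys appended  :", verify_presigned(appended))
```

The same property is what makes the bug in the video bad rather than merely odd: a GET on the bucket root under a valid signature is a ListObjects call, authorised by whatever the signing credentials are allowed to do, so a presigner whose key can list the bucket hands that capability to anyone who can steer the signed key to the root.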
@jomynn, 5 months ago
Where did you report the bug, to the target website or Amazon?

@BugBountyReportsExplained, 5 months ago
Target, Amazon did nothing wrong here

@raihanhossain3423, 10 months ago
What microphone are you using?

@BugBountyReportsExplained, 10 months ago
Rode NT-USB

@tomsawyer6247, 8 months ago
The fact that they use direct links to images on S3 should be a red flag - GET from S3 is expensive and AFAIK can't handle big scale

@whateveritis0, 9 months ago
🎉

@expert2570, 9 months ago
But didn't it expire after 3600 seconds, due to the X-Amz-Expires parameter?

@BugBountyReportsExplained, 9 months ago
It does, but why would that be a problem?

@aqwerzerd, 9 months ago
Need that PDF at 7:51, thank you

@BugBountyReportsExplained, 9 months ago
awsdocs.s3.amazonaws.com/S3/latest/s3-qrc.pdf

@crlfff, 3 months ago
4:13

@flashithackerone, 5 months ago
@BugBountyReportsExplained Hi bro. Congrats on your bounty! I have one small request. When you try to explain a vulnerability with multiple accounts of a program, please use terms like Account A and Account B instead of "my account" and "another account". It would be much more understandable. For the rest, you are doing amazing. Thanks for the knowledge sharing!

@BugBountyReportsExplained, 5 months ago
Do you want to say you had a problem understanding this server-side path traversal bug just because I used the terms "my account" and "victim's account" instead of account A and B?🤔

@flashithackerone, 5 months ago
@BugBountyReportsExplained Yes. But not for myself. Some of my friends are also learning from your channel. I cleared a doubt for them this time. It's their request.

@forxstsombodi3043, 10 months ago
Like the video, thanks for sharing. The audio levels are a bit weird. It seems like when you toggle between screenshare and face cam there's some difference in the audio. Kinda jumpscared me.

@BugBountyReportsExplained, 10 months ago
Yep, sorry for scaring you! I didn't normalise the audio level across different clips, and I uploaded it just before leaving and didn't have time to fix it

@benasin1724, 10 months ago
Congratulations!

@TheVirusmy, 10 months ago
Congratulations