Subdomain Takeover via Unsecured S3 Bucket Connected to the Website

Hey Guys,

 

This post is about an issue I found on a website where a missing file and an unsecured S3 bucket connected to that site gave me a way to take over a subdomain without a classic subdomain takeover vulnerability. So let's begin.

 

I was testing a private program when I came across a subdomain that returned a "404 Not Found" error. The rest of the error page said something more: "Code: NoSuchKey" with "Key: _redirect.html".

 

As most of you already know, not every 404 error means a subdomain is vulnerable to subdomain takeover. In this case the issue was that a file named _redirect.html was missing from the website. But seeing that particular error (NoSuchKey is the error S3 returns when the requested object does not exist) together with the site info, I was sure the site was running on an Amazon service, which means the content for this website should be in an S3 bucket. So I used the subdomain as the name of the S3 bucket and got this as a response

 

This error showed me that the website is indeed connected to an S3 bucket, one that is secured and doesn't allow listing the files in the bucket over the web. But what about the AWS CLI? Sometimes buckets that give an Access Denied error in the browser are still accessible via the AWS CLI, so I tried the command

 

root@kali:~# aws s3 ls s3://sl.target.com/
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

 

 

Unfortunately this didn't work and I wasn't able to list the files in the bucket. But what about copying/uploading a file to this S3 bucket? So I ran the command

root@kali:~# aws s3 cp Hacked.txt s3://sl.target.com/
upload: ./Hacked.txt to s3://sl.target.com/Hacked.txt  

And BOOM!! 💥 Now I had write access to the bucket via the CLI and I was able to upload any file I wanted to the website through this S3 bucket.

 

Bug:

The issue was simple: I found an S3 bucket that didn't have a proper policy set, so anyone with access to the AWS CLI can upload a file to the bucket.

But what else can an attacker do? As you know from the start, the file _redirect.html, which was set as the index of that subdomain, was missing from the bucket. So I created a file named _redirect.html and uploaded it to the bucket via the CLI, but now the error on the bucket and on the subdomain changed to Access Denied 🤦‍♂️

 

root@kali:~# aws s3 cp _redirect.html s3://sl.target.com/
upload: ./_redirect.html to s3://sl.target.com/_redirect.html

 

Issue:

I was able to find the S3 bucket connected to the website that provides its content. The bucket was insecure and not properly configured, so anyone with access to the AWS CLI can upload files to and delete files from the bucket. Uploading a file simply worked, but because of the default behaviour of the current policy the uploaded files were not accessible 😒

I was confused about what to do next, so I decided to read the AWS CLI documentation to learn more about it, and after a few web pages I found a solution to the issue.

Uploading Files again and granting permission to files:

So I uploaded the files to the bucket again, but this time I granted read access on the uploaded files to AllUsers with the command

root@kali:~# aws s3 cp _redirect.html s3://sl.target.com/ --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
upload: ./_redirect.html to s3://sl.target.com/_redirect.html

 

 

After uploading this file to the bucket with read permission granted to AllUsers, I went to the subdomain itself, and this time the error was gone and my file _redirect.html was served as the index.
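The two weaknesses in this story are a bucket that accepts uploads from anyone (the "Bug" section above) and uploads that carry a public-read grant for AllUsers (the `--grants` step just shown). The following Python script is an added example, not the author's code or anything from AWS, that audits ACL and bucket-policy documents for both conditions and checks whether a hardened policy would refuse public-ACL uploads. The ACL and policy documents are constructed samples in the shape returned by `aws s3api get-bucket-acl`, `get-object-acl` and `get-bucket-policy`; the account ID and role name in the hardened policy are placeholders.

```python
"""Audit S3 ACL grants and bucket policies for the two weaknesses in the post:
a bucket anyone can write to, and objects uploaded with a public-read grant.

Added example, not the author's or AWS's code. The ACL and policy documents
below are constructed samples in the shape returned by
`aws s3api get-bucket-acl`, `get-object-acl` and `get-bucket-policy`;
the account ID and role name in the hardened policy are placeholders."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {ALL_USERS, AUTH_USERS}
# ACL permissions that let the grantee add/replace objects or rewrite the ACL
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions (lower-cased) that let a principal change bucket contents
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    """IAM/S3 JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Return (group URI, permission) for every grant to a global group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            found.append((grantee["URI"], grant["Permission"]))
    return found


def acl_allows_public_write(acl):
    """True when AllUsers/AuthenticatedUsers can write: the bug in the post."""
    return any(perm in WRITE_PERMS for _, perm in acl_findings(acl))


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_write_statements(policy):
    """Sids of Allow statements that grant write actions to Principal '*'."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def policy_denies_public_acl_grants(policy):
    """True if some Deny statement keys on the request's ACL headers
    (s3:x-amz-acl or s3:x-amz-grant-read), which is what refuses an upload
    that carries a public-read grant like the one in the post."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if keys & {"s3:x-amz-acl", "s3:x-amz-grant-read"}:
            return True
    return False


# --- constructed samples ---------------------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
WEAK_BUCKET_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},  # anyone can upload
]}
PUBLIC_OBJECT_ACL = {"Grants": [  # what an upload with --grants read=...AllUsers produces
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::sl.target.com/*"},
]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OnlyDeployRoleWrites", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/site-deploy"},  # placeholder account/role
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::sl.target.com/*"},
    {"Sid": "DenyPublicAclOnUpload", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::sl.target.com/*",
     "Condition": {"StringLike": {"s3:x-amz-grant-read": "*AllUsers*"}}},
]}


def audit_report():
    """Run every check over the samples; returns a dict a scanner could emit."""
    return {
        "weak_bucket_acl_public_write": acl_allows_public_write(WEAK_BUCKET_ACL),
        "public_object_acl_grants": acl_findings(PUBLIC_OBJECT_ACL),
        "weak_policy_public_write_sids": policy_public_write_statements(WEAK_POLICY),
        "hardened_policy_public_write_sids": policy_public_write_statements(HARDENED_POLICY),
        "hardened_policy_blocks_public_grants": policy_denies_public_acl_grants(HARDENED_POLICY),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(), indent=2))
```

Feed it the JSON that `aws s3api get-bucket-acl --bucket <name>` and `get-bucket-policy` return for your own buckets: a global-group grant with WRITE, or an Allow for Principal `*` on `s3:PutObject`, is the exact condition that let the upload in this post succeed. The Deny in the hardened policy is the policy-level equivalent of enabling S3 Block Public Access with BlockPublicAcls, which rejects any PutObject carrying a public ACL or grant; the write side is fixed by removing the AllUsers grant and restricting PutObject to the deployment principal.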

 

 

So that's all I did to take over a subdomain without an actual subdomain takeover vulnerability, but instead through an insecure bucket connected to the subdomain.

 

Thanks For Reading  💖

About the Author

Muhammad Khizer Javed

Ethical Hacker, Bug Bounty Hunter/ Pentester & Gamer
