How I Took Over an S3 Bucket Sub-Domain
What is Sub-domain takeover?
Subdomain takeover is a security vulnerability that occurs when the domain owner has no control over the resource that a subdomain is pointing to. If the service the subdomain points at is discontinued, or the domain owner's ownership of that resource lapses, an attacker can claim the resource, take over the subdomain and use it for malicious purposes.
What is S3 bucket?
S3 - Amazon Simple Storage Service (Amazon S3) is an object storage service that can store any amount of data and can be accessed from anywhere over the internet.
Bucket - Buckets are the containers in which data is stored and from which it is accessed when needed.
Let's start:
During the pentest of the API, I discovered that whenever we uploaded any data or file it was stored in an S3 bucket, and the bucket name was reflected in the HTTP response. I thought: what if there are more S3 buckets? After some thought I started enumerating bucket names and, bingo, I found one more S3 bucket that was publicly accessible.
To enumerate the S3 buckets I used the s3recon tool available on GitHub. There are other tools as well; you may use any of them.
When I accessed the S3 bucket in the browser, I found the error message below.
The above error message, "NoSuchBucket", shows that a developer created a bucket and hosted it publicly, then deleted it once its purpose was served but forgot to delete the CNAME record from Route 53.
To double-check, I ran the dig command against the S3 bucket name.
After the confirmation, I logged into my AWS account, created a bucket with the same name and made it public.
Now it was time to create an HTML page and upload it into the bucket.
After that, I created a bucket policy so that the uploaded HTML page could be accessed from the internet.
Once all S3 bucket configurations were completed, I tried to access the HTML page.
Recommendation
- Remove the CNAME or DNS record once the S3 bucket is deleted.
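The check described above (a CNAME that still points at an S3 endpoint while the endpoint answers "NoSuchBucket") is easy to automate for your own zones, which is how the recommendation can be enforced rather than just remembered. The script below is an added example and is not the author's code or any AWS tool: it parses a BIND/Route 53-style zone export, picks out CNAME records whose target is an S3 virtual-hosted or static-website endpoint, extracts the bucket name, and flags each record whose endpoint returns the S3 `NoSuchBucket` error document. The zone records, hostnames (`example.test`) and canned responses are constructed so it runs offline; the regular expression covers the common S3 endpoint shapes and is an assumption, not an exhaustive list of AWS endpoint forms.

```python
"""Dangling S3 CNAME audit (added example, not part of the original post).

Finds zone records that point at an S3 endpoint whose bucket no longer
exists, i.e. the "NoSuchBucket" condition a takeover relies on, so the
stale CNAME can be removed. All hostnames and records below are constructed.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Shapes of S3 virtual-hosted and static-website endpoints. Assumption: only the
# common forms are covered (bucket.s3.amazonaws.com, bucket.s3.<region>...,
# bucket.s3-website-<region>..., bucket.s3-website.<region>...).
S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def bucket_from_cname(target):
    """Return the bucket name an S3 CNAME target refers to, or None if not S3."""
    m = S3_ENDPOINT.match(target.strip())
    return m.group("bucket") if m else None


def parse_zone(zone_text):
    """Yield (owner, cname_target) for every CNAME row of a BIND-style export."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()  # owner [ttl] [class] type rdata
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            yield fields[0].rstrip("."), fields[idx + 1]


def s3_error_code(status, body):
    """Map an HTTP response from an S3 endpoint to a verdict string.

    S3 answers with an XML <Error> document whose <Code> is NoSuchBucket when
    the bucket name is unclaimed; anything non-XML is reported by status code.
    """
    if status == 200:
        return "OK"
    try:
        root = ET.fromstring(body)
        code = root.findtext("Code")
        if code:
            return code
    except ET.ParseError:
        pass
    return "HTTP%d" % status


def http_probe(hostname):
    """Live probe for real use (not exercised offline): fetch what the name serves."""
    req = urllib.request.Request("http://%s/" % hostname, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def audit_zone(zone_text, probe):
    """Return (owner, bucket, verdict) per S3-backed CNAME; DANGLING = NoSuchBucket."""
    findings = []
    for owner, target in parse_zone(zone_text):
        bucket = bucket_from_cname(target)
        if bucket is None:
            continue  # CNAME to something other than S3; out of scope here
        status, body = probe(owner)
        code = s3_error_code(status, body)
        verdict = "DANGLING" if code == "NoSuchBucket" else code
        findings.append((owner, bucket, verdict))
    return findings


# Constructed sample zone and canned responses so the audit runs without network.
SAMPLE_ZONE = """
; constructed export, not a real zone
www.example.test.     300 IN CNAME www.example.test.s3-website-us-east-1.amazonaws.com.
assets.example.test.  300 IN CNAME assets.example.test.s3.amazonaws.com.
mail.example.test.    300 IN MX    10 mx.example.test.
blog.example.test.    300 IN CNAME example-blog.ghost.io.
"""

NO_SUCH_BUCKET = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                  b'<Message>The specified bucket does not exist</Message>'
                  b'<BucketName>www.example.test</BucketName></Error>')

CANNED = {
    "www.example.test": (404, NO_SUCH_BUCKET),   # bucket deleted, CNAME left behind
    "assets.example.test": (200, b"<html>ok</html>"),
}


def canned_probe(hostname):
    return CANNED[hostname]


if __name__ == "__main__":
    for owner, bucket, verdict in audit_zone(SAMPLE_ZONE, canned_probe):
        print("%-22s -> %-22s %s" % (owner, bucket, verdict))
```

Run it as-is to see the constructed `www.example.test` record flagged as DANGLING while `assets.example.test` is reported OK; against a real zone export, pass `http_probe` instead of `canned_probe` so each S3-backed name is fetched and the live S3 error document is inspected. Records that reach the DANGLING state are exactly the ones the recommendation says to delete.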