Web Application Advanced Hacking

The document discusses various security vulnerabilities related to deserialization attacks, Cross-Site Request Forgery (CSRF), and XML Signature Wrapping (XSW) in the context of OAuth and SAML protocols. It highlights how these vulnerabilities can be exploited through insufficient validation and loose comparisons in PHP, leading to unauthorized access and manipulation of data. Additionally, it covers the structure of JSON Web Tokens (JWT) and potential weaknesses in their signature verification process.

By: Mahmoud Ibrahim
Follow me:
LinkedIn: https://www.linkedin.com/in/mahmoud-ibrahim-9b5364244
GitHub: https://github.com/Az0x7

Chapter 1: Deserialization Attacks

- Definition
Deserialization attacks, or insecure deserialization, is the exploitation of the deserialization process. Insecure deserialization refers to a deserialization process in which the serialized string is converted back to its original object in memory by using untrusted user inputs. With insufficient input validation, this can lead to logic manipulation or arbitrary code execution.

- Example - PHP
    <?php
    class myClass
    {
        public $name = "demo";
        function __construct()
        {
            #...some PHP code...#
        }
    }
    print serialize(new myClass());
This script will serialize the PHP class to the following string:
    O:7:"myClass":1:{s:4:"name";s:4:"demo";}

- Some common attack vectors
1. Abusing an application's logic operation that relies on serialized objects (i.e., a purchase action)
2. Accepting user-supplied serialized objects in the cookies to identify a user
3. Using serialized objects as API authentication tokens
4. Transferring user data via Streams, WebSockets or WebRTC channels
5. Executing serialized objects as inputs to execute commands in the file system
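As an added example (not code from the original cheat sheet), the Python below parses the PHP serialize() format shown above and lists the classes an unserialize() call would instantiate, so untrusted input can be checked against a class allowlist before it is ever deserialized. The first sample string is the one the cheat sheet's script prints; the nested sample and all function names are constructed here.

```python
"""Parse PHP serialize() output and report the classes it would instantiate.

Added example: a defender-side pre-check for untrusted serialized input.
Handles N, b, i, d, s, a and O tags. Lengths are treated as character
counts (assumption): non-ASCII payloads would need byte-wise handling.
"""

# Constructed sample: exactly what the cheat sheet's PHP script prints.
SAMPLE = 'O:7:"myClass":1:{s:4:"name";s:4:"demo";}'


class PhpUnserializeError(ValueError):
    pass


def parse(data, pos=0):
    """Return (value, next_pos). Objects come back as ('object', cls, props)."""
    tag = data[pos]
    if tag == 'N':                                   # N;
        return None, pos + 2
    if tag in 'bid':                                 # b:1;  i:42;  d:1.5;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        value = {'b': lambda r: r == '1', 'i': int, 'd': float}[tag](raw)
        return value, end + 1
    if tag == 's':                                   # s:<len>:"<chars>";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        value = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise PhpUnserializeError('string length mismatch at %d' % pos)
        return value, start + length + 2
    if tag == 'a':                                   # a:<n>:{key;value;...}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        return _members(data, colon + 2, count, '')
    if tag == 'O':                                   # O:<len>:"<class>":<n>:{...}
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        cls = data[colon + 2:colon + 2 + length]
        pos = colon + 2 + length + 2                 # skip ":
        colon = data.index(':', pos)
        count = int(data[pos:colon])
        return _members(data, colon + 2, count, cls)
    raise PhpUnserializeError('unsupported tag %r at %d' % (tag, pos))


def _members(data, pos, count, cls):
    """Parse `count` key/value pairs after '{'; wrap as an object when cls is set."""
    items = {}
    for _ in range(count):
        key, pos = parse(data, pos)
        items[key], pos = parse(data, pos)
    if data[pos] != '}':
        raise PhpUnserializeError('expected } at %d' % pos)
    value = ('object', cls, items) if cls else items
    return value, pos + 1


def embedded_classes(data):
    """Every class name unserialize() would instantiate, outermost first."""
    value, end = parse(data)
    if end != len(data):
        raise PhpUnserializeError('trailing data at offset %d' % end)
    found = []

    def walk(node):
        if isinstance(node, tuple) and node[0] == 'object':
            found.append(node[1])
            node = node[2]
        if isinstance(node, dict):
            for child in node.values():
                walk(child)

    walk(value)
    return found


def is_safe_to_unserialize(data, allowed_classes=()):
    """True only if the input is well-formed and names no class outside the
    allowlist: the same gate as PHP's unserialize($s, ['allowed_classes' => [...]]),
    but applied before the data reaches the deserializer at all."""
    try:
        return all(c in allowed_classes for c in embedded_classes(data))
    except (ValueError, IndexError):
        return False
```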
Chapter 2: Type Juggling Attacks

- Definition
Type juggling attacks occur in a few languages, but they particularly target PHP, because it has two types of comparisons: strict (===, !==) and loose (==, !=). In a strict comparison, the expression 1 === 1 means that the value and type of both values are the same. In contrast, in a loose comparison, the expression 1 == 1 (with only two equals signs instead of three) means that the first value could be interpreted either as an integer or as 1 (true) in Boolean. This built-in feature of the PHP language forces variables or values to be converted into specific data types before comparing them.

- Special cases with type juggling
When comparing a string to a number in a loose comparison, PHP will attempt to first convert the string to a number and then perform a numeric comparison. For example, the following comparisons would all return true:
    "0000" == int(0)
    "0e12" == int(0)
    "1abc" == int(1)
    "0abc" == int(0)
    "abc" == int(0)
Another common case is that, when both values resemble numbers (even if they are actually strings), PHP will convert them both into integers and perform a numeric comparison. So, the following examples also all return true:
    "0e12345" == "0e54321"
    "0e12345" <= "1"
    "0e12345" == "0"
    "0xF" == "15"

- Type juggling example explained
Let's say that during an engagement, we've found a PHP-based application that has its source code published on GitHub. The authentication code has a similar logic to the following:
    require_once("../../db.php");
    require_once("../../server_secrets.php");
    // decode the JSON request body into an associative array
    $json_params = json_decode(file_get_contents("php://input"), true);
    $adminName = $json_params['user'];
    $adminPassword = $json_params['password'];
    if ($db['username'] == $adminName && $db['password'] == $adminPassword)
    {
        $admin = true;
    } else {
        $admin = false;
    }
At first glance, we can see that the application loads different files (which we don't have read access to in our customer environment), and then compares the POST request values of $adminName and $adminPassword against the database values. Because the comparison uses two (rather than three) equals signs, we can spot that the application uses a loose comparison to compare the values (which are probably strings). In order to bypass the authentication, we need to compare the original value from the database (which is defined as a string) to another string (see the previous chart of loose comparisons). So, our bypass request will look something like this:
    POST /login.php HTTP/1.1
    Host: vuln.lab
    Content-Type: application/json

    {"user": 1, "password": 1}
In this case, when the PHP code performs its loose comparison between the given string and our JSON parameters as integers, it will return true, which allows us to bypass the authentication without providing a valid username or password. That being said, it should be noted that HTTP parameters are always treated as strings, never as other types (e.g., inputs from JSON and PHP objects).

- "Zero-like" type juggling
When PHP interprets a string as an integer, it converts it to PHP exponential notation. For example, 0e02342623422412516789 and 0e2342623422412516789 both loosely compare to int(0). If the number after the first letter is 0, it will remove the leading zero. A practical use of this exploitation might be where an application uses hash comparing, specifically with MD5 hash types, which are vulnerable to "zero-like" cases. For example, consider the following PHP code:
    $hash = $_COOKIE['auth_cookie'];
    $username = $_COOKIE['username'];
    $timestamp = time();
    $md5_hash = md5($username . '|' . $timestamp);
    if ($md5_hash != $hash) {
        // bad cookie
    }
If we logged into the application as a normal user, we could see that our hash looks something like this:
    596440eae1a63306035942fe604ed854
So, to bypass this check, we could make the final calculated hash string zero-like, and provide a "0" in the cookie. For example:
    "0e768261251903820937390661668547" == "0"
Therefore, by writing a script that creates a list of hashes by incrementally changing the expiration timestamp enough times, we would eventually get a zero-like calculated Hash-based message authentication code (HMAC). For example:
    md5("admin|1835970773") -> "0e174892301580325162390102935332"
which makes the following comparison equal true:
    "0e174892301580325162390102935332" == "0"
Although these types of vulnerabilities are easy to find, they are quite difficult to exploit, as HTTP request parameters are usually treated as strings. Nevertheless, you can still trigger PHP juggling to bypass them.
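To make the comparison tables above concrete, here is an added Python model (not from the cheat sheet) of PHP's loose comparison for the int/string cases it lists, with a strict comparison beside it and a check for "zero-like" hash strings. The `mode` switch is my addition: it records that hex strings stopped being numeric in PHP 7 and that PHP 8 compares a number with a non-numeric string as strings, which is why the "1abc", "0abc" and "abc" rows no longer hold there.

```python
"""Model of PHP loose (==) vs strict (===) comparison for the cases above.

Added example, not part of the original cheat sheet. mode selects the
PHP generation being modelled: "php5" (hex strings count as numeric),
"php7" (default), "php8" (number vs non-numeric string compares as strings).
Numeric strings are compared as floats here; PHP uses ints when both fit,
which changes none of the cases below.
"""
import re

NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$')
LEADING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')
HEX = re.compile(r'^\s*0[xX][0-9a-fA-F]+\s*$')


def numeric_value(s, mode="php7"):
    """Value of a *whole* numeric string, or None if it is not numeric."""
    if mode == "php5" and HEX.match(s):
        return float(int(s.strip(), 16))
    return float(s) if NUMERIC.match(s) else None


def leading_value(s):
    """The cast PHP 5/7 apply for string vs number: leading digits, else 0."""
    m = LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def _cmp(x, y):
    return (x > y) - (x < y)


def php_loose_cmp(a, b, mode="php7"):
    """Spaceship-style result (-1, 0, 1) of PHP's loose comparison."""
    if isinstance(a, str) and isinstance(b, str):
        na, nb = numeric_value(a, mode), numeric_value(b, mode)
        if na is not None and nb is not None:      # both look numeric
            return _cmp(na, nb)                    # -> numeric comparison
        return _cmp(a, b)                          # -> plain string comparison
    if isinstance(a, str):                         # put the number first
        return -php_loose_cmp(b, a, mode)
    if isinstance(b, str):
        nb = numeric_value(b, mode)
        if nb is None:
            if mode == "php8":                     # PHP 8: number -> string
                return _cmp(str(a), b)
            nb = leading_value(b)                  # PHP 5/7: string -> number
        return _cmp(float(a), nb)
    return _cmp(a, b)


def php_loose_eq(a, b, mode="php7"):
    return php_loose_cmp(a, b, mode) == 0


def php_loose_le(a, b, mode="php7"):
    return php_loose_cmp(a, b, mode) <= 0


def php_strict_eq(a, b):
    """===: same type and same value, the comparison the login code needed
    (for hashes, PHP's hash_equals() additionally runs in constant time)."""
    return type(a) is type(b) and a == b


def is_zero_like(s):
    """True for hash strings PHP reads as 0 in scientific notation ("0e" + digits)."""
    return re.fullmatch(r'0[eE]\d+', s) is not None


# The cheat sheet's table as (left, right, mode) triples that all compare equal.
PAGE_CASES = [
    ("0000", 0, "php7"), ("0e12", 0, "php7"), ("1abc", 1, "php7"),
    ("0abc", 0, "php7"), ("abc", 0, "php7"),
    ("0e12345", "0e54321", "php7"), ("0e12345", "0", "php7"),
    ("0xF", "15", "php5"),
]


def page_table_holds():
    """Every row of the cheat sheet's table evaluates to true in its PHP mode."""
    return all(php_loose_eq(a, b, m) for a, b, m in PAGE_CASES)
```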
Chapter 3: NoSQL Databases

- NoSQL injection fundamentals
SQL injection is a classic code injection technique used in web hacking to steal data and compromise database servers through the unsafe use of user input. NoSQL injection allows attackers to take control of database queries. NoSQL databases (MongoDB, CouchDB, Redis, etc.) provide looser consistency restrictions than traditional SQL databases (MySQL, MariaDB, Oracle, etc.), and they provide APIs in a variety of languages with various relationship models, which each offer different features and restrictions. NoSQL databases such as MongoDB don't use traditional SQL syntax; however, they are still potentially vulnerable to injection attacks.

- MongoDB NoSQL injection explained
For example, the equivalent of the previously illustrated query for a NoSQL MongoDB JSON array database is shown below:
    db.users.find({username: '<USER>', password: '<PWD>'});
Let's say that our app sends a JSON request during the login process:
    POST /login HTTP/1.1
    Host: vuln.lab
    Content-Type: application/json

    {"username": "admin", "password": "mypass"}

- Testing MongoDB NoSQL injections
In order to test if the login is vulnerable to NoSQL injection, we can supply a JSON input object as follows:
    POST /login HTTP/1.1
    Host: vuln.lab
    Content-Type: application/json

    {"username": "admin", "password": {"$gt": ""}}
In cases where the application doesn't use JSON as input, it's still possible to inject an input object by passing an array object in the request parameters, as shown below:
    POST /login HTTP/1.1
    Host: vuln.lab
    Content-Type: application/x-www-form-urlencoded

    user=admin&password[$ne]=

Tip: In order to exploit this automatically and save time, I use a directory of pre-defined parameters and use Burp Intruder instead of "manually guessing" fields. If you're keen to try some more variations of these NoSQL injections, I highly recommend that you test it with some more advanced payloads such as those GitHub projects:
    payload
    payload

- Attacking CouchDB interfaces
CouchDB is a NoSQL database written in Erlang. It uses JSON to store data and JavaScript as a query language, similarly to MongoDB. By default, CouchDB listens on port 5984/TCP using a service called CouchDB HTTP API to allow command execution and database operations. In this section, we will focus on different techniques used to pentest CouchDB, along with some common vulnerabilities (CVE-2017-12635 and CVE-2017-12636) that have been used in the wild in the last few years in cryptocurrency mining attacks.

- Manually testing CouchDB endpoints
The first step during our engagement is to enumerate the target and look for the CouchDB default port state. If we run a SYN scan using Nmap, we should get a similar result to this:
    PORT     STATE SERVICE REASON
    5984/tcp open  unknown syn-ack

Tip: Another way to access the database is via the web interface, https://X.X.X.X:5984/_utils/

- SSRF via CouchDB replicate function
One of the features of CouchDB is the ability to create a replicate operation in the background. Push and pull replication can be used to replicate data to or from the remote CouchDB instance, respectively. For example, to replicate data from a remote database to a local database
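As an added example (not from the cheat sheet), the Python below shows how the two injected bodies above turn into operator objects on the server side, and a defender's version of the login lookup that only ever builds the find() filter from plain strings. The sample request bodies are the cheat sheet's; the helper names are mine and not any framework's API.

```python
"""Where NoSQL operator objects come from, and how a login handler refuses them.

Added example; helper names are assumptions, not a framework's API.
"""
import json
import re
from urllib.parse import parse_qsl

# Constructed request bodies, copied from the cheat sheet's three requests.
NORMAL_JSON = '{"username": "admin", "password": "mypass"}'
INJECTED_JSON = '{"username": "admin", "password": {"$gt": ""}}'
INJECTED_FORM = 'user=admin&password[$ne]='


def parse_form_with_brackets(body):
    """x-www-form-urlencoded with PHP/qs-style bracket keys.

    'password[$ne]=' becomes {'password': {'$ne': ''}}: this is how an
    operator object reaches the query even when the app never parses JSON.
    """
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r'([^\[\]]+)\[([^\[\]]*)\]', key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def parse_login_body(content_type, body):
    if content_type.split(';')[0].strip() == 'application/json':
        return json.loads(body)
    return parse_form_with_brackets(body)


def contains_operator(value):
    """True if any nested key starts with '$' (a MongoDB query operator)."""
    if isinstance(value, dict):
        return any(k.startswith('$') or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def vulnerable_filter(params):
    """The pattern the cheat sheet tests for: user input pasted into find()."""
    return {'username': params.get('username', params.get('user')),
            'password': params.get('password')}


def safe_login_filter(params):
    """Build the find() filter from scalars only; None means 'refuse request'.

    Both injected bodies above fail the isinstance(str) test, so no
    {'$gt': ''} or {'$ne': ''} object ever reaches the database.
    """
    username = params.get('username', params.get('user'))
    password = params.get('password')
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    if contains_operator(params):        # operators smuggled in other fields
        return None
    return {'username': username, 'password': password}
```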
Chapter 4: API Hacking GraphQL

- Definition
GraphQL was developed by Facebook in around 2012, and publicly released in 2015. It's a specification for an open source data query language (DQL) and API engine with implementations in many languages. GraphQL is just a client-facing query language, not a backend database query language (like MongoDB, MySQL, etc.). This means that the client first interacts with the GraphQL layer, which in turn interacts with arbitrary code and ultimately ends up talking to the database. The idea behind GraphQL is that you don't need to query multiple REST APIs and send multiple requests to different endpoints on the API to query data from the backend database; with GraphQL, you only need to send one request to query the backend.

- Detect GraphQL endpoints
The first step of GraphQL discovery is to search for the interactive GraphQL endpoints that allow us to execute queries. First look for common GraphQL endpoint paths such as these:
    /graphql/
    /graphql/console/
    /graphql.php
    /graphiql/
    /graphiql.php
    /api/graphql
    /api/graphql/graphql.php
    /api/<company>-graphql
    /<company>-graphql

- Enumerate GraphQL schema
After discovering a GraphQL endpoint, the next step is to fully understand the schema in order to know how to query it. Fortunately, GraphQL allows us to discover its schema by using its introspection system. With this system, we can receive information about the server's available queries, types, fields, and more.

Tip: Issuing the introspection query by hand and figuring everything out by reading the response can be a painful and time-consuming task. I highly recommend downloading and installing (even locally) this GraphQL-IDE project from GitHub (https://github.com/andev-software/graphql-ide), which will fetch everything automatically and save you some time.

Chapter 5: Misconfigured Cloud Storage

- Definition
Cloud storage provides a solution for storing static files such as photos, videos, documents, and almost any other type of file or asset. Instead of organizing files in a hierarchical directory, object storage systems organize files in such a way that each file is called an object, and any number of objects can be uploaded to the storage. Every file has a unique link, and is delivered through the vendor CDN (Content Delivery Network). There are two key players in this field: Amazon Web Services (AWS), with S3 buckets; and DigitalOcean, with Spaces. Both vendors provide a similar concept of file storage and management.

- Enumerate public cloud-storage instances
Both S3 buckets and Spaces are based on HTTP endpoints that allow direct access to the cloud-storage contents. Most companies usually use URL names that are related to the company's name (mycompany-bak, my-company-static, etc.), so the first step in finding the content would be to enumerate all possible names of the company's storage URLs.

For AWS S3 buckets, the URL naming pattern is as follows:
1. storagename.s3.amazonaws.com
2. storagename.s3-website-region.amazonaws.com (only if the bucket has the property "Static website hosting")

For DigitalOcean Spaces, the URL naming pattern is as follows:
1. storagename.region.digitaloceanspaces.com
2. region.digitaloceanspaces.com/storagename

For Azure Storage accounts, the URL naming pattern is as follows:
1. storagename.blob.core.windows.net (for Blob storage, the most commonly used)
2. storagename.file.core.windows.net (for file services storage)
3. storagename.table.core.windows.net (for data table storage)
4. storagename.queue.core.windows.net (for queue storage)

For Google Cloud Platform (GCP) Storage, the URL naming pattern is as follows:
1. https://www.googleapis.com/storage/v1/b/storagename

- Misconfigured S3 buckets
For this type of test, you should configure the AWS CLI (Command Line Interface) on your machine to connect and run S3 bucket commands from the CLI. Once you've installed it, you need to configure it with an access key, as described here: https://aws.amazon.com/developers/access-keys/
Then, you will be able to check if the bucket lacks proper ACLs (Access Control Lists) for either the buckets or objects, by inspecting the response from the following commands to see whether they return "AccessDenied" errors:

Command | Description
aws s3 ls s3://[bucketname] | Try to list all files within the S3 bucket
aws s3 mv yourfile s3://[bucketname]/test-file.txt | Move a local file to the remote S3 bucket
aws s3 rm s3://[bucketname]/test-file.svg | Delete a remote file from the S3 bucket
aws s3 mv yourfile s3://[bucketname] --acl public-read | Upload a file with public-read permission, useful in case the object returns an "AccessDenied" error when accessing it

For example, let's say that our S3 bucket is at testmeplz.s3.amazonaws.com. The command would look like this:
    aws s3 ls s3://testmeplz --no-sign-request
However, as some buckets are hosted in specific regions, we will need to specify the bucket region in some cases, as follows:
    aws s3 ls s3://testmeplz --no-sign-request --region us-west-2
Remember that S3 buckets share a global namespace, meaning that no two buckets can share the same name. For example: demo1 and demo2 are two different buckets and are not necessarily related to the same company.

- Automate hunting for cloud storage
During an engagement, there's usually not enough time to try most of the methods here manually. However, you can use many online tools that are available to download from GitHub to help enumerate and discover cloud storage content. I would like to mention a few that I've had a great experience with:
For Amazon S3 buckets, try the "AWSBucketDump" tool by Jordan Potti: https://github.com/jordanpotti/AWSBucketDump
For DigitalOcean Spaces, try the "Spaces-Finder" tool by Appsecco: https://github.com/appsecco/spaces-finder
For GCP Storage, try the "GCPBucketBrute" tool by RhinoSecurityLabs: https://github.com/RhinoSecurityLabs/GCPBucketBrute
For Azure Storage, try the "MicroBurst" tool by NetSPI: https://github.com/NetSPI/MicroBurst

Chapter 6: Server-Side Request Forgery

- Definition
Server-Side Request Forgery (SSRF) vulnerabilities allow the trust relationship between vulnerable applications and the backend system to be abused, giving an attacker access to internal resources that are not intended to be exposed. This can result in unauthorized access to sensitive data, actions, and interfaces in the internal network, including internal DB admin or control panel interfaces. Usually, to find this type of vulnerability, all we need is to tamper with URL-based interfaces such as updating, fetching, and validating data inputs (update profile image URL, update remote URL resource, etc.).

- SSRF Exploitation with SSRFmap
If you don't have the Burp Pro edition or you don't want to use the Python module, there's a better tool that automates the process of finding and escalating SSRF-based vulnerabilities. You can download it from GitHub here: https://github.com/swisskyrepo/SSRFmap

- Cloud-based SSRF
Most cloud service providers (e.g., Amazon AWS) give access to the internal metadata REST (Representational State Transfer) API, from where important configuration and sensitive data can be extracted. This allows the attack surface to be extended, so that you can perform lateral attacks on other services and instances within the cloud environment. You may find more accurate API endpoints in the following GitHub project: https://github.com/cujanovic/SSRF-Testing/blob/master/cloud-metadata.txt

- SSRF Out-of-Band with XXE
Similarly to blind SQL injection techniques, you can escalate a successful XXE (XML External Entity) attack on a target application to access internal resources by creating an external DTD (Document Type Definition) within the original XML request. Thus, you'll be able to make an additional request to local resources and read the contents of the local files.

- SSRF with Local File Inclusion
In Local File Inclusion (LFI) attacks, the application uses URL input as a path to include files as part of its logical flow. Therefore, it is possible to load the contents of local files by using different URL scheme protocols; hence, an attacker can exfiltrate the source code or data from the internal resources with no need to create an SSRF listener or remote server.

- Gopher Protocol with SSRF
Gopher was the first easy-to-learn and easy-to-use Internet protocol. It opened the Internet to everyone, until the massive growth in popularity of the World Wide Web in 1994, which replaced Gopher as the leading interface for burrowing through the Internet. Gopher was intended to be a distributed document delivery service, and allowed users to explore, search, and retrieve information from different locations in a seamless fashion. But like any other evolved technology, it was later replaced by the newer Web HTTP protocol we all know and are familiar with today. In SSRF, the Gopher protocol is commonly used to send requests to other services and execute arbitrary commands without any additional headers.

- SSRF with URL redirects
One of the cool ways to bypass URL restrictions in SSRF is by using URL redirection. HTTP clients are not like browsers; they normally perform unsafe redirects (except in the case of Java). I've used this technique for many bug bounties and Cross-Site Scripting (XSS) exploitation cases.

Tip: I highly recommend using a URL shortening service such as bit.ly (e.g., https://bit.ly/2Kgbc9P) to redirect any addresses to localhost or internal IP addresses.

Chapter 7: Application Logic

- Definition
In many web applications, developers need to create custom solutions to handle certain requirements of the business unit. For example, in payment applications, there may be a need to ensure that services are provided based on age thresholds, or to check that payments made by customers do not exceed their current account balance.

- Bypass Transfer Money Limit
- Borrow Money Without Return
- Bypass Business Limit
- Get Better Yearly Rates
- Discount Checkout Flaws
- Sensitive Data Exposure: Discover Customer's Two-Factor Code; Leaking Credit Card Details
- Mass Assignment

- Replay attacks
Replay attacks are attacks in which a valid data transmission reuses an old session ID that has no set expiration time, or session data stored in an unencrypted form. A common use case is when an attacker carries out an attack against an authenticated interface by re-transmission of an invalidated session request to impersonate an authorized user and perform fraudulent transactions or activities.

- HTTP Response Splitting
HTTP response splitting attacks (also known as CRLF injection attacks) occur when the web server answers back with a response based on direct passing of user-entered data to the response header fields (like Location, Set-Cookie, etc.) without proper sanitization, separated by a specific combination of special characters, namely a carriage return (CR; i.e., %0d or \r) and a line feed (LF; i.e., %0a or \n). This tricks the server into thinking that a request has been terminated and another request has started.

- DOM Clobbering
In recent years, the rise of DOM (Document Object Model) clobbering for real-world exploitation of well-known browser issues has continually caused trouble for many applications, as well as being used in CTFs (capture the flag competitions) and bug bounties. But what is the DOM? In brief, it's a legacy feature of web browsers that allows JavaScript code running in the browser to access and manipulate a tree-based representation of the document, initially built by parsing the HTML of the page and structuring it.

- Host header Poisoning
The HTTP Host header field sent in a request provides the host and port information from the target server, enabling the origin server to tell the web server which virtual host to use. In web applications, developers tend to trust the HTTP Host header value, and use it to generate links and import resources.

Chapter 8: Attacking JSON Web Tokens (JWT)

- JWT Format 101
JWTs have a really simple format. They are divided into three parts: header, payload, and signature, separated by periods (.), and then encoded into base64. Let's look at the parts of a JWT using a sample JWT from the jwt.io website. This JWT consists of the following parts:
• Header - eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
• Payload - eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4...
• Signature - SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

- Modify Signature Algorithm
The signature algorithm ensures that the JWT is not modified by malicious users during transmission. That being said, some JWT libraries support the none algorithm (i.e., no signature at all), so when the algorithm value in the header is set to none, the backend will not perform signature verification.

- Change Cipher Algorithm
In some older versions of certain JWT libraries, it's possible to switch the cipher algorithm from asymmetric, based on RSA and ECDSA (RS256), which uses a private key to sign the message and a public key for authentication, to HMAC (HS256), which uses the same key for signing and verifying. By changing the algorithm from RS256 to HS256, the backend will use the public key as the secret key and the same algorithm to verify the signature. Because the public key is not secret at all, we can correctly sign such messages.

- Cracking the JWT Secret
There are several tools that can brute force the HS256 signature on a JWT:
1. https://github.com/brendan-rius/c-jwt-cracker
2. https://github.com/ticarpi/jwt_tool
Crack with JohnTheRipper (JTR): https://github.com/magnumripper/JohnTheRipper

Tip: During an assessment, it's always recommended to check the sensitive information that may be stored inside the JWT, as it is just base64-encoded data and thus very easy to decode. Also note that it's possible to automate these tests using the JWT_Tool from GitHub: https://github.com/ticarpi/jwt_tool
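The three weaknesses in this chapter (alg set to none, RS256 to HS256 key confusion, and the readable payload) are all settled by one rule in the verifier: the algorithm comes from server configuration, never from the token. Below is an added, standard-library-only Python HS256 verifier written that way (not the cheat sheet's code nor any JWT library's API); the secret, the public-key stand-in and the claims are constructed here, and sign_hs256() exists only to build sample tokens.

```python
"""HS256 JWT verification that pins the algorithm server-side.

Added example, standard library only. sign_hs256() exists just to build
constructed sample tokens for the checks below.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def json_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(',', ':')).encode())


def sign_hs256(payload, key, header=None):
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = header or {'alg': 'HS256', 'typ': 'JWT'}
    signing_input = json_segment(header) + '.' + json_segment(payload)
    sig = hmac.new(key, signing_input.encode('ascii'), hashlib.sha256).digest()
    return signing_input + '.' + b64url_encode(sig)


def peek_claims(token):
    """Decode header and payload WITHOUT verifying: this is what anyone holding
    the token can read, which is the cheat sheet's point about sensitive data."""
    h, p, _ = token.split('.')
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_jwt(token, key, expected_alg='HS256'):
    """Return the payload if the token is valid, else None.

    expected_alg is the verifier's configuration. The header's 'alg' must
    equal it exactly, so 'none' is rejected, and a token re-signed with
    HS256 is rejected by a verifier configured for RS256 even when the
    public key was used as the HMAC secret. Only HS256 is implemented here;
    an RS256 verifier would check an RSA signature instead.
    """
    try:
        h, p, s = token.split('.')
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:                 # malformed token, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get('alg') != expected_alg:
        return None
    if expected_alg != 'HS256':
        return None
    expected = hmac.new(key, (h + '.' + p).encode('ascii'), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        return None
    try:
        return json.loads(b64url_decode(p))
    except ValueError:
        return None


# Constructed material for the checks: a secret and a "public key" stand-in.
SECRET = b'constructed-hs256-secret'
FAKE_PUBLIC_KEY = b'-----BEGIN PUBLIC KEY----- constructed placeholder'
CLAIMS = {'sub': '1234567890', 'name': 'John Doe'}
```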
Chapter 9: Attacking SAML Flows

- XML External Entity (XXE) via SAML Assertion
The SAML message is based on user-provided XML that is processed by the SP. This means that common XML attack vectors like XXE are frequently applicable through SAML messages. The presence of this behavior is quite low, and it's not always exploitable. SAML IdP and SP are generally very configurable, so there's a lot of room for increasing or decreasing the impact.

- Signature Stripping
As the SAML message contains a signature, we can first attempt to forge a well-formed SAML message without signing. To do this, we need to remove any current signatures by removing all signature elements from the original SAML Response.

- Tamper with Self-Signed Signature
The SAML contains signatures signed by a real certification authority (CA). However, if the server doesn't check whether the certificate is self-signed, you may be able to use your own self-signed certificate to replace the signing of the SAML Response.

- XML Signature Wrapping (XSW) Attacks
The list of XML Signature Wrapping (XSW) tests is as follows:
1. XSW1 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response after the existing signature.
2. XSW2 – Applies to SAML Response messages. Add a cloned unsigned copy of the Response before the existing signature.
3. XSW3 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion before the existing Assertion.
4. XSW4 – Applies to SAML Assertion messages. Add a cloned unsigned copy of the Assertion after the existing Assertion.
5. XSW5 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and add a copy of the original Assertion with the signature removed at the end of the SAML message.
6. XSW6 – Applies to SAML Assertion messages. Change a value in the signed copy of the Assertion and add a copy of the original Assertion with the signature removed after the original signature.
7. XSW7 – Applies to SAML Assertion messages. Add an "Extensions" block with a cloned unsigned assertion.
8. XSW8 – Applies to SAML Assertion messages. Add an "Object" block containing a copy of the original assertion with the signature removed.

- Comment Truncation Vulnerability
To test this vulnerability, we can insert a comment inside the username in our SAML
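The eight XSW variants above all rely on the SP validating one element and consuming another. As an added example (not from the cheat sheet), this Python selects the assertion an SP may use by structural rules that every variant in the list violates: exactly one Assertion anywhere in the document, a unique ID, and a single enveloped Signature whose Reference points at that ID. The SAML document is constructed here and deliberately minimal; cryptographic verification of the signature is a separate step this snippet does not perform.

```python
"""Structural XSW checks on a SAML Response (ElementTree, stdlib only).

Added example. It complements, and does not replace, cryptographic
signature validation. For the XXE item earlier in this chapter, parse
untrusted SAML with defusedxml rather than bare ElementTree in production.
"""
import xml.etree.ElementTree as ET

NS = {
    'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
    'saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
    'ds': 'http://www.w3.org/2000/09/xmldsig#',
}

# Constructed, deliberately minimal Response: one signed assertion for "alice".
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed unsigned clone of the kind XSW3/4/7/8 insert, with a changed NameID.
UNSIGNED_CLONE = ('<saml:Assertion ID="_a2"><saml:Subject>'
                  '<saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>')


def select_signed_assertion(xml_text):
    """Return the single assertion the SP may trust, or None to reject."""
    root = ET.fromstring(xml_text)
    if root.tag != '{%s}Response' % NS['samlp']:
        return None
    # Search the whole tree, not just direct children: wrapped copies sit in
    # Extensions/Object blocks or before/after the signed element (XSW1-8).
    assertions = root.findall('.//saml:Assertion', NS)
    if len(assertions) != 1:
        return None
    assertion = assertions[0]
    aid = assertion.get('ID')
    if not aid or sum(1 for e in root.iter() if e.get('ID') == aid) != 1:
        return None                              # ID missing or duplicated
    signatures = assertion.findall('ds:Signature', NS)   # enveloped only
    if len(signatures) != 1:
        return None                              # stripped or doubled signature
    refs = signatures[0].findall('ds:SignedInfo/ds:Reference', NS)
    if len(refs) != 1 or refs[0].get('URI') != '#' + aid:
        return None                              # signature covers another element
    return assertion


def subject_name_id(assertion):
    return assertion.findtext('saml:Subject/saml:NameID', namespaces=NS)


def accepted_name_id(xml_text):
    """NameID of the trusted assertion, or None when the Response is rejected."""
    assertion = select_signed_assertion(xml_text)
    return None if assertion is None else subject_name_id(assertion)
```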
Chapter 10: Attacking OAuth 2.0 Flows

- Insufficient Redirect URI Validation
Some authorization servers allow clients to register redirect URI (Uniform Resource Identifier) patterns, so that when the application starts the OAuth flow, it will direct the user to the endpoint of the URI service. To test this, we can change the redirect_uri parameter to direct the user to our malicious server, similarly to an open redirect attack.

- Cross-Site Request Forgery OAuth Client
A Cross-Site Request Forgery (CSRF) attack against the client's redirect URI allows an attacker to inject their own authorization code or access token, which can result in the client using an access token associated with the attacker's protected resources rather than the victim's.

- Cross-Site Request Forgery Authorization Server
In some OAuth providers' implementations, it is possible to execute a CSRF attack against the authorization server to gain an access token with arbitrary scope from any provider-based application where a victim is logged in.

- Access Token Scope Abuse
When an OAuth 2.0-based app issues an access token to a client application to access a resource on behalf of the resource owner ("the user"), it should be a properly scoped access token, so that there are no overlapping scopes across any of the resource servers (e.g., API endpoints). Therefore, when requesting access to that particular resource server and accepting a token, the application should check whether the token is issued with a scope known to it.
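Each of the four OAuth items above corresponds to one check that is commonly missing. An added Python example (not from the cheat sheet) with the authorization-server checks (an exact redirect_uri match instead of patterns, and scope limited to what the client registered), the client-side state check that stops the CSRF cases, and the resource-server check that a token's scope is one it knows; the client registration, URLs and scope names are constructed and the function names are mine, not any OAuth library's API.

```python
"""OAuth 2.0 checks for the four weaknesses listed above (added example).

Client registration, URLs and scope names are constructed; function names
are assumptions, not an OAuth library's API.
"""
import hmac
from urllib.parse import parse_qs, urlsplit

CLIENTS = {
    'client-123': {
        # Exact strings. Registering patterns or prefixes is the weakness.
        'redirect_uris': {'https://app.example.com/oauth/callback'},
        'scopes': {'profile:read', 'email:read'},
    },
}

# What this particular resource server understands; anything else is refused.
RESOURCE_SERVER_SCOPES = {'profile:read', 'email:read', 'email:write'}


def validate_redirect_uri(client_id, redirect_uri):
    """Authorization server: accept only a byte-for-byte registered URI."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != 'https' or parts.fragment or parts.username:
        return False
    return redirect_uri in client['redirect_uris']


def validate_scope(client_id, requested):
    """Authorization server: grant only scopes the client registered for.

    Returns the granted set, or None if the request names an unknown scope
    (granting the union, or everything, is the scope-abuse weakness).
    """
    client = CLIENTS.get(client_id)
    scopes = set(requested.split())
    if client is None or not scopes or not scopes <= client['scopes']:
        return None
    return scopes


def validate_callback(expected_state, callback_url):
    """Client: accept the code only when the state it issued round-trips.

    A callback without (or with a different) state is the CSRF case: a
    code or token the client did not request being delivered into the
    victim's session. Returns the code, or None to reject the callback.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get('state', [''])[0]
    code = query.get('code', [''])[0]
    if not state or not code or not hmac.compare_digest(state, expected_state):
        return None
    return code


def token_scope_known(token_scopes):
    """Resource server: refuse tokens whose scope it does not recognise."""
    return bool(token_scopes) and set(token_scopes) <= RESOURCE_SERVER_SCOPES
```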