From e26d896dcc5ba1cea46e4d09346a4f4b57777045 Mon Sep 17 00:00:00 2001 From: Jinson Varghese Behanan <33680980+jinsonvarghese@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:14:03 +0530 Subject: [PATCH] Update 11-Test_Cloud_Storage.md (#1101) --- .../11-Test_Cloud_Storage.md | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage.md index 1ae35f0e3f..47bf8f5b8c 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/11-Test_Cloud_Storage.md @@ -6,9 +6,9 @@ ## Summary -Cloud storage services facilitate web application and services to store and access objects in the storage service. Improper access control configuration, however, may result in sensitive information exposure, data being tampered, or unauthorized access. +Cloud storage services allow web applications and services to store and access objects in the storage service. Improper access control configuration, however, may lead to the exposure of sensitive information, data tampering, or unauthorized access. -A known example is where an Amazon S3 bucket is misconfigured, although the other cloud storage services may also be exposed to similar risks. By default, all S3 buckets are private and can be accessed only by users that are explicitly granted access. Users can grant public access to both the bucket itself and to individual objects stored within that bucket. This may lead to an unauthorized user being able to upload new files, modify or read stored files. +A known example is where an Amazon S3 bucket is misconfigured, although the other cloud storage services may also be exposed to similar risks. By default, all S3 buckets are private and can be accessed only by users who are explicitly granted access. Users can grant public access not only to the bucket itself but also to individual objects stored within that bucket. This may lead to an unauthorized user being able to upload new files, modify or read stored files. ## Test Objectives @@ -16,9 +16,9 @@ A known example is where an Amazon S3 bucket is misconfigured, although the othe ## How to Test -First identify the URL to access the data in the storage service, and then consider the following tests: +First, identify the URL to access the data in the storage service, and then consider the following tests: -- read the unauthorized data +- read unauthorized data - upload a new arbitrary file You may use curl for the tests with the following commands and see if unauthorized actions can be performed successfully. @@ -35,6 +35,8 @@ To test the ability to upload a file: curl -X PUT -d 'test' 'https:///test.txt' ``` +In the above command, it is recommended to replace the single quotes (') with double quotes (") when running the command on a Windows machine. + ### Testing for Amazon S3 Bucket Misconfiguration The Amazon S3 bucket URLs follow one of two formats, either virtual host style or path-style. @@ -60,7 +62,7 @@ https://s3.Region.amazonaws.com/bucket-name/key-name As above, in the following example, `my-bucket` is the bucket name, `us-west-2` is the region, and `puppy.png` is the key-name: ```text -https://s3.us-west-2.amazonaws.com/my-bucket/puppy.jpg +https://s3.us-west-2.amazonaws.com/my-bucket/puppy.png ``` For some regions, the legacy global endpoint that does not specify a region-specific endpoint can be used. Its format is also either virtual hosted style or path-style. @@ -79,7 +81,7 @@ https://s3.amazonaws.com/bucket-name #### Identify Bucket URL -For black-box testing, S3 URLs can be found in the HTTP messages. The following example shows a bucket URL is sent in the `img` tag in a HTTP response. +For black-box testing, S3 URLs can be found in the HTTP messages. The following example shows a bucket URL is sent in the `img` tag in an HTTP response. ```html ... @@ -87,15 +89,15 @@ For black-box testing, S3 URLs can be found in the HTTP messages. The following ... ``` -For gray-box testing, you can obtain bucket URLs from Amazon's web interface, documents, source code, or any other available sources. +For gray-box testing, you can obtain bucket URLs from Amazon's web interface, documents, source code, and any other available sources. #### Testing with AWS-CLI -In addition to testing with curl, you can also test with the AWS Command-line tool. In this case `s3://` protocol is used. +In addition to testing with curl, you can also test with the AWS command-line tool. In this case `s3://` URI scheme is used. ##### List -The following command lists all the objects of the bucket when it is configured public. +The following command lists all the objects of the bucket when it is configured public: ```bash aws s3 ls s3:// @@ -103,7 +105,7 @@ aws s3 ls s3:// ##### Upload -The following is the command to upload a file +The following is the command to upload a file: ```bash aws s3 cp arbitrary-file s3://bucket-name/path-to-save @@ -125,7 +127,7 @@ upload failed: ./test2.txt to s3://bucket-name/test2.txt An error occurred (Acce ##### Remove -The following is the command to remove an object +The following is the command to remove an object: ```bash aws s3 rm s3://bucket-name/object-to-remove @@ -138,4 +140,5 @@ aws s3 rm s3://bucket-name/object-to-remove ## References - [Working with Amazon S3 Buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html) -- [flAWS 2](http://flaws2.cloud) +- [flAWS 2 - Learn AWS Security](http://flaws2.cloud) +- [curl Tutorial](https://curl.se/docs/manual.html)