Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

AWS Extender

This Burp Suite extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.

How to install

You can install this extension directly from the BApp Store or manually by cloning this repo and following these steps:

  1. Open the Burp Suite Extender tab.
  2. Open the "Options" subtab.
  3. Set the "Folder for loading modules" setting to the pathname of the "BappModules" folder.
  4. Open the "Extensions" subtab.
  5. Click "Add" and set "Extension type" to "Python".
  6. Set "Extension file (.py)" to the pathname of the "main.py" file and click Next.

Extension Settings

The settings tab provides the following settings:

Settings Tab

Below is a description of each:

Setting Description Required
AWS Access Key Your AWS account access key ID True
AWS Secret Key Your AWS account secret key True
AWS Session Key A temporary session token False
GS Access Key Your Google account access key ID True
GS Secret Key Your Google account secret key True
Wordlist Filepath A filepath for a wordlist of filenames False
Passive Mode Perform passive checks only N/A
SSL Verification Enable/disable SSL verification N/A

Notes:

  • AWS keys can be obtained from your AWS Management Console. For Google Cloud, see the documentation. Note that AWS/GS keys are only required for authenticated tests; if no keys are provided, only unauthenticated tests will run.

  • When SSL verification is enabled, buckets with a dot in their name will not be thoroughly tested due to SSL verification errors in boto (see: /boto/boto/issues/2836). You can either disable SSL Verification to test these (not recommended) or use this command-line script to test such buckets (/VirtueSecurity/aws-extender-cli).

Screenshots

S3 Bucket Misconfiguration

S3 Signed URL Excessive Expiration Time

GS Bucket Misconfiguration

About

AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.

Resources

License

Packages

No packages published

Languages