This Burp Suite extension can identify and test S3 buckets, Google Storage buckets and Azure Storage containers for common misconfiguration issues, using the boto/boto3 SDK libraries.
How to install
You can install this extension directly from the BApp Store or manually by cloning this repo and following these steps:
- Open the Burp Suite Extender tab.
- Open the "Options" subtab.
- Set the "Folder for loading modules" setting to the pathname of the "BappModules" folder.
- Open the "Extensions" subtab.
- Click "Add" and set "Extension type" to "Python".
- Set "Extension file (.py)" to the pathname of the "main.py" file and click Next.
The settings tab provides the following settings; below is a description of each:

| Setting | Description | Required |
|---|---|---|
| AWS Access Key | Your AWS account access key ID | True |
| AWS Secret Key | Your AWS account secret key | True |
| AWS Session Key | A temporary session token | False |
| GS Access Key | Your Google account access key ID | True |
| GS Secret Key | Your Google account secret key | True |
| Wordlist Filepath | A filepath for a wordlist of filenames | False |
| Passive Mode | Perform passive checks only | N/A |
| SSL Verification | Enable/disable SSL verification | N/A |
AWS keys can be obtained from your AWS Management Console. For Google Cloud, see the documentation. Note that AWS/GS keys are only required for authenticated tests; if no keys are provided, only unauthenticated tests will run.
When SSL verification is enabled, buckets with a dot in their name will not be thoroughly tested, because boto raises SSL verification errors for such names (see: /boto/boto/issues/2836). You can either disable SSL Verification to test these (not recommended) or use the command-line script to test such buckets (/VirtueSecurity/aws-extender-cli).
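As an added illustration (not code from the AWS Extender project), the snippet below shows how the settings above map onto a boto3 S3 client, how a bucket ACL as returned by `get_bucket_acl` is judged for the anonymous and any-authenticated-account grants a misconfiguration check reports, and which bucket names hit the SSL caveat. The settings dictionary keys, `SAMPLE_ACL` and the function names are assumptions for this example.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def client_kwargs_from_settings(settings):
    """Translate the settings-tab fields into boto3.client('s3', ...) kwargs.
    Without both keys no credentials are passed: unauthenticated checks only."""
    kwargs = {"verify": settings.get("SSL Verification", True)}
    if settings.get("AWS Access Key") and settings.get("AWS Secret Key"):
        kwargs["aws_access_key_id"] = settings["AWS Access Key"]
        kwargs["aws_secret_access_key"] = settings["AWS Secret Key"]
        if settings.get("AWS Session Key"):  # optional temporary token
            kwargs["aws_session_token"] = settings["AWS Session Key"]
    return kwargs

def make_s3_client(settings):
    import boto3  # imported lazily so the audit logic below runs without it
    return boto3.client("s3", **client_kwargs_from_settings(settings))

def risky_grants(acl):
    """Return (grantee, permission) for every grant to everyone (AllUsers) or
    to any AWS account holder (AuthenticatedUsers); owner grants are ignored."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            findings.append(("AllUsers", grant["Permission"]))
        elif uri == AUTH_USERS:
            findings.append(("AuthenticatedUsers", grant["Permission"]))
    return findings

def needs_path_style(bucket):
    """Virtual-hosted URLs put the bucket name in the hostname, so a dotted name
    does not match the *.s3.amazonaws.com wildcard certificate (the caveat above)."""
    return "." in bucket

# Constructed sample ACL in the shape boto3's get_bucket_acl returns (not real data).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}
```

Only `make_s3_client` needs boto3 installed; the ACL evaluation runs on any dictionary of that shape, so it can be unit-tested against recorded responses.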