Cloud Storage Bucket Permissions Auditor
slamdunk aids webapp hackers in auditing cloud storage bucket solutions (currently only AWS S3 is supported) to find potential vulnerabilities and leaks that can be disclosed.
slamdunk consists of a resolver and the main auditor. They work as follows:
- The resolver consumes URL(s), say generated by subdomain enumeration, and runs a set of heuristics to try to figure out the unique bucket name identifier for each. This is useful for asset discovery for a domain under test, and the results can then be used for further auditing.
- The auditor consumes bucket name(s) and an IAM profile, and runs a supported set of actions from a playbook (see playbook.go) to identify what permissions are possible in the given scope of the IAM principal, which could potentially be misused for privilege escalation or information leaking.
To install:
$ go get -u github.com/ex0dus-0x/slamdunk
You should also have the AWS CLI installed and configured, so that credentials are present in the ~/.aws/credentials path for slamdunk to use.
You can pass one or more URLs to get started:
$ slamdunk resolve --url content.example.com --url images.example.com
+------------------------+--------------------+-----------------+------------------+
| URL                    | BUCKET NAME        | REGION          | BUCKET TAKEOVER? |
+------------------------+--------------------+-----------------+------------------+
| content.example.com    | example-content    | us-east-2       | false            |
+------------------------+--------------------+-----------------+------------------+
| images.example.com     | example-img-dev    | No region found | true             |
+------------------------+--------------------+-----------------+------------------+
It is preferable to supply a file of URLs separated by newlines. This can be a list you craft yourself with specific targets, or one you populated with subdomains from, e.g., OWASP Amass.
You should also specify an output path to store the resultant buckets found, which you can then use for auditing.
$ slamdunk resolve --file assets.txt -o buckets.txt
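The two things the resolver reports above, the bucket name and region it derives from a hostname and the takeover flag, can be sketched with the standard library alone. This is an added example, not slamdunk's own code: ResolveBucket, regionOf and TakeoverCandidate are assumed names, the hostnames and the error document are constructed, and the takeover check only classifies an S3 error body that a defender has already fetched (a dangling DNS record to an unclaimed bucket name is what to clean up).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// regionOf pulls the region from an S3 endpoint label ("s3.us-east-2", legacy "s3-us-west-1", "s3-website-us-east-1"); "" for the global "s3".
func regionOf(endpoint string) string {
	for _, p := range []string{"s3-website-", "s3-website.", "s3.dualstack.", "s3.", "s3-"} {
		if strings.HasPrefix(endpoint, p) {
			return strings.TrimPrefix(endpoint, p)
		}
	}
	return ""
}

// ResolveBucket (assumed name, stands in for the resolver's hostname heuristics) returns bucket and region for
// virtual-hosted (<bucket>.s3.<region>.amazonaws.com) and path-style (s3.<region>.amazonaws.com/<bucket>) URLs or CNAME targets.
func ResolveBucket(raw string) (bucket, region string, ok bool) {
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil || !strings.HasSuffix(u.Hostname(), ".amazonaws.com") {
		return "", "", false
	}
	host := strings.TrimSuffix(u.Hostname(), ".amazonaws.com")
	if host == "s3" || strings.HasPrefix(host, "s3.") || strings.HasPrefix(host, "s3-") {
		bucket = strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 2)[0] // path-style: first path segment
		return bucket, regionOf(host), bucket != ""
	}
	if i := strings.LastIndex(host, ".s3"); i > 0 { // LastIndex: bucket names may themselves contain dots
		return host[:i], regionOf(host[i+1:]), true
	}
	return "", "", false
}

// TakeoverCandidate reports whether an S3 error body says the bucket a hostname still points at no longer exists (NoSuchBucket).
func TakeoverCandidate(body []byte) bool {
	var e struct{ Code string `xml:"Code"` }
	return xml.Unmarshal(body, &e) == nil && e.Code == "NoSuchBucket"
}

func main() { // constructed inputs mirroring the README's sample assets, not real DNS data
	fmt.Println(ResolveBucket("example-content.s3.us-east-2.amazonaws.com")) // example-content us-east-2 true
	fmt.Println(TakeoverCandidate([]byte("<Error><Code>NoSuchBucket</Code><BucketName>example-img-dev</BucketName></Error>"))) // true
}
```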
You can pass in one or more bucket names to get started:
$ slamdunk audit --name example-content --name example-img-dev
Or re-use the buckets.txt file generated by the resolver:
$ slamdunk audit --file buckets.txt
Or, for a given IAM profile configured under ~/.aws/credentials, test the buckets that it can list:
# will run against default profile
$ slamdunk audit --list
# will run against the `test` profile included
$ slamdunk audit --profile test --list
At the moment, all actions supported by the playbook are executed against the bucket(s). You can also enable specific actions to run:
$ slamdunk audit --file buckets.txt --enable PutObject --enable PutBucketAcl
slamdunk's playbook can be retrieved with slamdunk playbook, and comprises all the permissions that the auditor can run against the targets you provide, as well as their corresponding AWS CLI equivalents, which you can use to test and configure each one individually.
$ slamdunk playbook
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| ACTION              | DESCRIPTION                                                    | EQUIVALENT COMMAND                                                                 |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketPolicy     | Read a bucket's policy.                                        | aws s3api get-bucket-policy --bucket <NAME>                                        |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| PutBucketCors       | Write a bucket's cross-origin resource sharing configuration.  | aws s3api put-bucket-cors --bucket <NAME> --cors-configuration <FILE>              |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketLogging    | Gets logging status of bucket and relevant permissions.        | aws s3api get-bucket-logging --bucket <NAME>                                       |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketWebsite    | Gets configuration if S3 bucket is configured to serve a site. | aws s3api get-bucket-website --bucket <NAME>                                       |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketEncryption | Get encryption configuration of bucket, if any.                | aws s3api get-bucket-encryption --bucket <NAME>                                    |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketVersioning | Get versioning status of the bucket.                           | aws s3api get-bucket-versioning --bucket <NAME>                                    |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| ListObjects         | Read and enumerate over objects in bucket.                     | aws s3api list-objects --bucket <NAME>                                             |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| PutObject           | Write object to bucket with key.                               | aws s3api put-object --bucket <NAME> --key <KEY> --body <FILE>                     |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketAcl        | Read bucket's access control list.                             | aws s3api get-bucket-acl --bucket <NAME>                                           |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| PutBucketAcl        | Write a new access control list for a bucket.                  | aws s3api put-bucket-acl --bucket <NAME> --grant-full-control emailaddress=<EMAIL> |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| PutBucketPolicy     | Write a new policy for the bucket.                             | aws s3api put-bucket-policy --bucket <NAME> --policy <FILE>                        |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+
| GetBucketCors       | Read a bucket's cross-origin resource sharing configuration.   | aws s3api get-bucket-cors --bucket <NAME>                                          |
+---------------------+----------------------------------------------------------------+------------------------------------------------------------------------------------+