How I was able to take over an S3 bucket of a trading site
Assalamualaikum to all. My name is Imran Huda. I'm from Bangladesh. I'm a student and I have been doing bug bounty for almost two years. I just crossed 20 in September. A little introduction was needed as it's my first writeup.
Today I will share a story of how I was able to find an S3 bucket takeover on a trading and investment site. This is not a new or an interesting one, but I thought to share it with the community. The site is private on HackerOne, so I will call it https://private.com. The site only had the main domain in scope, and lots of hackers were on the thanks page. Because of that I was not expecting to find anything easily.
(To all of my Muslim friends: Boycott French Products)
The unclaimed bucket:
To find S3 buckets on webpages I have been using a Firefox add-on called "S3 Bucket List by Alec Blance"; you can find it here. I was surfing https://private.com and saw that my add-on had captured some S3 buckets. One of the buckets caught my attention, as I was seeing "NoSuchBucket".
The bucket may have been accidentally deleted, or they may have forgotten to remove it from the site. The bucket had an image file "blahblah.png", and its URL was "https://theoneiwaslookingfor.s3.amazonaws.com/blahblah.png".
I created the bucket and uploaded a PNG file with the same name, "blahblah.png". After that, when anyone visits the page they will see my uploaded content on the page.
Then I wrote a sweet little report. It was triaged and rewarded within a day.
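As an added example that is not part of the original writeup, here is a small Python audit script that applies the same check from the defender's side: it pulls S3 bucket references out of a page's HTML and labels a bucket as dangling only when S3 answers NoSuchBucket, since a NoSuchKey 404 or a 403 means the bucket still has an owner. The sample HTML, the second bucket name and the fetch responses are constructed; only theoneiwaslookingfor and blahblah.png come from the post.

```python
import re
import xml.etree.ElementTree as ET

# Virtual-hosted style (bucket.s3[.region].amazonaws.com/...) and
# path style (s3[.region].amazonaws.com/bucket/...) references.
VHOST_RE = re.compile(
    r"https?://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?"
    r"\.amazonaws\.com(?![a-z0-9.-])", re.I)
PATH_RE = re.compile(
    r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/"
    r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?![a-z0-9.-])", re.I)

def extract_buckets(html):
    """Every bucket name referenced by an S3 URL in the page."""
    found = {m.group(1).lower() for m in VHOST_RE.finditer(html)}
    found |= {m.group(1).lower() for m in PATH_RE.finditer(html)}
    return found

def classify(status, body):
    """Map an S3 response to a risk label. Only NoSuchBucket means the name
    is unregistered; NoSuchKey or AccessDenied means it still has an owner."""
    if status == 404:
        try:
            code = ET.fromstring(body).findtext("Code")
        except ET.ParseError:
            code = None
        return "dangling" if code == "NoSuchBucket" else "missing-object"
    if status == 403:
        return "owned"
    return "ok" if status == 200 else "unknown"

def audit(html, fetch):
    """fetch(bucket) -> (status, body) for the bucket's root URL. A 'dangling'
    result is fixed by dropping the reference or re-creating the bucket."""
    return {b: classify(*fetch(b)) for b in sorted(extract_buckets(html))}

# Constructed page: the reference from the writeup plus a made-up path-style one.
SAMPLE_HTML = """<img src="https://theoneiwaslookingfor.s3.amazonaws.com/blahblah.png">
<script src="https://s3.amazonaws.com/assets-bucket-example/app.js"></script>
<a href="https://cdn.example.com/x.png">not S3</a>"""

# Constructed S3 error body for an object in a bucket that no longer exists.
NO_SUCH_BUCKET = ("<Error><Code>NoSuchBucket</Code><Message>The specified "
                  "bucket does not exist</Message></Error>")

def fake_fetch(bucket):
    """Stand-in for the network call so the audit runs offline."""
    if bucket == "theoneiwaslookingfor":
        return 404, NO_SUCH_BUCKET
    return 403, "<Error><Code>AccessDenied</Code></Error>"
```

Running `audit(SAMPLE_HTML, fake_fetch)` flags only theoneiwaslookingfor as dangling; in real use, replace fake_fetch with an HTTP request to `https://<bucket>.s3.amazonaws.com/`.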
Check my HackerOne and Bugcrowd profiles.
You can contact me on Twitter.
That's all. Thanks for reading and be safe.