Ecosyste.ms: Awesome

https://github.com/ex0dus-0x/slamdunk

# slamdunk

Cloud Storage Bucket Permissions Auditor

## Introduction

`slamdunk` helps web-application testers audit cloud storage bucket services (currently only AWS S3 is supported)
for potential vulnerabilities and data leaks that can then be reported to the owner.

## How does it work?

`slamdunk` consists of a _resolver_ and the main _auditor_:

* The __resolver__ consumes URL(s), for example hostnames produced by subdomain enumeration, and runs a set of heuristics
to work out the unique bucket name behind each one. This is useful for asset discovery
against a domain under test, and the resolved bucket names can then be fed to the auditor.

* The __auditor__ consumes bucket name(s) and an IAM profile, and runs a supported set of actions from a playbook
(see `playbook.go`) to identify which permissions that IAM principal actually holds on each bucket,
permissions which can potentially be misused for privilege escalation or information leaking.

## Usage

To install:

```
$ go get -u github.com/ex0dus-0x/slamdunk
```

On Go 1.17 and later, `go get` no longer installs binaries; the equivalent there is `go install github.com/ex0dus-0x/slamdunk@latest`.

You should also have the AWS CLI installed and configured, so that the credentials `slamdunk` uses are
present in `~/.aws/credentials`. Every audit action is executed as that principal, so make sure the profile
you select is one you are authorised to test with against the target buckets.

### Using the Resolver

You can pass one or more URLs to get started:

```
$ slamdunk resolve --url content.example.com --url images.example.com
+---------------------+-----------------+-----------------+------------------+
| URL                 | BUCKET NAME     | REGION          | BUCKET TAKEOVER? |
+---------------------+-----------------+-----------------+------------------+
| content.example.com | example-content | us-east-2       | false            |
+---------------------+-----------------+-----------------+------------------+
| images.example.com  | example-img-dev | No region found | true             |
+---------------------+-----------------+-----------------+------------------+
```

A `true` in the BUCKET TAKEOVER? column indicates that the hostname still points at an S3 endpoint but no bucket of that
name exists, so whoever creates the bucket would serve content under that hostname; confirm it by hand before reporting it.

It is more convenient to pass a file of URLs separated by newlines. This can be something you craft yourself with
specific targets, or something you populated with subdomains from e.g. [OWASP Amass](https://github.com/OWASP/Amass).

You should also specify an output path to store the resultant buckets found, which you can then use for auditing.

```
$ slamdunk resolve --file assets.txt -o buckets.txt
```
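The resolver heuristics described under "How does it work?" and the BUCKET TAKEOVER? column above, as an added Go example that is not slamdunk's own code. It follows a hostname's CNAME, recognises the virtual-hosted-style S3 endpoint forms AWS documents (including the `s3-website` endpoints and dotted bucket names), falls back to trying the hostname itself as the bucket name, and flags a takeover candidate when an unauthenticated request is answered with S3's `NoSuchBucket` error. The type and function names, the regular expression and the fallback rule are this example's own assumptions, not slamdunk's; the two hostnames in `main` are the README's sample targets.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Resolved is what the hostname heuristics recover for one URL.
type Resolved struct {
	Host    string
	Bucket  string
	Region  string // "" when the endpoint does not encode a region
	Website bool   // true for the static-website endpoint (s3-website-*)
	Source  string // "cname": read from DNS; "guess": hostname tried as bucket name
}

// s3HostRE matches the virtual-hosted-style S3 endpoints AWS documents:
//
//	bucket.s3.amazonaws.com
//	bucket.s3.<region>.amazonaws.com
//	bucket.s3-<region>.amazonaws.com            (legacy dash form)
//	bucket.s3-website.<region>.amazonaws.com
//	bucket.s3-website-<region>.amazonaws.com
//
// Bucket names may contain dots, so the bucket group is greedy and the
// ".amazonaws.com" suffix anchors the match.
var s3HostRE = regexp.MustCompile(
	`^([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(-website)?(?:[.-]([a-z]{2}(?:-gov)?-[a-z]+-\d))?\.amazonaws\.com$`)

// ParseS3Host extracts bucket, region and endpoint type from an S3 hostname
// (a trailing dot from DNS is tolerated).
func ParseS3Host(target string) (Resolved, bool) {
	target = strings.ToLower(strings.TrimSuffix(target, "."))
	m := s3HostRE.FindStringSubmatch(target)
	if m == nil {
		return Resolved{}, false
	}
	return Resolved{Bucket: m[1], Website: m[2] != "", Region: m[3]}, true
}

// Resolve follows the CNAME of host (lookup is net.LookupCNAME in practice;
// the test injects a fake) and applies two heuristics: an S3 endpoint in the
// CNAME target names the bucket directly; otherwise the hostname itself is
// tried, since buckets serving a hostname are conventionally named after it.
func Resolve(host string, lookup func(string) (string, error)) (Resolved, error) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	target, err := lookup(host)
	if err != nil {
		return Resolved{}, fmt.Errorf("lookup %s: %w", host, err)
	}
	if r, ok := ParseS3Host(target); ok {
		r.Host, r.Source = host, "cname"
		return r, nil
	}
	// Not an S3 endpoint (CloudFront, a load balancer, or no CNAME at all):
	// fall back to hostname-as-bucket, which the auditor can confirm or reject.
	return Resolved{Host: host, Bucket: host, Source: "guess"}, nil
}

// TakeoverCandidate inspects the unauthenticated HTTP response from the
// resolved endpoint. DNS still pointing at S3 while S3 answers NoSuchBucket is
// the precondition for bucket takeover: whoever creates a bucket with that
// name serves content under the victim hostname. Both the REST and the
// website endpoint put the NoSuchBucket code in their 404 body.
func TakeoverCandidate(status int, body []byte) bool {
	return status == 404 && bytes.Contains(body, []byte("NoSuchBucket"))
}

func main() {
	for _, h := range []string{"content.example.com", "images.example.com"} {
		r, err := Resolve(h, net.LookupCNAME)
		if err != nil {
			fmt.Println(h, "error:", err)
			continue
		}
		fmt.Printf("%-22s bucket=%-22s region=%q website=%v via %s\n",
			r.Host, r.Bucket, r.Region, r.Website, r.Source)
	}
}
```

Passing the lookup function in keeps the DNS heuristic testable without network access; an HTTP `GET` against the resolved endpoint, fed to `TakeoverCandidate`, is what turns a "guess" into a confirmed asset or a takeover lead.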

### Using the Auditor

You can pass in one or more bucket names to get started:

```
$ slamdunk audit --name example-content --name example-img-dev
```

Or re-use the `buckets.txt` file generated by the resolver:

```
$ slamdunk audit --file buckets.txt
```

Or, for a given IAM profile configured under `~/.aws/credentials`, audit every bucket that profile is able to list:

```
# will run against default profile
$ slamdunk audit --list

# will run against the `test` profile included
$ slamdunk audit --profile test --list
```

At the moment, all actions supported by the playbook are executed against the bucket(s) by default. Specific actions can also be enabled explicitly with `--enable`; be deliberate with write actions such as `PutObject` and `PutBucketAcl`, since they modify the target bucket rather than just reading its configuration:

```
$ slamdunk audit --file buckets.txt --enable PutObject --enable PutBucketAcl
```
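The auditor loop and the `--enable` gate, as an added Go example that is not slamdunk's own code. Instead of a signed IAM profile it audits the anonymous principal: every read-only playbook action is an unsigned `GET` on the S3 REST sub-resource the equivalent `aws s3api` command calls, and the verdict comes from S3's XML error code rather than the HTTP status alone, because a 404 with `NoSuchBucketPolicy` proves the permission was granted while a 404 with `NoSuchBucket` says the bucket does not exist. The `Outcome`/`Action` types, `Playbook`, `Select` and `Probe` are this example's names, and the bucket in `main` is the README's sample target; write actions are deliberately never issued here.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"slices"
	"time"
)

type Outcome string // verdict for one (bucket, action) pair

const (
	Allowed  Outcome = "allowed"   // request succeeded: the principal holds the permission
	Denied   Outcome = "denied"    // AccessDenied or AllAccessDisabled
	NotFound Outcome = "no-bucket" // NoSuchBucket: nothing to audit, but a takeover lead
	Missing  Outcome = "unset"     // permission granted, sub-resource simply not configured
	Unknown  Outcome = "unknown"
)

// Classify keys on S3's XML error code, not the status alone: a 404 is either
// "no such bucket" or "exists, but no policy/CORS/website/encryption is set",
// and the latter still proves the Get* permission was granted.
func Classify(status int, body []byte) Outcome {
	if status >= 200 && status < 300 {
		return Allowed
	}
	var e struct{ Code string `xml:"Code"` } // S3's <Error><Code>…</Code></Error> document
	if err := xml.Unmarshal(body, &e); err != nil {
		return Unknown
	}
	switch e.Code {
	case "AccessDenied", "AllAccessDisabled":
		return Denied
	case "NoSuchBucket":
		return NotFound
	case "NoSuchBucketPolicy", "NoSuchCORSConfiguration", "NoSuchWebsiteConfiguration", "ServerSideEncryptionConfigurationNotFoundError":
		return Missing
	}
	return Unknown
}

// Action is one playbook entry; Query is the REST sub-resource the action reads
// (what the equivalent `aws s3api` command calls). Writes carry no query here.
type Action struct {
	Name     string
	Query    string
	Mutating bool
}

var Playbook = []Action{
	{"GetBucketAcl", "acl", false},
	{"GetBucketPolicy", "policy", false},
	{"GetBucketCors", "cors", false},
	{"GetBucketLogging", "logging", false},
	{"GetBucketWebsite", "website", false},
	{"GetBucketEncryption", "encryption", false},
	{"GetBucketVersioning", "versioning", false},
	{"ListObjects", "list-type=2&max-keys=1", false},
	{"PutObject", "", true},
}

// Select mirrors `--enable`: reads always run, writes only when named explicitly.
func Select(enabled ...string) []Action {
	var out []Action
	for _, a := range Playbook {
		if !a.Mutating || slices.Contains(enabled, a.Name) {
			out = append(out, a)
		}
	}
	return out
}

// Probe audits the anonymous principal (S3's AllUsers grantee) with an unsigned
// GET; base is the bucket endpoint, e.g. https://example-content.s3.amazonaws.com.
func Probe(client *http.Client, base string, a Action) (Outcome, error) {
	if a.Mutating {
		return Unknown, fmt.Errorf("%s: write actions need signed requests", a.Name)
	}
	resp, err := client.Get(base + "/?" + a.Query)
	if err != nil {
		return Unknown, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return Unknown, err
	}
	return Classify(resp.StatusCode, body), nil
}

func main() {
	client := &http.Client{Timeout: 10 * time.Second}
	for _, a := range Select() {
		o, err := Probe(client, "https://example-content.s3.amazonaws.com", a)
		fmt.Println(a.Name, o, err)
	}
}
```

An `allowed` on `ListObjects` or `GetBucketAcl` for the anonymous principal is a public-bucket finding in its own right; the same `Classify` mapping applies to the error codes the AWS SDK returns when the probes are repeated as signed requests under a named profile, which is the case slamdunk's auditor covers.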

## Playbook

`slamdunk`'s playbook can be retrieved with `slamdunk playbook`. It lists every action the auditor can run against the targets you
provide, together with the equivalent AWS CLI command you can use to test or configure each one individually.

```
$ slamdunk playbook
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| ACTION              | DESCRIPTION                                                    | EQUIVALENT COMMAND                                                   |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketPolicy     | Read a bucket's policy.                                        | aws s3api get-bucket-policy --bucket                                 |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| PutBucketCors       | Write a bucket's cross-origin resource sharing configuration.  | aws s3api put-bucket-cors --bucket --cors-configuration              |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketLogging    | Gets logging status of bucket and relevant permissions.        | aws s3api get-bucket-logging --bucket                                |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketWebsite    | Gets configuration if S3 bucket is configured to serve a site. | aws s3api get-bucket-website --bucket                                |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketEncryption | Get encryption configuration of bucket, if any.                | aws s3api get-bucket-encryption --bucket                             |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketVersioning | Get versioning status of the bucket.                           | aws s3api get-bucket-versioning --bucket                             |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| ListObjects         | Read and enumerate over objects in bucket.                     | aws s3api list-objects --bucket                                      |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| PutObject           | Write object to bucket with key.                               | aws s3api put-object --bucket --key --body                           |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketAcl        | Read bucket's access control list.                             | aws s3api get-bucket-acl --bucket                                    |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| PutBucketAcl        | Write a new access control list for a bucket.                  | aws s3api put-bucket-acl --bucket --grant-full-control emailaddress= |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| PutBucketPolicy     | Write a new policy for the bucket.                             | aws s3api put-bucket-policy --bucket --policy                        |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
| GetBucketCors       | Read a bucket's cross-origin resource sharing configuration.   | aws s3api get-bucket-cors --bucket                                   |
+---------------------+----------------------------------------------------------------+----------------------------------------------------------------------+
```

Note that the `Put*` rows change the target bucket: `PutBucketAcl` with `--grant-full-control` hands full control of the bucket to the given grantee, and `PutBucketPolicy` replaces the existing policy, so only run them where you are authorised to modify the bucket.

## License

[MIT](https://codemuch.tech/license.txt)