Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nikhil1232/Bucket-Flaws

Bucket Flaws ( S3 Bucket Mass Scanner ): A Simple Lightweight Script to Check for Common S3 Bucket Misconfigurations
https://github.com/nikhil1232/Bucket-Flaws

application-security aws-s3 bucket bug-bounty bugbounty s3 s3-bucket s3-buckets security-misconfiguration wapt

Last synced: 22 days ago
JSON representation

Bucket Flaws ( S3 Bucket Mass Scanner ): A Simple Lightweight Script to Check for Common S3 Bucket Misconfigurations

Host: GitHub
URL: https://github.com/nikhil1232/Bucket-Flaws
Owner: nikhil1232
Created: 2020-01-06T15:28:56.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2020-07-26T03:21:41.000Z (over 4 years ago)
Last Synced: 2024-08-05T17:45:39.050Z (4 months ago)
Topics: application-security, aws-s3, bucket, bug-bounty, bugbounty, s3, s3-bucket, s3-buckets, security-misconfiguration, wapt
Language: Shell
Homepage:
Size: 279 KB
Stars: 56
Watchers: 3
Forks: 19
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - nikhil1232/Bucket-Flaws - Bucket Flaws ( S3 Bucket Mass Scanner ): A Simple Lightweight Script to Check for Common S3 Bucket Misconfigurations (Shell)

README

# Bucket Flaws (S3 Bucket Mass Scanner)
## Bucket Flaws: A Simple Lightweight Script that can take a list of bucket names and check for Common S3 Bucket Misconfigurations

![Image of BucketFlaws](https://github.com/nikhil1232/Bucket-Flaws/blob/master/images/upload.png)

This is a very small and light bash script that can take both a list of buckets as well a single bucket and perform some basic security checks.

## Misconfigurations

### 1) Unauthenticated Bucket Access

- Checks for Directory Listing
- Tries to upload a file (upload.png)

### 2) Authenticated Bucket Access (This means being authenticated to any aws account)

#### Bucket Level Checks

- Checks for Directory Listing
- Checks for some interesting files/folders based on the keywords provided in the sensitive.txt
- Tries to fetch the Bucket ACL
- Tries to upload a file (bucket.png)
- Tries to dump the whole bucket (optional -d flag)
- Tries to modify the Bucket ACL (optional -p flag)

#### Object Level Checks

- Tries to fetch object ACL
- Tries to fetch object metadata
- Tries to dump the object (optional)
- Tries to modify the object ACL

## Usage

### Install Reqirements:
**pip install -r requirements.txt**

Usage:
-u for single bucket
-f for file containing the list of all the buckets
-o for performing object level analysis
-p for changing the bucket ACL if allowed
-d for dumping the whole bucket if allowed
-h for help

Eg: **./bucketflaws.sh -u bucketname**
**./bucketflaws.sh -f filepath**

For performing object level checks as well:

**./bucketflaws.sh -u bucketname -o**

For modifying Bucket ACL if possible:

**./bucketflaws.sh -u bucketname -o -p**

Performs all the checks as well as tries to dump the whole bucket(Recommended way):

**./bucketflaws.sh -u bucketname -o -p -d**

Same as above but for a list of buckets:

**./bucketflaws.sh -f filepath -o -p -d**

For storing the output to a txt file:

**./bucketflaws.sh -f filepath -o -p -d | tee output.txt && sed -i 's/\x1B\[[0-9;]\+[A-Za-z]//g' output.txt**

![Image of BucketFlaws -u](https://raw.githubusercontent.com/nikhil1232/Bucket-Flaws/master/images/bucket.png)

![Image of BucketFlaws -f](https://raw.githubusercontent.com/nikhil1232/Bucket-Flaws/master/images/bucket-list.png)

## Walkthrough

[![Bucket-Flaws](https://i.ibb.co/ZS8YtG8/https-drive-google.jpg)](https://drive.google.com/file/d/1C56TP4ZB99b6vMcEI8vLxyfCHE-kCUgR/preview "Bucket-Flaws")

**NOTE: For Authenticated Check you need to make sure you have configured your aws cli.**

Refer this link for configuring AWS CLI:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html