Subdomain takeover via AWS s3 bucket
Hello guys,
Today we are going to talk about the Subdomain takeover vulnerability which can be easily identified and exploited by attackers causing maximum impact to the organization.
Subdomain takeover is a common vulnerability that allows an attacker to gain control over a subdomain of a target domain and redirect users intended for an organization’s domain to a website that performs malicious activities, such as phishing campaigns, stealing user cookies, etc.
First, enumerate all the subdomains using subfinder and pipe the results to httpx.
subfinder -dL domain.txt -all | httpx | tee livedomains.txt
Next we use a tool called Subzy. It works by matching response fingerprints from can-i-take-over-xyz.
subzy run --targets livedomains.txt
If a domain is vulnerable to AWS S3 bucket takeover, visiting it returns a response like NoSuchBucket.
I found that many people are unable to take over the subdomain even though it shows NoSuchBucket, because they don't know the region of the AWS S3 bucket.
To find an AWS S3 bucket region, we can simply run a dig command on our machine.
After running the dig command, we can see a few IPs in the ANSWER SECTION.
Now we need to send a curl request to ipinfo.io for one of those IPs to learn the AWS S3 bucket region.
Here we learn that the AWS region is eu-west-1. Hence we can create the above bucket in the eu-west-1 region, and the bucket will be created successfully.
Note: During my research I found that if there is a CloudFront IP, we can't determine the AWS S3 region, as the IP belongs to CloudFront.
To create an AWS bucket, follow the steps below:
- Go to the S3 section on AWS and change the region to the one where you want to create the bucket.
- Now click on the Create Bucket button on the right side.
- Add the bucket name and turn on public access.
- Clicking Create Bucket will now succeed, and the website will start showing the below response/error.
- To host our own content or make a redirection, we need to go to the Properties of the bucket and enable Static Web Hosting.
We have successfully taken over the AWS S3 bucket.
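For the owner of the domain, the condition described above (a subdomain that still points at S3 after its bucket is gone) can be caught by comparing a DNS zone export against the account's bucket list. The Python below is an added example, not part of the original post; the zone records, bucket inventory and function names are constructed for illustration, and it assumes the bucket serving a custom domain is named exactly like the DNS record, which is how S3 selects a bucket from the Host header.

```python
import re

# Matches S3 REST and static-website endpoint hostnames, e.g.
#   s3.amazonaws.com, s3.eu-west-1.amazonaws.com,
#   s3-website-eu-west-1.amazonaws.com, s3-website.eu-central-1.amazonaws.com
S3_ENDPOINT = re.compile(
    r"(?:^|\.)s3(?:-website)?(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$"
)


def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def find_dangling_s3_records(zone_records, owned_buckets):
    """Return (name, target) for CNAMEs that point at S3 without an owned bucket.

    Assumption: the bucket must carry the same name as the record, so a
    record is dangling when no bucket of that name is in our inventory.
    Records fronted by CloudFront are not covered by this check.
    """
    owned = {normalize(b) for b in owned_buckets}
    findings = []
    for name, rtype, target in zone_records:
        if rtype.upper() != "CNAME":
            continue
        if not S3_ENDPOINT.search(normalize(target)):
            continue
        if normalize(name) not in owned:
            findings.append((normalize(name), normalize(target)))
    return findings


# Constructed sample data: a zone export and the bucket names in our account.
ZONE = [
    ("www.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("assets.example.com.", "CNAME",
     "assets.example.com.s3-website-eu-west-1.amazonaws.com."),
    ("media.example.com.", "CNAME", "media.example.com.s3.amazonaws.com."),
    ("mail.example.com.", "A", "192.0.2.10"),
]
OWNED = ["media.example.com"]

if __name__ == "__main__":
    for name, target in find_dangling_s3_records(ZONE, OWNED):
        print(f"DANGLING: {name} -> {target} (remove the record or restore the bucket)")
```

Each finding should be resolved by deleting the DNS record or re-creating the bucket in the owning account before the record is left pointing at an unclaimed name.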
Thank you all for reading.