EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

Interesting Find #86

Open sumgr0 opened 5 years ago

sumgr0 commented 5 years ago

Service name

AWS S3 && Fastly

I've come across a sub-domain with a CNAME pointing to a Fastly.net service, while the actual HTTP fingerprint confirms the S3 bucket is not in use.

Is there a possibility of takeover through the S3 bucket (which is not known) while the CNAME points to i2.shared.us-eu.fastly.net?

hakluke commented 5 years ago

@sumgr0 usually if it is an S3 bucket, the bucket name would be in the HTTP response, in which case you could take over the domain by simply registering that bucket name.

I'm not sure if this is always the case though!

sumgr0 commented 5 years ago

@hakluke thanks for the suggestion. I was able to discover the bucket name from the HTTP response.

Now I understand that the S3 bucket is pointed at via the Fastly service.

One more question: what is the best way to confirm that the endpoint given by AWS is an exact match with the one pointed to by the Fastly service?

hakluke commented 5 years ago

@sumgr0 You can derive the bucket endpoint from the bucket name using the schema outlined in this doc: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html

http://bucket.s3.aws-region.amazonaws.com
http://bucket.s3.amazonaws.com
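The workflow the thread describes (read the bucket name out of the S3 error body served through the Fastly CNAME, derive the S3 endpoints that bucket name maps to, then fetch the derived endpoint directly and confirm both responses name the same bucket) as an added example. This is not code from the can-i-take-over-xyz project or from either commenter; the response bodies are constructed samples and the bucket name `assets.example.com` is hypothetical. It uses only the Python standard library, so it runs offline; to use it against a live host, feed `parse_s3_response` the body and headers from `urllib.request` or `requests` instead of the samples.

```python
"""Fingerprint an S3 error response behind a CDN, derive candidate bucket
endpoints, and confirm the CDN-fronted host and the direct S3 endpoint
point at the same bucket.

Added example; not code from the can-i-take-over-xyz project. Sample
responses and names below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what an S3 origin returns (via Fastly or directly)
# when the origin hostname resolves but the bucket it names does not
# exist. This is the "not in use" fingerprint; note it leaks the name.
SAMPLE_NOSUCHBUCKET = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>
<BucketName>assets.example.com</BucketName><RequestId>0123456789ABCDEF</RequestId>
<HostId>Y29uc3RydWN0ZWQgc2FtcGxl</HostId></Error>"""

# Constructed sample: the same origin once somebody owns the bucket.
# No bucket name is returned, so there is nothing to register.
SAMPLE_ACCESSDENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>FEDCBA9876543210</RequestId><HostId>Y29uc3RydWN0ZWQ=</HostId></Error>"""

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and
# hyphens, must start and end with a letter or digit, no "..", and not
# formatted like an IPv4 address. A leaked name that breaks these rules
# cannot be registered, so the takeover is not possible.
_BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


@dataclass
class S3Fingerprint:
    code: str               # S3 error code, e.g. "NoSuchBucket"
    bucket: Optional[str]   # bucket name if the response leaks it
    server: Optional[str]   # Server header; "AmazonS3" when S3 answered


def parse_s3_response(body: str, headers: dict) -> Optional[S3Fingerprint]:
    """Parse an S3 <Error> document. Returns None if the body is not one."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    if root.tag != "Error":
        return None
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return S3Fingerprint(
        code=root.findtext("Code") or "",
        bucket=root.findtext("BucketName"),
        server=lowered.get("server"),
    )


def valid_bucket_name(name: str) -> bool:
    """True if the name is one S3 would let you create."""
    return bool(_BUCKET_RE.match(name)) and ".." not in name


def is_claimable(fp: Optional[S3Fingerprint]) -> bool:
    """NoSuchBucket with a registrable name means the CNAME is dangling."""
    return (fp is not None and fp.code == "NoSuchBucket"
            and fp.bucket is not None and valid_bucket_name(fp.bucket))


def candidate_endpoints(bucket: str, region: Optional[str] = None) -> list:
    """Derive the S3 URLs a bucket name maps to: the two virtual-hosted
    forms quoted in the thread plus the path-style form. Path-style is
    the one to use over HTTPS when the name contains dots, since the
    wildcard certificate only covers one label."""
    urls = [f"http://{bucket}.s3.amazonaws.com/"]
    if region:
        urls.append(f"http://{bucket}.s3.{region}.amazonaws.com/")
    urls.append(f"https://s3.amazonaws.com/{bucket}/")
    return urls


def same_bucket(via_cdn: Optional[S3Fingerprint],
                direct: Optional[S3Fingerprint]) -> bool:
    """Answer the thread's last question: the derived endpoint matches the
    one behind Fastly when both responses are S3 errors that name the
    same bucket."""
    return (via_cdn is not None and direct is not None
            and via_cdn.bucket is not None
            and via_cdn.bucket == direct.bucket)


if __name__ == "__main__":
    fp = parse_s3_response(SAMPLE_NOSUCHBUCKET, {"Server": "AmazonS3"})
    print("claimable:", is_claimable(fp), "bucket:", fp.bucket)
    for url in candidate_endpoints(fp.bucket, "us-east-1"):
        print("check directly:", url)
```

In practice the direct fetch of each candidate endpoint returns a second `<Error>` body; passing the two parsed fingerprints to `same_bucket` confirms the Fastly origin and the AWS endpoint name the same bucket before you register it. An `AccessDenied` or `200` from the direct endpoint while the CDN still reports `NoSuchBucket` means the names differ, or the bucket exists in another region, and is not a takeover.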