Closed erev0s closed 2 years ago
Hi @erev0s
The bucket 84r4ppx76qhqj4bsgu8w is misconfigured and provides read access to all users. This is intentional.
The bucket 84r4ppx76qhqj4bsgu8w contains a file called Congratulations.txt. But you are right, the bucket looks empty now. Looks like the file got deleted.
I don't plan to provide write access to the bucket. Only read access should be there. I'll also review the bucket settings now. Thanks for bringing this up.
Hey @erev0s
I have re-uploaded the Congratulations.txt file. The bucket can only be used to list the objects and read files. You should not be able to write or delete data in the bucket.
@0xgaurang thanks for the fast reply. Indeed I can verify that the congratulations.txt is available now.
There are two buckets in total with these creds
➜ InsecureShop git:(main) ✗ aws s3 ls
2020-08-16 17:28:46 84r4ppx76qhqj4bsgu8w
2020-11-15 18:31:10 elasticbeanstalk-us-west-2-094222047775
and on the second one the permission is set to full control. I uploaded the APK of the app there as a PoC.
Congrats on the nice app you made. Keep going
Hi @erev0s
Thank you for pointing out that you were able to upload files to the elasticbeanstalk-us-west-2-094222047775 bucket. This is just a test bucket that I created for some research work. I have modified the permissions on this bucket and no one should be able to upload/delete files.
If Cognito Pool ID has list bucket permissions for unauthenticated entities, then you should be able to view the name of all the buckets owned by that organization. At this point, you need to identify which bucket has insecure permissions set.
Hope this resolves your query.
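The check described above (list the buckets the identity can see, then find the one whose ACL is open to everyone) as a small audit script. This is an added example, not InsecureShop's own code: it classifies GetBucketAcl-shaped documents, and the two sample ACLs are constructed (bucket names from this thread, the grants are assumed for illustration).

```python
"""Audit S3 bucket ACLs for grants to everyone (AllUsers / AuthenticatedUsers).
Added example for this thread, not InsecureShop's own code; the sample ACLs are
constructed (bucket names from the thread, grants assumed for illustration)."""
from typing import Dict, List

# Predefined S3 group URIs: any AWS account holder, or anyone at all.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
WRITE_LIKE = {"FULL_CONTROL", "WRITE", "WRITE_ACP"}  # a stranger can change the bucket
READ_LIKE = {"READ", "READ_ACP"}                     # a stranger can list/read it


def public_grants(acl: Dict) -> List[Dict]:
    """Grants in a GetBucketAcl-shaped document whose grantee is a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append({"group": PUBLIC_GROUPS[grantee["URI"]],
                          "permission": grant["Permission"]})
    return found


def classify(acl: Dict) -> str:
    """Exposure class: 'public-write' beats 'public-read' beats 'private'."""
    perms = {g["permission"] for g in public_grants(acl)}
    if perms & WRITE_LIKE:
        return "public-write"
    return "public-read" if perms & READ_LIKE else "private"


def audit(acls: Dict[str, Dict]) -> Dict[str, str]:
    """Map each bucket name to its exposure class; feed get_bucket_acl() output here."""
    return {name: classify(acl) for name, acl in acls.items()}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACLS = {  # constructed, shaped like boto3 get_bucket_acl() output
    "84r4ppx76qhqj4bsgu8w": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "elasticbeanstalk-us-west-2-094222047775": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for bucket, exposure in audit(SAMPLE_ACLS).items():
        print(f"{bucket}: {exposure}")
```

Against a live account, build the input dict from `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket returned by `list_buckets()`; a bucket policy can open a bucket just as well as an ACL, so this check covers only the ACL side.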
The given identity pool can access two buckets, one of which has full control granted to all users. Was that bucket supposed to contain something? Based on the description here https://docs.insecureshopapp.com/insecureshop-challenges/aws-cognito-misconfiguration I thought that you probably had something different in mind (like giving permission to write the ACL but not to read, so that the user should first add the read permission for all users before seeing the files). Is that the case?
(I also thought that someone before could have overwritten this, for example, and deleted any file you had there.) In any case I don't know if the bucket is intentionally empty or not, hence this issue.