I discovered that the AWS S3 website endpoint incorrectly interprets a trailing dot (which is actually an essential part of an FQDN according to RFC 1034) in the website FQDN.
Instead of referring to the correct bucket, the endpoint returns a "No such bucket" error, revealing information about the web site back-end.
I had not initially considered this a security issue, more a misconfiguration or even expected undocumented behaviour, but I found one case that could lead to others:
If a web site uses a 3rd-party DDoS and WAF protection service like CloudFlare, this technique (adding a trailing dot) could reveal and expose the web-site origin.
Example of the possible information disclosure below:
Trailing-dot error pointing to the S3 bucket back-end, with the rest of the information pointing to CloudFlare:
PS. One possible use of the S3 back-end information leak is S3 bucket name squatting to block possible sub-domain usage, due to the uniqueness of S3 bucket names.
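The root cause described above is a virtual-host router that treats "www.example.com." and "www.example.com" as different names. The following is an added example (not code from the original post or from AWS) of the canonicalization step a front end should apply to the Host header before looking up a back-end, plus a lookup that answers a miss with a generic error rather than naming the storage back-end. The hostnames, bucket names and routing table are constructed sample values.

```python
"""Canonicalize the HTTP Host header before using it to pick a back-end.

Added example; not the S3 website endpoint's own code. SAMPLE_ROUTES,
the hostnames and the bucket names are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Constructed sample routing table: canonical virtual-host name -> back-end bucket.
SAMPLE_ROUTES: Dict[str, str] = {
    "www.example.com": "www.example.com",     # bucket named after the site
    "assets.example.com": "example-assets",   # bucket with an unrelated name
}


def canonical_host(host_header: str) -> str:
    """Return the routing key for a Host header value.

    - drops a port suffix such as ":443"
    - lowercases the name (DNS names are case-insensitive)
    - strips one trailing dot, the absolute-FQDN form from RFC 1034,
      so "www.example.com." routes exactly like "www.example.com"
    """
    host = host_header.strip()
    if host.startswith("["):
        # IPv6 literal such as "[::1]:8080": keep the bracketed address only.
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    host = host.lower()
    if host.endswith(".") and len(host) > 1:
        host = host[:-1]
    return host


def resolve_bucket(host_header: str,
                   routes: Dict[str, str] = SAMPLE_ROUTES) -> Optional[str]:
    """Map a Host header to a back-end bucket, or None when nothing matches."""
    return routes.get(canonical_host(host_header))


def handle_request(host_header: str,
                   routes: Dict[str, str] = SAMPLE_ROUTES) -> Tuple[int, str]:
    """Return (status, body) for a request, as a front end should.

    A miss is answered with a generic 404 that does not name the missing
    bucket or the storage service, so a probe with an odd Host value learns
    nothing about what sits behind the CDN or WAF.
    """
    bucket = resolve_bucket(host_header, routes)
    if bucket is None:
        return 404, "Not Found"
    return 200, f"served from back-end for {canonical_host(host_header)}"


if __name__ == "__main__":
    for h in ("www.example.com", "www.example.com.", "WWW.Example.COM.:443",
              "assets.example.com", "other.example.com."):
        print(f"{h!r:28} -> bucket={resolve_bucket(h)!r} response={handle_request(h)}")
```

The behaviour the post reports corresponds to skipping the trailing-dot step in `canonical_host`, at which point the dotted name misses the table and the error path is reached; the second defence is that the error path itself says nothing about the back-end.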