@fransrosen
Frans Rosén
6 years
I read the S3 docs and found that signing errors disclosed the bucket name. This can be used when CDNs are put in front of a bucket. It doesn't work in all cases, but many of them. You need an access key to make it work (no secret key). S3 decloaker:
8
116
297

Replies

@fransrosen
Frans Rosén
6 years
Many of the times, a specific path (/files/, /static/ etc.) is used as a reverse proxy to S3; this script will decloak those cases as well.
1
2
9
@fransrosen
Frans Rosén
6 years
The reason to find the bucket is to make further ACL checks on the bucket. When the bucket is hidden behind a CDN, you cannot make proper requests to the bucket, so no ACL checks can be made; that's why you need the bucket name.
0
1
8
@gwendallecoguic
Gwendal Le Coguic
6 years
@fransrosen Looks like it doesn't work with a CloudFront subdomain that points to the bucket.
1
0
0
@fransrosen
Frans Rosén
6 years
@gwendallecoguic Depends on the setup. If no headers or query params are passed to the bucket and only GET/HEAD are allowed, then no luck.
0
0
3
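The condition Frans describes in the reply above (CloudFront forwarding no headers or query strings to the S3 origin and allowing only GET/HEAD) is exactly the setting a defender controls. The following Terraform fragment is an added example and is not part of the thread or of the decloaker script; the resource and bucket names are hypothetical. It shows a CloudFront distribution configured so that nothing a viewer sends (Authorization headers, query parameters, non-GET methods) reaches the bucket, with comments marking the looser settings that would let signed requests through.

```hcl
# Added example (hypothetical names): CloudFront in front of a private S3 bucket,
# configured so viewer-supplied headers, query strings and write methods never
# reach the origin. Compare the commented "looser" values in each block.

resource "aws_cloudfront_origin_access_identity" "oai" {
  comment = "Only CloudFront may read the assets bucket"
}

resource "aws_cloudfront_distribution" "assets_cdn" {
  enabled = true

  origin {
    # Hypothetical bucket resource; CloudFront reaches it through the OAI,
    # so the bucket itself can stay private (no public ACL needed).
    domain_name = aws_s3_bucket.assets.bucket_regional_domain_name
    origin_id   = "s3-assets"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-assets"
    viewer_protocol_policy = "redirect-to-https"

    # Hardened: read-only at the edge.
    # Looser alternative that forwards PUT/POST/DELETE to the bucket:
    #   allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]

    forwarded_values {
      # Hardened: the origin never sees the viewer's query string, so
      # presigned-style parameters are dropped at the edge.
      # Looser alternative: query_string = true
      query_string = false

      # Hardened: no viewer headers reach S3, so a viewer-supplied
      # Authorization header never triggers an S3 signing error.
      # Looser alternative: headers = ["Authorization", "*"]
      headers = []

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

This only limits what leaks through the CDN; the thread's actual concern is the bucket's own ACL and policy, so the origin bucket should also be kept private (for example with S3 Block Public Access enabled) rather than relying on the distribution to hide it.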
@iiuusit
Iiro Uusitalo ✳️
6 years
0
0
2
@decalresponds
Derek Callaway
6 years
@fransrosen @hxmonsegur FYI: The prim and "proper" English is #uncloak as opposed to decloak; @TwitterMoments already had a #hashtag for it from people mentioning other attacks when I wrote this: 🤓 (and #Awesome #script btw!)
0
0
2
@fransrosen
Frans Rosén
6 years
@olemoudi @paradoxengine You only need one that is working; it doesn't matter what account it is connected to. The signature error order first checks whether the access key exists or not.
0
0
1
@digitalwoot
Ryan Black - infosec.exchange/@digitalwoot
6 years
0
0
1
@BlankJinn
BlankJinn
6 years
@fransrosen Frans strikes again! :D
0
0
1
@gwendallecoguic
Gwendal Le Coguic
6 years
@fransrosen But works very well with
0
0
0
@3th1c_yuk1
3th1c_yuk1
2 years
@fransrosen Can you tell exactly how this tool works (usage of the tool)? It seems like it is not working properly now!!
0
0
0