S3 Is A Security Nightmare (Common Exploit Showcase)

00:00

I wanted to do a video about the

00:01

security issues with S3 for a while if

00:03

you're using it yourself right now

00:04

there's a good chance you've made some

00:06

configuration issues that could cause

00:07

some massive security flaws in February

00:09

I found this blog post and I immediately

00:11

added it to my to-do for video content

00:13

because I want to talk about S3 and all

00:15

the things people do wrong with it and

00:16

how easy it is to find like an account

00:18

ID since then though Our Community

00:20

member Eva has done a lot of crazy

00:22

with S3 and other people's

00:24

implementations on top of it and

00:26

honestly this is a much much better post

00:28

and a much better video and I can't not

00:30

take the opportunity to read it and

00:31

share with you guys the hack and the

00:32

craziness that is how badly most people

00:35

set up and secure their S3 if you

00:36

recognize this blog post and this

00:38

website it might be because of my

00:39

earlier video 900 sites 125 million

00:42

accounts and one vulnerability they're

00:44

the ones who did the Firebase exploit

00:46

that compromised a ton of websites and

00:48

found $4 billion of potential Bank

00:51

credentials just crazy anyways

00:53

we're talking about S3 specifically how

00:55

most people suck at securing it and some

00:57

of the things that can result if you

00:58

don't set it up correctly tldr S3

01:01

pre-sign posts or other ways of

01:02

uploading files can easily be abused

01:05

with cross-site scripting or unwanted

01:06

paths for uploads yep if you're not

01:09

familiar with a presign post URL it's an

01:10

important concept that'll tldr for you

01:13

maybe this is going to be more than a

01:15

tldr excal draw my beloved let's get

01:19

diagramming you have a server we'll call

01:22

this your server your server is a box

01:25

that does things one of those things is

01:28

make sure a user is the right user so if

01:30

you have a user we'll have the user be a

01:31

circle let's say this user wants to

01:33

upload there's a couple different ways

01:35

they could do it they could literally

01:36

just send the file straight to your

01:38

service which is a file upload where the

01:43

user just immediately posts the file

01:44

maybe it's part of some form data maybe

01:46

they're just sending it as a post there

01:49

in is some way in which this user that's

01:51

on your service is sending this file to

01:53

your server usually this has more steps

01:55

though usually it's more like this where

01:58

the user will send

02:00

some type of like permission request to

02:03

make sure they have permission to

02:04

actually do this thing so which the

02:06

server applies yes you can

02:09

upload and then and only then do we

02:12

actually send the file to your server in

02:15

order for this to work you have to have

02:17

authentication checks at all of these

02:18

steps and once this permission has been

02:20

granted you probably have to REO too

02:22

because you want to make sure that this

02:23

is actually the person doing the upload

02:25

but you have to have some level of back

02:26

and forth here on top of that it's

02:28

important to recognize the size of of

02:30

these requests the permission request is

02:31

probably going to be like literally 1

02:33

kilobyte the response will probably also

02:35

be 1 kilobyte the file upload might be

02:38

50 megabytes so now your service is

02:40

eating 50 megabytes of egress where

02:42

you're passing this to your server we

02:44

even talked about the other side though

02:46

which uh honestly probably better to

02:47

have a different shape I'll use uh our

02:49

good old Diamond to represent external

02:51

services in this case S3 this is the

02:54

file storage on Amazon that most people

02:56

are using for actually storing their

02:57

files once this file has been uploaded

02:59

you you probably want to pass it to S3

03:01

so it's there forever so we're uploading

03:03

the file and then we have to Route this

03:05

through your service and then over to S3

03:08

so we have to eat the cost of ingesting

03:10

the file as well as passing it over we

03:12

have to wait till the whole file has

03:13

uploaded have it on our server and then

03:15

pass it if this file is too big good

03:17

luck there's a lot of things you have to

03:19

think about when you do this wouldn't it

03:21

be really nice if instead of the file

03:23

upload happening here you could just

03:25

have it go straight to S3 wouldn't that

03:27

solve a lot of these problems it

03:29

introduces own problems too which is

03:30

that your server needs to know when the

03:32

upload is done so once S3 is done

03:34

ideally it's going to call your service

03:36

and say by the way upload completed

03:39

because something has to tell your

03:40

server when the upload is done believe

03:42

it or not the way most Services work is

03:44

they'll actually have the user tell the

03:47

server hey I just finished uploading

03:49

because getting S3 to tell your server

03:51

that the uploads complete is way more

03:53

annoying than it should be the main

03:55

thing I want to talk about here though

03:56

is this skipping the step straight to S3

03:59

usually what will happen here is you'll

04:01

contact us three or do your own things

04:03

to sign to create what's called a

04:05

pre-sign poost URL which is what gets

04:07

sent back here you signed post sent the

04:10

pre-sign post URL is a URL that was

04:12

generated by your server that allows for

04:14

a user within a specific window with

04:16

specific permissions and like file

04:18

delimiters to then upload that file

04:20

straight to S3 so you'd request to your

04:22

server hey I want to upload a thing I

04:24

want to upload an image up to 4

04:26

megabytes your server then responds to

04:28

that user with the presign post URL that

04:30

they then post the image to to send it

04:31

to S3 pre-sign post is just the way we

04:34

do this for a bunch of reasons largely

04:36

because skipping your server means the

04:38

Ingress and the egress costs in and out

04:40

get entirely eliminated and the latency

04:42

is much better too because the user is

04:44

posting straight to S3 instead of going

04:45

through a middleman that said pre-sign

04:47

post URLs leave a lot of places to make

04:49

mistakes which is probably what this

04:51

post is focused on back to said post so

04:53

you might have recently seen Eva's

04:55

tweets about S3 upload and how many

04:57

companies can't stop messing it up

04:58

believe it or not this a much more

05:00

widespread issue than even my tweets

05:01

made it out to be check out Eva's

05:02

Twitter if you haven't already XYZ Eva

05:04

absolute Legend killing it with these

05:06

xpls and security discoveries I've

05:08

learned a lot from watching them so

05:09

check them out anyways this article

05:11

covers two common vulnerabilities that

05:13

they found within S3 uploads

05:15

specifically within pre-signed posts who

05:17

doesn't love a good cross-site script

05:19

xss everyone's favorite you probably saw

05:21

this one coming companies make a files.

05:23

some company.com or CDN Doom company.com

05:26

subdomain for S3 and when you combine

05:28

that with poor handling of content types

05:30

of an uploaded endpoint we can upload

05:32

HTML files and if their cookies are set

05:34

in properly we can use this to take over

05:36

accounts this is scary the piece you

05:39

need to know in order for this to make

05:41

sense is that HTML and JavaScript tags

05:44

that are served from a specific URL have

05:46

access to the cookies from that domain

05:48

so if you set a cookie on google.com and

05:52

you serve some HTML on google.com/

05:54

whatever that HTML when it runs in the

05:57

browser has access to the cookies that

05:58

are on that base URL if you set your

06:01

cookies in correctly you might also have

06:03

those on all your subdomains so if you

06:05

set your cookies where they work on

06:06

files. google.com as well as on

06:08

google.com like the root domain now if

06:11

you put an HTML page on files.

06:13

google.com and someone can open it you

06:14

have access to things that you shouldn't

06:16

have access to that is very very scary

06:19

for security reasons it's one of the

06:20

first things that people look for when

06:21

they're trying to exploit Services

06:23

because now if you are able to upload

06:25

files somewhere you shouldn't and they

06:27

can be HTML Pages you can send one of

06:29

those links like files.

06:32

google.com/ my page. HTML if in here I'm

06:35

doing some nasty stuff with cookies and

06:37

Google's cookies aren't configured

06:38

correctly I now have access to all of

06:40

your off credentials and I can now take

06:42

over your account cross- site scripting

06:44

is one of the scariest ways to exploit

06:46

things and now we're seeing just why

06:48

well soon we will see just why and what

06:50

is possible when you use these exploits

06:52

the first example Eva gave was a website

06:54

called tally Tally's a modern Google

06:55

forms alternative which allows form

06:57

Creation with images for this reason

06:59

they also have profile pictures they

07:01

need to store files that makes sense if

07:03

you have a form that has images you need

07:05

able to store images they chose a custom

07:06

is endpoint that uploads a file for you

07:09

to their S3 after performing checks

07:11

sounds good right not so fast here's

07:13

what the request for uploading something

07:15

looks like so here's the request API TSO

07:19

upload block asset you get back a

07:21

response you have the pixel image the

07:23

name the URL storage. T.O and here's the

07:27

image pink pixel. PNG image. PNG size 83

07:30

I'm sure it's like just 83 bytes cool

07:33

looks interesting but what if we tried

07:34

an HTML file instead hello image source

07:37

X on error alert one cool and now if we

07:41

see this she was able to post xss HTML

07:45

as an asset to this endpoint and get

07:47

back xss HTML with the MIM type being

07:50

correct this is a big deal because the

07:52

MIM type being correct means that you

07:54

can go to this page and your browser

07:55

will treat it as HTML and potentially

07:57

exploit it EV just pointed out that

07:59

browsers will actually try to MIM sniff

08:01

even if content type is set to something

08:03

else so if you don't manually set your

08:05

headers is the host of the service it's

08:08

possible that your browser will assume

08:10

it's HTML and try to run it anyways even

08:12

if you set some other M type elsewhere

08:14

so yeah be careful of that cool so now

08:17

that it's uploaded let's see what she

08:18

does here you can see Hello empty image

08:21

tag that is broken but it didn't alert

08:25

which means that something's getting

08:26

trimmed it looks like it didn't work

08:27

let's look at the Dom hm looks like

08:29

tally sanitized our xss payload out so

08:32

they kind of thought of this but it's

08:34

likely not foolproof that's very

08:36

interesting that they let you upload

08:37

HTML they just try to sanitize it before

08:40

it gets to the user to remove things

08:41

like JS tags fun let's see how this

08:45

works or more importantly how this gets

08:47

exploited looks like it got sanitized so

08:49

they thought of this yada yada on error

08:52

fetch attacker URL script. then a text

08:55

then doing some vals cool and then the

08:57

xmlns is W3 .org this is forcing the XML

09:01

parsing mode ooh this actually works

09:03

this allows me or bad actor to get

09:05

cross-site scripting on files. T.O which

09:08

has the session cookie in scope but it's

09:10

HTTP only how can we get the cookie when

09:12

it's HTTP only very interesting oh ha

09:16

thank you Eva for pointing that out it's

09:18

not an HTML Doc it's an XML doc because

09:21

they're uploading this as SVG XML very

09:24

clever very clever these are the things

09:27

where like if your service isn't

09:28

accounting for it you're SC and if

09:29

you're trying to DIY all these Solutions

09:31

they're not going to work we'll talk

09:32

about the easiest ways to work around

09:34

these things in a bit and early warning

09:35

this will include a couple self plugs so

09:37

know that but for now XML SVG XML

09:40

specifically seems like a good way to

09:42

hack some JavaScript into a place where

09:44

it doesn't belong and according to chat

09:47

both Eva and neotherm a lot of places

09:49

don't actually secure SVG uploads which

09:51

is terrifying but sadly doesn't surprise

09:53

me so how do we deal with the fact they

09:56

files endpoint is only HTTP not https

09:59

turns out that tally has an endpoint for

10:00

us that lets us get an authentication

10:02

token from a refresh cookie and its web

10:04

app also needs this token for the API so

10:06

this is intentional here's my final

10:08

payload served by my web server refret

10:10

this page with credentials included and

10:13

then a. json. then await fetch attack or

10:16

call back method post body headers

10:18

content type window location replace

10:21

to.so very

10:24

interesting and here's what my silly

10:26

little web server gets when someone

10:28

clicks this link

10:30

so here they get the full dump of this

10:32

user's information when somebody goes to

10:34

the page so if they send them that SVG

10:36

and they open it they get all of this

10:38

sent over afterwards the do replace is

10:41

just a cleanup so that it looks like you

10:42

just went to the T homepage it's not

10:44

actually important very good to

10:46

know authorization token no oh Eva

10:51

organization id never change never

10:55

change love this full pwned cool one

10:57

click full pone of your t account isn't

10:59

that just really good well no Bounty was

11:01

awarded for this I can't blame them

11:03

they're a startup and they still fix the

11:04

issue very quickly but as you can see

11:07

these exploits are very powerful so

11:09

obviously Eva continued S3 paths are

11:12

tasty some Services allow the user to

11:14

control the path and key of the file to

11:16

upload while uploading common libraries

11:18

also do this next S3 upload oh boy don't

11:21

tell me the next S3 upload library is

11:23

this easily compromised interesting this

11:26

is a problem when the server doesn't

11:27

check if the file already exists

11:29

allowing the client to override other

11:31

people's

11:32

files I see where this one's going and

11:34

this is again something that people

11:36

every service I've seen gets wrong do I

11:38

do the upload thing plug now or do I

11:39

wait a little bit it's very tempting to

11:41

plug upload thing right now but I'm

11:42

going to wait for the time being we'll

11:44

get to it in a bit I am sure exhibit B P

11:47

yes I did choose the specific example to

11:49

make it rhyme with

11:51

t never change

11:54

Eva anyways p is a way for streamers to

11:57

set up a donation page and split it

11:58

across their team such as their mods

12:00

they have Channel banners and channel

12:02

profile pictures so they need a way to

12:03

store that data they chose to use S3 to

12:05

do this here's what a request to upload

12:07

an image would look like API p g V10

12:09

upload sign ACL public read key is the

12:12

key for the file and then file types

12:14

image PNG I already am seeing the

12:16

problem here my assumption before we go

12:17

any further is that this key is

12:19

something you're setting which means you

12:20

can set this key to something that you

12:22

shouldn't be able to upload and then

12:23

override it then this returns a pre-sign

12:26

post URL the key is randomly generated

12:29

by the client so what happens if I

12:31

change the key into something that's

12:32

already used by another user well that's

12:34

exactly what I did and it worked so for

12:36

an entire minute Thor's profile picture

12:38

on P was a gnome while watching pirate

12:40

software for the Apex situation stream

12:42

found this donation link with P found a

12:43

way to override it basically it was just

12:45

a classic case of insecured three

12:46

uploads can I say on four yep but then

12:48

here alternatively use something like

12:50

upload thing to do the file uploads for

12:51

you I'm going to take the opportunity

12:53

here cuz you mentioned it first upload

12:55

thing was built to solve a lot of these

12:57

problems the number of places that I

12:59

seen that are doing file uploads just

13:01

like entirely incorrectly be it things

13:03

like this be it eating egress cost and

13:05

Ingress costs they shouldn't be eating

13:06

be it just not authenticating on their

13:08

servers properly be it allowing uploads

13:10

that they shouldn't there are so many

13:11

things I've seen like everyone get wrong

13:13

including the naming of these things

13:15

something that we do when we go to

13:17

upload thing files or when you're

13:19

uploading it in the first place if I

13:20

just go to my T3 Gallery tutorials files

13:23

all of these files have a key that we

13:24

set and if you look at the URL you'll

13:26

see the URL has this key in front front

13:29

and then it has the PNG at the end when

13:32

you save this file we're actually using

13:34

other things to get the name that aren't

13:36

included and this URL for the file is

13:38

generated by us so there's no world in

13:40

which you can override someone's file

13:43

here it's just not viable you can't do

13:45

it which is again really important and

13:48

most people configure these things

13:49

incorrectly that's why we did it so yeah

13:51

if you want to set up these things

13:53

correctly upload things really easy

13:55

really cheap we have a guide on how to

13:57

get started takes literal minutes to do

13:59

some people it actually takes literal

14:00

seconds to do we had a speedrun Content

14:02

people were setting up upload thing in

14:04

literally under 10 seconds on a new

14:05

service while also being fully

14:07

authenticated which is an important part

14:09

we actually require with upload thing

14:11

that you manage everything on your own

14:13

service so if we see here this file

14:15

router this is where you authenticate a

14:17

user to upload this code runs on your

14:19

server because we so strongly believe

14:21

that you need to authenticate the users

14:22

not us all of these patterns are things

14:24

that we're strictly enforcing because

14:26

most people do these things wrong so we

14:28

just made them the default we made doing

14:30

them correctly the default and as long

14:32

as you scroll through and copy paste all

14:33

this code it is very very hard to set up

14:36

upload thing in a way that is unsafe by

14:39

Design I also see some of the upload

14:41

things speedrun winners hanging out in

14:42

chat and bed set some insane scores on

14:45

that speedrun embed just link their

14:47

records upload thing speedrun of 9

14:49

seconds and 245 milliseconds absolute

14:52

Insanity there's a couple cheats here

14:54

that let them do it so fast specifically

14:56

that they use their bash history to fill

14:57

out most of the back end code here but

15:00

uh yeah that allowed them to set this up

15:02

and get it working in literally

15:05

seconds drag and drop the file go here

15:08

and then you see it already uploaded

15:10

actual

15:11

Insanity so it should be that easy

15:14

anyways setting this on the client is a

15:16

terrible idea and I hope that by now you

15:18

guys can understand why also allowing

15:19

the user to set ACL is terrifying the

15:21

results are not surprising either when

15:23

you leave things like this accessible to

15:25

the users terrifying they also didn't

15:28

offer a bug but they're also a smaller

15:30

startup so that's fair especially if

15:31

they fixed it since like you're getting

15:33

your value out of this blog post and

15:35

again check out Eva if you haven't

15:37

already she's good at this stuff you can

15:39

probably pay her to pone your stuff and

15:40

make sure you pay her for her efforts

15:42

because she knows what she's doing and

15:43

she deserves some money for it so how do

15:44

we fix this we could simply avoid the

15:46

examples above set your cookies properly

15:48

and not allow people to control the key

15:50

important stuff in conclusion S3 is

15:53

pretty hard to do because of the common

15:54

pitfalls people come across while using

15:56

third party libraries specifically

15:58

ignorance if you're using third- partyy

15:59

libraries to manage your actual uploads

16:01

it is pretty easy to do it wrong this is

16:03

something that we've extensively covered

16:05

in the past and S3's lack of good docs

16:07

amplifies the issue I absolutely agree

16:09

that's too hard though can somebody do

16:11

it for me there's many products

16:12

available to simplify S3 or redo it

16:14

entirely here's a few pumped to be the

16:16

first one in the list the B scale file

16:17

upload API from what I've heard is

16:19

pretty solid file stack I've heard a

16:21

little bit about but I'm less familiar

16:22

with uh simple file uploader and

16:24

Powerful apis to upload transform and

16:26

deliver things in your app cool haven't

16:28

used this one so I don't know how good

16:29

it is to recommend also their

16:31

competition so I'm not going to linger

16:32

on it too much but yes this is why we

16:34

built upload thing we put a lot of work

16:35

into it and I hope this video helps you

16:37

understand exactly why managing your

16:39

files is a scary thing and I see way too

16:41

many people doing it wrong hopefully

16:42

this incentivizes you to do it right and

16:44

until next time peace nerds