aws extender

AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.

VirtueSecurity
222
52
Python

AWS Extender

This Burp Suite extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.

How to install

You can install this extension directly from the BApp Store or manually by cloning this repo and following these steps:

  1. Open the Burp Suite Extender tab.
  2. Open the “Options” subtab.
  3. Set the “Folder for loading modules” setting to the pathname of the “BappModules” folder.
  4. Open the “Extensions” subtab.
  5. Click “Add” and set “Extension type” to “Python”.
  6. Set “Extension file (.py)” to the pathname of the “main.py” file and click Next.

Extension Settings

The settings tab provides the following settings:

Settings Tab

Below is a description of each:

Setting Description Required
AWS Access Key Your AWS account access key ID True*
AWS Secret Key Your AWS account secret key True*
AWS Session Key A temporary session token False
GS Access Key Your Google account access key ID True*
GS Secret Key Your Google account secret key True*
Wordlist Filepath A filepath for a wordlist of filenames False
Passive Mode Perform passive checks only N/A
SSL Verification Enable/disable SSL verification N/A

Notes:

  • AWS keys can be obtained from your AWS Management Console. For Google Cloud, see the documentation. Note that AWS/GS keys are only required for authenticated tests; if no keys are provided, only unauthenticated tests will run.

  • When SSL verification is enabled, buckets with a dot in their name will not be thoroughly tested due to SSL verification errors in boto (see: /boto/boto/issues/2836). You can either disable SSL Verification to test these (not recommended) or use this command-line script to test such buckets (/VirtueSecurity/aws-extender-cli).

  • It might be advisable to enable the “Passive Mode” option when testing on production environments in order to avoid any potentially disruptive bucket misconfiguration checks (see: #4).

Screenshots

S3 Bucket Misconfiguration

S3 Signed URL Excessive Expiration Time

GS Bucket Misconfiguration

Disclaimer:

Developers assume no liability and are not responsible for any misuse or damage caused by this tool. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws.