AWS Extender

This Burp Suite extension can identify and test S3 buckets, as well as Google Storage buckets and Azure Storage containers, for common misconfiguration issues, using the boto/boto3 SDK.
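As an added illustration of two of the checks this kind of tool performs (not code from AWS Extender itself), the following script flags S3 ACL grants to the AllUsers/AuthenticatedUsers groups and detects presigned URLs with an excessive lifetime; the ACL input follows the shape of a boto3 `get_bucket_acl()`/`get_object_acl()` response, and the bucket name, URL and threshold are constructed assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Group grantee URIs that make an S3 ACL readable/writable by everyone
# (anonymous) or by any AWS account holder. These URIs are the ones S3 uses.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_findings(acl):
    """Return (grantee label, permission) pairs for every public group grant.

    `acl` is a dict shaped like a boto3 get_bucket_acl()/get_object_acl() response:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": "Group", "URI": ...}, "Permission": ...}]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grants are scoped to one account
        label = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if label:
            findings.append((label, grant.get("Permission")))
    return findings


def signed_url_expiry_seconds(url):
    """Return the X-Amz-Expires lifetime (seconds) of a SigV4 presigned URL, or None."""
    value = parse_qs(urlparse(url).query).get("X-Amz-Expires")
    return int(value[0]) if value else None


def is_excessive_expiry(url, max_seconds=3600):
    """True when the presigned URL lives longer than the (assumed) policy threshold."""
    expires = signed_url_expiry_seconds(url)
    return expires is not None and expires > max_seconds


# Constructed sample inputs: placeholder bucket, owner ID and signature, not real values.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    ],
}
SAMPLE_URL = ("https://example-bucket.s3.amazonaws.com/report.pdf"
              "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=placeholder")

if __name__ == "__main__":
    for label, permission in public_acl_findings(SAMPLE_ACL):
        print("public grant:", label, permission)
    print("excessive expiry:", is_excessive_expiry(SAMPLE_URL))
```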

How to install

You can install this extension directly from the BApp Store or manually by cloning this repo and following these steps:

  1. Open the Burp Suite Extender tab.
  2. Open the "Options" subtab.
  3. Set the "Folder for loading modules" setting to the pathname of the "BappModules" folder.
  4. Open the "Extensions" subtab.
  5. Click "Add" and set "Extension type" to "Python".
  6. Set "Extension file (.py)" to the pathname of the "main.py" file and click "Next".

Extension Settings

The settings tab provides the following settings:

<a href="/screenshots/settings.png?raw=true" target="_blank"><img src="/screenshots/settings_thumb.png?raw=true" alt="Settings Tab"></a>

Below is a description of each:

| Setting | Description | Required |
|---|---|---|
| AWS Access Key | Your AWS account access key ID | True* |
| AWS Secret Key | Your AWS account secret key | True* |
| AWS Session Key | A temporary session token | False |
| GS Access Key | Your Google account access key ID | True* |
| GS Secret Key | Your Google account secret key | True* |
| Wordlist Filepath | A filepath for a wordlist of filenames | False |
| Passive Mode | Perform passive checks only | N/A |
| SSL Verification | Enable/disable SSL verification | N/A |

Notes:

Screenshots

<a href="/screenshots/S3_bucket_misconfiguration.png?raw=true" target="_blank"><img src="/screenshots/S3_bucket_misconfiguration.png?raw=true" alt="S3 Bucket Misconfiguration"></a>

<a href="/screenshots/excessive_signed_url.png?raw=true" target="_blank"><img src="/screenshots/excessive_signed_url.png?raw=true" alt="S3 Signed URL Excessive Expiration Time"></a>

<a href="/screenshots/GS_bucket_misconfiguration.png?raw=true" target="_blank"><img src="/screenshots/GS_bucket_misconfiguration.png?raw=true" alt="GS Bucket Misconfiguration"></a>

Disclaimer:

Developers assume no liability and are not responsible for any misuse or damage caused by this tool. Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.