How to spot and troubleshoot AWS S3 bucket object traversal issues

Felixs JiangFelixs Jiang
4 min read

Introduction

The object traversal issue in AWS S3 buckets is a common problem that can be caused by two main reasons: incorrect ACL (Access Control List) configurations and incorrect policy configurations. In the following sections, we will provide a detailed explanation of how to detect and prevent these misconfigurations.

Introduction to Object Traversal Issue

Let's consider a storage bucket where, upon opening it, we can see the following content:

As we can observe, the bucket directly lists the files it contains, indicating the presence of an object traversal issue. Now, let's delve into why this issue occurs.

1. Incorrect ACL Configuration

When the ACL of a storage bucket is configured to provide "List" permissions to everyone, it results in an object traversal problem.

2. Incorrect Policy Configuration

In addition to ACL misconfigurations, incorrect policy configurations can also lead to the same problem. Here's an example of a policy with an erroneous configuration:

{
    "Version": "2012-10-17",
    "Id": "test",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::selefra-test-xxxx"
        }
    ]
}

In this policy, all users are granted "s3:ListBucket" permissions for the "selefra-test-xxxx" bucket, which also leads to object traversal issues.

Fixing the Object Traversal Issue

To fix the issue caused by ACL misconfiguration, it is sufficient to uncheck the "List" option for "Everyone." For incorrect policy configurations, it is recommended to follow the principle of least privilege, granting specific permissions to designated users instead of providing access to all users.

Quickly Discovering Object Traversal Issues Using Selefra

Manually identifying these problems can be time-consuming and difficult to perform in bulk. Selefra can assist in quickly detecting these risks.

Selefra Project Repository: github.com/selefra/selefra

Regular Usage of Selefra

Let's start by installing Selefra:

brew tap selefra/tap
brew install selefra/tap/selefra

Next, create a new project folder:

mkdir selefra-test
cd selefra-test

Copy the following YAML file into this folder:

selefra:
    name: selefra-test
    connection:
      type: postgres
      username: your_username
      password: your_password
      host: 127.0.0.1
      port: 5432
      database: postgres
      sslmode: disable
    log_level: info
    providers:
        - name: aws
          source: aws
          version: v0.1.0
providers:
    - name: aws
      provider: aws
      cache: 7d
rules:
  - name: bucket_object_traversal_by_policy
    metadata:
      title: S3 bucket object traversal by policy
    query: |-
      SELECT
        DISTINCT(a1.*)
      FROM
        aws_s

3_buckets a1,
        json_array_elements(a1.policy :: json -> 'Statement') a2
      WHERE
      (
        a2 ->> 'Action' = 's3:ListBucket'
        OR a2 ->> 'Action' = 's3:List*'
        OR a2 ->> 'Action' = 's3:*'
      )
      AND a2 ->> 'Effect' = 'Allow'
      AND (
        a2 ->> 'Principal' = '*'
        OR a2 -> 'Principal' ->> 'AWS' = '*'
      )
      AND right(substring(a2 ->> 'Resource', -2), 2) <> '/*' ;
    output: "S3 bucket object traversal by policy, arn: { {.arn} }"
  - name: bucket_object_traversal_by_acl
    metadata:
      title: S3 bucket object traversal by acl
    query: |-
      SELECT
        DISTINCT(a1.*)
      FROM
        aws_s3_buckets a1,
        aws_s3_bucket_grants a2
      WHERE
       a1.selefra_id = a2.aws_s3_buckets_selefra_id
        AND a2.grantee :: jsonb ->> 'URI' = '<http://acs.amazonaws.com/groups/global/AllUsers>'
        AND a2.permission IN ('READ', 'FULL_CONTROL');
    output: "S3 bucket object traversal by acl, arn: { {.arn} }"

This configuration consists of three modules: "selefra," "providers," and "rules." Under the "selefra" module, configure your PostgreSQL database connection details in the "connection" block. The "providers" module includes the AWS provider and its cache duration. The "rules" module contains the configurations related to the detection rules. The "title" field represents the title of the detection strategy, and the "query" field contains the SQL query used to execute the detection strategy by querying the database for at-risk resources.

Before starting the detection, configure your AWS credentials using the following command:

aws configure

Then, run the following command to execute Selefra:

selefra apply

Selefra will initiate the detection process, and you will receive results similar to the example below:

In the results, you can identify the at-risk storage buckets. In addition to the above method, Selefra also integrates the chatGPT feature, allowing you to discover risk points by directly querying Selefra.

Selefra's GPT Feature

Similar to the previous steps, create a new folder and copy the following YAML file into it:

selefra:
    name: selefra-test
    connection:
      type: postgres
      username: yourusername
      password: yourpassword
      host: 127.0.0.1
      port: 5432
      database: postgres
      sslmode: disable
    log_level: info
        openai_api_key: your_openai_api_key
    openai_mode: gpt-4
    openai_limit: 10
    providers:
        - name: aws
          source: aws
          version: v0.1.0
providers:
    - name: aws
      provider: aws
      cache: 7d
rules:

In this configuration, you need to provide your own OpenAI API key and specify whether to use GPT-4 or GPT-

3.5. The "rules" block can be left empty as it will be automatically generated by AI.

Before starting the detection, configure your AWS credentials, and then you can use the GPT feature as follows:

selefra gpt "Query S3 Buckets that allow list objects"

The output will provide you with the discovered risks in your cloud environment using just a simple query.

As shown above, you can easily identify risks in your cloud environment with just a single query, making it very convenient.

Conclusion

Object traversal issues in S3 storage buckets are common and important to address. Through this article, I hope to help you understand and mitigate the object traversal issues in AWS S3 storage. With the help of Selefra, we can make the cloud more secure.

1
Subscribe to my newsletter

Read articles from Felixs Jiang directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Felixs Jiang
Felixs Jiang