level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
52.92.187.187
Public Scan
URL:
http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
Submission: On March 27 via api from US — Scanned from DE
FLAWS - LEVEL 2

LESSON LEARNED

On AWS you can set up S3 buckets with all sorts of permissions and functionality, including using them to host static files. A number of people accidentally open them up with permissions that are too loose. Just like how you shouldn't allow directory listings of web servers, you shouldn't allow bucket listings.

EXAMPLES OF THIS PROBLEM

* Directory listing of S3 bucket of Legal Robot (link) and Shopify (link).
* Read and write permissions to S3 bucket for Shopify again (link) and Udemy (link).

This challenge did not have read and write permissions, as that would destroy the challenge for other players, but it is a common problem.

AVOIDING THE MISTAKE

By default, S3 buckets are private and secure when they are created. To allow the bucket to be accessed as a web page, I had to turn on "Static Website Hosting" and change the bucket policy to allow everyone "s3:GetObject" privileges, which is fine if you plan to publicly host the bucket as a web page. But then to introduce the flaw, I changed the permissions to add "Everyone" to have "List" permissions. "Everyone" means everyone on the Internet. You can also list the files simply by going to http://flaws.cloud.s3.amazonaws.com/ due to that List permission.

--------------------------------------------------------------------------------

LEVEL 2

The next level is fairly similar, with a slight twist. You're going to need your own AWS account for this. You just need the free tier.

For hints, see Hint 1
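The distinction in "Avoiding the mistake" (GetObject for everyone is fine for a static site; a List grant for "Everyone" is the flaw) can be turned into an offline check over the two places that grant the listing: the bucket policy and the bucket ACL. The following is an added example, not code from the flaws.cloud page or from AWS; the bucket name, Sid values and canonical-user ID in the sample inputs are constructed, and the inputs mimic the JSON shape of `aws s3api get-bucket-policy` / `get-bucket-acl` output.

```python
"""Audit an S3 bucket policy and ACL for anonymous bucket listing.

A static site needs "s3:GetObject" for everyone; "s3:ListBucket" for everyone,
or ACL READ on the bucket for the AllUsers group, is the listing mistake above.
Inputs are constructed samples shaped like `aws s3api get-bucket-policy` /
`get-bucket-acl` output.
"""
import fnmatch

LIST_ACTIONS = ("s3:ListBucket", "s3:ListBucketVersions")  # key enumeration
# Grantee groups AWS treats as public. AuthenticatedUsers is any AWS account
# in the world, so it counts as public here too.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    """IAM JSON allows a string or a list for Action/Principal fields."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: everyone on the Internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def policy_list_findings(policy):
    """Allow statements granting a public principal any list action.

    Wildcards ("s3:*", "s3:List*") are expanded with fnmatch. Statements with a
    Condition are reported but flagged for manual review of that condition.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        granted = [a for a in _as_list(stmt.get("Action"))
                   if any(fnmatch.fnmatchcase(la.lower(), a.lower()) for la in LIST_ACTIONS)]
        if granted:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"), "actions": granted,
                             "conditional": "Condition" in stmt})
    return findings

def acl_list_findings(acl):
    """ACL grants giving a public group READ (= list) or FULL_CONTROL on the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            findings.append({"grantee": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant["Permission"]})
    return findings

def is_publicly_listable(policy, acl):
    """Either mechanism alone exposes the listing."""
    return bool(policy_list_findings(policy) or acl_list_findings(acl))

# Constructed sample: the correct static-website policy, GetObject only.
WEBSITE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*"}]}

# Constructed sample: a blanket grant that also covers listing.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EverythingToEveryone", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:*", "Resource": ["arn:aws:s3:::example-site-bucket",
                                   "arn:aws:s3:::example-site-bucket/*"]}]}

# Constructed sample ACLs: owner only (safe) vs. owner plus "Everyone: List".
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-constructed"}
SAFE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FLAWED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    for name, pol, acl in [("site + owner ACL", WEBSITE_POLICY, SAFE_ACL),
                           ("site + Everyone:List ACL", WEBSITE_POLICY, FLAWED_ACL),
                           ("s3:* policy", WILDCARD_POLICY, SAFE_ACL)]:
        print(name, "listable:", is_publicly_listable(pol, acl),
              policy_list_findings(pol), acl_list_findings(acl))
```

On a bucket you own, `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` (the policy comes back as a JSON string, so run it through json.loads) and `aws s3api get-bucket-acl --bucket NAME` give the two inputs. The quickest external test is the one the page itself uses: fetch http://NAME.s3.amazonaws.com/ anonymously, or run `aws s3 ls s3://NAME --no-sign-request`, and see whether a ListBucketResult comes back instead of AccessDenied. Accounts created after this challenge was written also have S3 Block Public Access, which can refuse both the public ACL and the public policy statement before either takes effect.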