
codeblue_2024_opentalks.pdf


Flatt Security

November 16, 2024


Transcript

  1. Not Just Configuration Errors: A Comprehensive Look at Threats to Object Storage Services like S3
     11/14/2024, azara (@a_zara_n) / ei (@ei01241), Flatt Security Inc.
  2. Self-introduction: azara
     Norihide Saito / azara (X: @a_zara_n), Flatt Security Inc.
     Joined Flatt Security in 2020 and is engaged in professional services for web applications and public clouds. He works to raise awareness of security in public clouds and web applications through external organizations such as ISOG-J WG1, and by speaking at and holding workshops at JSAC (2024), AWS DevDay (2023), and Security-JAWS DAYS (2023).
  3. Self-introduction: ei
     Eiji Mori / ei (X: @ei01241), Flatt Security Inc.
     After graduating from the Graduate School of Kagoshima University, Eiji joined Flatt Security in April 2021. As a security engineer, he is mainly in charge of web application and smartphone application assessments. Having been involved in Security Camp events in the past, he has a wide range of interests, from hardware to software. His hobbies are vulnerability research and weight training.
  4. Introduction
     Do you think that you can detect all S3 vulnerabilities using just a tool?
     Vulnerabilities that can be detected using a tool:
     - Inadequate S3 settings
     - ...
     Vulnerabilities that cannot be detected using a tool:
     - EDoS
     - XSS due to metadata modification
     - ...
  5. S3
     Object storage service provided by AWS.
     - Application storage
     - Image and video distribution
     - Static site distribution
     - ...
  6. The Position of S3 in Cloud Environments
     In serverless architectures, it is often used as the storage in environments composed of Lambda, API Gateway, etc.
  7. Leakage of personal information and tampering with resources
     Improper S3 settings:
     - Improper S3 public access permissions
     - Improper S3 write permissions
     - ...
  8. EDoS
     EDoS: an attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees.
     - An attack on the total amount of data stored in a month
     - An attack on the number of requests in a month
     - An attack on the amount of data transferred in a month
  9. Active Object Storage Metadata Tampering
     Risks of changing object storage metadata:
     - XSS due to changing Content-Type
     - RFD due to changing Content-Disposition
     - EDoS due to changing the storage class
     - ...
  10. Leakage of personal information and tampering with resources (section slide)
     Improper S3 settings:
     - Improper S3 public access permissions
     - Improper S3 write permissions
     - ...
  11. Leakage of personal information and tampering with resources (section slide)
     Improper S3 settings:
     - Improper S3 public access permissions (this section)
     - Improper S3 write permissions
     - ...
  12. Improper S3 public access permissions (Read)
     Because S3 allows public access, confidential information may be leaked to attackers.
  13. Leakage of personal information and tampering with resources (section slide)
     Improper S3 settings:
     - Improper S3 public access permissions
     - Improper S3 write permissions (this section)
     - ...
  14. Improper S3 write permissions (Write)
     Because it is possible to write to S3, resources can be tampered with by attackers.
  15. Measures
     - Narrow down the scope of users who are allowed access in the Principal
     - Do not set “AWS: *” inappropriately within the Principal
     - Set the Actions and Resources according to the principle of least privilege
     - If “Effect: Allow” is used, do not set “Action: *” or “Resource: *” inappropriately
     - Narrow down the scope of the S3 buckets allowed in the Resource
     - Do not set “*” inappropriately in the Resource
     - Introduce a tool that can perform automatic detection
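The checklist above can be turned into a small automatic check, which is the slide's last item. The following Ruby linter is an added example, not the deck's or Shisho Cloud's code: it parses a bucket policy and reports Allow statements whose Principal, Action or Resource uses the wildcards the slide warns about, and it is run over two constructed policies, one open to everyone and one scoped to a single role, key prefix and action. The account id, role and bucket names are placeholders, and treating "s3:*" the same way as "*" is the example's own choice.

```ruby
require 'json'

# Wildcards the slide warns against. "s3:*" is treated like "*" here
# (an assumption of this example: it still grants every S3 action).
PRINCIPAL_WILDCARDS = ['*'].freeze
ACTION_WILDCARDS    = ['*', 's3:*'].freeze
RESOURCE_WILDCARDS  = ['*', 'arn:aws:s3:::*'].freeze

# Principal may be the string "*" or a hash such as {"AWS" => "*"} / {"AWS" => [...]}.
def wildcard_principal?(principal)
  return true if PRINCIPAL_WILDCARDS.include?(principal)
  return false unless principal.is_a?(Hash)
  Array(principal['AWS']).any? { |p| PRINCIPAL_WILDCARDS.include?(p) }
end

# Returns one finding string per weak setting found in an Allow statement.
def lint_bucket_policy(policy_json)
  policy = JSON.parse(policy_json)
  findings = []
  Array(policy['Statement']).each_with_index do |st, i|
    next unless st['Effect'] == 'Allow' # Deny statements only narrow access
    sid = st['Sid'] || "Statement[#{i}]"
    if wildcard_principal?(st['Principal'])
      findings << "#{sid}: Principal allows any AWS account (\"*\")"
    end
    if (Array(st['Action']) & ACTION_WILDCARDS).any?
      findings << "#{sid}: Action uses a wildcard; list only the actions the caller needs"
    end
    if (Array(st['Resource']) & RESOURCE_WILDCARDS).any?
      findings << "#{sid}: Resource is not scoped to a bucket or key prefix"
    end
  end
  findings
end

# Constructed sample: the kind of policy the slide's checklist rejects.
WEAK_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{ 'Sid' => 'OpenBucket', 'Effect' => 'Allow',
                    'Principal' => { 'AWS' => '*' }, 'Action' => '*', 'Resource' => '*' }]
)

# Constructed sample: the same access scoped to one role, one action and one
# key prefix (account id, role and bucket names are placeholders).
SCOPED_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{ 'Sid' => 'AppRoleRead', 'Effect' => 'Allow',
                    'Principal' => { 'AWS' => 'arn:aws:iam::123456789012:role/example-app-role' },
                    'Action' => ['s3:GetObject'],
                    'Resource' => 'arn:aws:s3:::example-bucket/public/*' }]
)

if __FILE__ == $PROGRAM_NAME
  puts 'weak policy:'
  lint_bucket_policy(WEAK_POLICY).each { |f| puts "  #{f}" }
  puts "scoped policy findings: #{lint_bucket_policy(SCOPED_POLICY).size}"
end
```

The linter only looks at Allow statements because a Deny with wildcards is the one case where "*" narrows rather than widens access; a real tool would also resolve the bucket's public access block and ACLs, which the slide lists as separate settings.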
  16. EDoS (section slide)
     EDoS: an attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees.
     - An attack on the total amount of data stored in a month
     - An attack on the number of requests in a month
     - An attack on the amount of data transferred in a month
  17. EDoS (section slide)
     EDoS: an attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees.
     - An attack on the total amount of data stored in a month (this section)
     - An attack on the number of requests in a month
     - An attack on the amount of data transferred in a month
  18. Storage data capacity billing system
     Storage data capacity       Price
     50 TB / month               0.025 USD / GB
     450 TB / month              0.024 USD / GB
     500 TB / month or more      0.023 USD / GB
     - The price varies depending on the amount of data stored on S3
     - The more data you store, the lower the price per GB
  19. An attack on the total amount of data stored in a month
     Increase the total amount of data stored per month.
     Example: uploading a 500 TB file -> 11,500 USD / month (huge)
  20. EDoS (section slide)
     EDoS: an attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees.
     - An attack on the total amount of data stored in a month
     - An attack on the number of requests in a month (this section)
     - An attack on the amount of data transferred in a month
  21. Request billing system
     - The price per request does not change even if the number of requests increases
     - The price differs depending on the method
     - In the case of GET, the price of the transferred data is also added
     Billing item                                             Price
     GET, SELECT, and all other requests (per 1,000 requests) 0.00037 USD
     PUT, COPY, POST, LIST requests (per 1,000 requests)      0.0047 USD
  22. An attack on the number of requests in a month
     Increase in the amount charged per request due to high-volume access.
     Example: 10 million requests sent -> 47 USD / month (the damage was minor)
  23. EDoS (section slide)
     EDoS: an attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees.
     - An attack on the total amount of data stored in a month
     - An attack on the number of requests in a month
     - An attack on the amount of data transferred in a month (this section)
  24. Billing system for transferred data
     - The amount of data transferred out of S3 affects the price
     - The more data you transfer, the lower the price per GB
     Amount of data transferred  Price
     10 TB / month               0.114 USD / GB
     40 TB / month               0.089 USD / GB
     100 TB / month              0.086 USD / GB
     150 TB / month or more      0.084 USD / GB
  25. An attack on the amount of data transferred in a month
     Increase in the amount charged due to the cumulative amount of data transferred.
     Example: downloading a 150 TB file -> 12,600 USD / month (huge)
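The three billing tables above are tiered, so a small estimator makes the cost of each EDoS scenario concrete. The following Ruby script is an added example and not part of the deck; it encodes the slides' tier boundaries and per-GB prices, assumes 1 TB = 1,000 GB as in the slides' rounded figures, and charges each slice of usage at its own tier's rate ("first 50 TB", "next 450 TB", and so on). Priced tier by tier, storing 500 TB comes to about 12,050 USD and transferring 150 TB to about 13,300 USD; the slides' headline figures (11,500 and 12,600 USD) are what you get by applying the lowest per-GB rate to the whole volume, so they sit slightly below these. The order of magnitude is the same either way.

```ruby
# Tier tables copied from the slides (Tokyo-region list prices): each entry is
# [size of the tier in GB, USD per GB]; the last tier is open-ended.
# Assumption of this example: 1 TB = 1,000 GB, matching the slides' rounded figures.
TB = 1_000
STORAGE_TIERS  = [[50 * TB, 0.025], [450 * TB, 0.024], [Float::INFINITY, 0.023]].freeze
TRANSFER_TIERS = [[10 * TB, 0.114], [40 * TB, 0.089], [100 * TB, 0.086], [Float::INFINITY, 0.084]].freeze
WRITE_METHODS = %w[PUT COPY POST LIST].freeze
WRITE_REQUEST_USD_PER_1000 = 0.0047
OTHER_REQUEST_USD_PER_1000 = 0.00037 # GET, SELECT and all other requests

# Charge each slice of usage at its own tier's rate.
def tiered_cost(quantity_gb, tiers)
  remaining = quantity_gb.to_f
  total = tiers.sum do |size, usd_per_gb|
    slice = [remaining, size].min
    remaining -= slice
    slice * usd_per_gb
  end
  total.round(2)
end

def storage_cost(stored_gb)
  tiered_cost(stored_gb, STORAGE_TIERS)
end

# Request pricing is flat per 1,000 requests but depends on the method.
def request_cost(count, method)
  rate = WRITE_METHODS.include?(method.upcase) ? WRITE_REQUEST_USD_PER_1000 : OTHER_REQUEST_USD_PER_1000
  (count / 1000.0 * rate).round(2)
end

# A GET is billed for the request and for every GB it transfers out of S3.
def download_cost(count, gb_each)
  (request_cost(count, 'GET') + tiered_cost(count * gb_each, TRANSFER_TIERS)).round(2)
end

# The three EDoS scenarios from the slides.
def edos_scenarios
  {
    'store a 500 TB object for a month' => storage_cost(500 * TB),
    'send 10 million PUT requests'      => request_cost(10_000_000, 'PUT'),
    'download a 150 TB object once'     => download_cost(1, 150 * TB)
  }
end

if __FILE__ == $PROGRAM_NAME
  edos_scenarios.each { |name, usd| printf("%-36s %10.2f USD\n", name, usd) }
end
```

Running the script shows why the deck treats the request-count attack as minor and the other two as huge: ten million PUTs cost tens of dollars, while a single oversized object stored or served once costs five figures.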
  26. Measures for file uploads
     - Upload with a size limit using the content-length-range condition of a signed URL
     - Size verification using an S3 trigger
  27. Measures for file acquisition
     - Using a CDN for large file distribution
     - Limiting the number of times a file can be downloaded
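Slide 26's first measure, a signed URL whose policy carries a content-length-range condition, is shown below as an added Ruby example that is not part of the deck. It derives the AWS Signature Version 4 signing key with the standard library only, builds a presigned POST policy that pins the object key and caps the body size, verifies the signature, and evaluates the policy locally in the way S3 does on receipt, so the oversized uploads behind the storage EDoS scenario are visibly refused. The bucket name, object key, region, credentials and the 10 MiB cap are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'time'

MAX_UPLOAD_BYTES = 10 * 1024 * 1024 # 10 MiB cap chosen for this example

def hmac_sha256(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# AWS Signature Version 4 signing-key derivation for S3.
def sigv4_signing_key(secret_key, date_stamp, region)
  k = hmac_sha256("AWS4#{secret_key}", date_stamp)
  k = hmac_sha256(k, region)
  k = hmac_sha256(k, 's3')
  hmac_sha256(k, 'aws4_request')
end

# Build a presigned POST (signed policy plus form fields). The policy binds the
# object key and caps the body with content-length-range; S3 rejects any POST
# whose body violates it, so the limit cannot be raised by the client.
def build_presigned_post(bucket:, key:, access_key:, secret_key:, region:, now:,
                         max_bytes: MAX_UPLOAD_BYTES, ttl_seconds: 300)
  date_stamp = now.strftime('%Y%m%d')
  amz_date   = now.strftime('%Y%m%dT%H%M%SZ')
  credential = "#{access_key}/#{date_stamp}/#{region}/s3/aws4_request"
  policy = {
    'expiration' => (now + ttl_seconds).strftime('%Y-%m-%dT%H:%M:%S.000Z'),
    'conditions' => [
      { 'bucket' => bucket },
      { 'key' => key },                        # one URL per object, no free-form keys
      ['content-length-range', 1, max_bytes],  # reject empty and oversized bodies
      { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
      { 'x-amz-credential' => credential },
      { 'x-amz-date' => amz_date }
    ]
  }
  encoded_policy = [JSON.generate(policy)].pack('m0') # strict base64, no line breaks
  signature = OpenSSL::HMAC.hexdigest('sha256', sigv4_signing_key(secret_key, date_stamp, region), encoded_policy)
  { 'url' => "https://#{bucket}.s3.#{region}.amazonaws.com/",
    'fields' => { 'key' => key, 'policy' => encoded_policy, 'x-amz-algorithm' => 'AWS4-HMAC-SHA256',
                  'x-amz-credential' => credential, 'x-amz-date' => amz_date, 'x-amz-signature' => signature } }
end

def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check S3 performs first: the policy must carry a valid signature, so a
# client that edits the size limit invalidates the whole policy.
def signature_valid?(fields, secret_key, region)
  date_stamp = fields['x-amz-credential'].split('/')[1]
  expected = OpenSSL::HMAC.hexdigest('sha256', sigv4_signing_key(secret_key, date_stamp, region), fields['policy'])
  constant_time_eq?(expected, fields['x-amz-signature'])
end

# Local re-implementation of the condition checks S3 applies to the POST.
# `fields` holds the form fields plus 'bucket' (taken from the URL in a real request).
def policy_allows?(encoded_policy, fields, content_length, now:)
  policy = JSON.parse(encoded_policy.unpack1('m0'))
  return false if now >= Time.iso8601(policy['expiration'])
  policy['conditions'].all? do |cond|
    case cond
    when Hash
      name, expected = cond.first
      fields[name] == expected
    when Array
      op, a, b = cond
      case op
      when 'eq'                   then fields[a.delete_prefix('$')] == b
      when 'starts-with'          then fields[a.delete_prefix('$')].to_s.start_with?(b)
      when 'content-length-range' then (a..b).cover?(content_length)
      else false
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  post = build_presigned_post(bucket: 'example-upload-bucket', key: 'uploads/avatar.png',
                              access_key: 'AKIAEXAMPLEACCESSKEY', secret_key: 'exampleSecretKeyDoNotUse',
                              region: 'ap-northeast-1', now: Time.utc(2024, 11, 16, 12, 0, 0))
  puts JSON.pretty_generate(post)
end
```

Because the limit lives inside the signed policy, a client cannot raise it without breaking the signature; the slide's second measure, an S3 trigger that checks the stored object's size, is the backstop for objects that arrive through any path other than this URL.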
  28. Active Object Storage Metadata Tampering (section slide)
     Risks of changing object storage metadata:
     - XSS due to changing Content-Type (this section)
     - RFD due to changing Content-Disposition
     - EDoS due to changing the storage class
     - ...
  29. Metadata
     Object = Data (binary) + Metadata
     - Data can be saved via the API
     - Specific metadata, such as Content-Type, can also be saved
  30. Content-Type
     Header that conveys the type of the response content. The format is as follows:
     Content-Type: image/png
  31. Bypassing Content-Type validation
     Code implementation        Bypass example
     startsWith(“image/png”)    image/png, text/html
     endsWith(“image/png”)      text/html; image/png
     /^image\/png/              image/png, text/html
     includes(“image/png”)      text/html; image/png
  32. Carrierwave
     The validation logic is generated as a regular expression built from the string set in the allowlist:
     /image\/png/
  33. Carrierwave
     The validation logic is generated as a regular expression built from the string set in the allowlist:
     /\Aimage\/png/
  34. Measures: User input validation
     - Content-Type is verified using an exact match
     - Partial matches are not used: startsWith, endsWith, includes
     - When using regular expressions, be careful of unintended matches with strings: /^image/(png|jpeg|jpg|gif)$/
  35. Measures: File verification
     Determine the value of Content-Type based on the information in the file:
     - File header
     - File extension
     - Magic bytes
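The bypass table on slide 31, the Carrierwave regexes on slides 32 and 33, and the measures on slides 34 and 35 can be exercised together. The following Ruby script is an added example, not the deck's or Carrierwave's code. It runs the slides' bypass values, plus a constructed multi-line value, through the partial-match checks and through the two recommended checks, then adds the slide 35 measures: magic-byte sniffing, an extension check, and a final accept decision that requires the declared Content-Type, the file name and the file contents to agree. It also shows why the ^...$ pattern from slide 34 needs \A and \z in Ruby, where ^ and $ match at line boundaries. The allowlist, the magic-byte table and the sample files are the example's own.

```ruby
ALLOWED_TYPES = %w[image/png image/jpeg image/gif].freeze
ALLOWED_EXTENSIONS = { 'image/png' => %w[.png], 'image/jpeg' => %w[.jpg .jpeg], 'image/gif' => %w[.gif] }.freeze

# Constructed Content-Type values: the bypass examples from slide 31 plus a
# multi-line value aimed at line anchors.
SAMPLE_CONTENT_TYPES = {
  legit:     'image/png',
  prefix:    'image/png, text/html',
  suffix:    'text/html; image/png',
  multiline: "text/html\nimage/png"
}.freeze

# Checks the slides show being bypassed. In Ruby ^ and $ match at line
# boundaries, so even slide 34's pattern passes the multi-line value.
WEAK_CHECKS = {
  'startsWith'          => ->(ct) { ct.start_with?('image/png') },
  'endsWith'            => ->(ct) { ct.end_with?('image/png') },
  'includes'            => ->(ct) { ct.include?('image/png') },
  'unanchored regex'    => ->(ct) { ct.match?(/image\/png/) },                 # slide 32
  'caret regex'         => ->(ct) { ct.match?(/^image\/png/) },                # ^ instead of \A
  'line-anchored regex' => ->(ct) { ct.match?(/^image\/(png|jpeg|jpg|gif)$/) } # slide 34's pattern in Ruby
}.freeze

# The slide 34 measures done properly: exact match, or a regex bound to the whole string.
STRICT_CHECKS = {
  'exact match'    => ->(ct) { ALLOWED_TYPES.include?(ct) },
  'anchored regex' => ->(ct) { ct.match?(/\Aimage\/(png|jpeg|jpg|gif)\z/) }
}.freeze

# Returns { check name => [names of the samples that check accepts] }.
def acceptance_matrix(checks = WEAK_CHECKS.merge(STRICT_CHECKS))
  checks.transform_values { |check| SAMPLE_CONTENT_TYPES.select { |_, ct| check.call(ct) }.keys }
end

# Slide 35: derive the type from the file itself (magic bytes).
MAGIC_BYTES = {
  'image/png'  => ["\x89PNG\r\n\x1A\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

def sniff_image_type(bytes)
  head = bytes.b
  type, _sigs = MAGIC_BYTES.find { |_, sigs| sigs.any? { |sig| head.start_with?(sig) } }
  type
end

def extension_matches?(filename, content_type)
  ALLOWED_EXTENSIONS.fetch(content_type, []).include?(File.extname(filename).downcase)
end

# Accept only when the declared type is on the allowlist and both the file
# name and the file contents agree with it.
def accept_upload?(declared_content_type, filename, bytes)
  ALLOWED_TYPES.include?(declared_content_type) &&
    extension_matches?(filename, declared_content_type) &&
    sniff_image_type(bytes) == declared_content_type
end

# Constructed samples: a PNG signature with padding (not a real image) and an HTML document.
PNG_SAMPLE  = "\x89PNG\r\n\x1A\n".b + ("\x00" * 16).b
HTML_SAMPLE = '<html><body>not an image</body></html>'.b

if __FILE__ == $PROGRAM_NAME
  acceptance_matrix.each { |name, accepted| puts format('%-20s accepts %s', name, accepted.inspect) }
  p accept_upload?('image/png', 'avatar.png', PNG_SAMPLE)  # true
  p accept_upload?('image/png', 'avatar.png', HTML_SAMPLE) # false
end
```

In the matrix, only "exact match" and "anchored regex" accept the legitimate value alone; every partial-match check accepts at least one crafted value, and the ^...$ pattern still admits the multi-line one, which is the Carrierwave \A lesson from slide 33 carried through to the end of the string.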
  36. Measures for vulnerabilities detectable by tools: Shisho Cloud
     - The only domestic SaaS that can assess web applications and the cloud in their entirety
     - Has a very competitive pricing model, with monthly fees going as low as 20,000 - 30,000 yen
  37. Vulnerabilities detectable by manual assessments: Security Assessments & Penetration Testing
     - In addition to the usual “black box” testing, we also perform “white box” testing, i.e. source code analysis
     - In addition to the increase in the volume of vulnerability reports, we can also provide more specific instructions on how to fix them
  38. Combination of Shisho Cloud and manual security assessments
     The two mutually reinforce each other.
     - Shisho Cloud provides advanced automation, which allows the Security Assessments & Penetration Testing to focus on the parts that “only a person can do”
     - The engineer's knowledge is returned as detection rules, and we continue to strengthen automation
  39. Conclusion
     - Leave the S3 settings to the tool and triage
     - Perform the vulnerability assessment according to the context of the application
     - Shisho Cloud provides advanced automation, which allows the Security Assessments & Penetration Testing to focus on the parts that “only a person can do”
     - New knowledge gets added in as new detection rules, and we continue to strengthen automation