Slide 1

Slide 1 text

Not Just Configuration Errors: A Comprehensive Look at Threats to Object Storage Services like S3. 11/14/2024. azara (@a_zara_n) / ei (@ei01241), Flatt Security Inc.

Slide 2

Slide 2 text

01 Self introduction

Slide 3

Slide 3 text

Self-introduction: azara. Norihide Saito / azara (X @a_zara_n), Flatt Security Inc. Norihide joined Flatt Security in 2020 and is engaged in professional services for web applications and public clouds. He is involved in activities to raise awareness of security in public clouds and web applications through external organizations such as ISOG-J WG1, and has spoken at and held workshops at JSAC (2024), AWS DevDay (2023), and Security-JAWS DAYS (2023).

Slide 4

Slide 4 text

Self-introduction: ei. Eiji Mori / ei (X @ei01241), Flatt Security Inc. After graduating from the Graduate School of Kagoshima University, Eiji joined Flatt Security in April 2021. As a security engineer, he is mainly in charge of web application and smartphone application assessments. He has been involved in Security Camp related events in the past, so he has a wide range of interests, from hardware to software. His hobbies are vulnerability research and weight training.

Slide 5

Slide 5 text

02 Introduction

Slide 6

Slide 6 text

Introduction
Do you think that you can detect all S3 vulnerabilities using just a tool?
Vulnerabilities that can be detected using a tool:
- Inadequate S3 settings
- ...
Vulnerabilities that cannot be detected using a tool:
- EDoS
- XSS due to metadata modification
- ...

Slide 7

Slide 7 text

03 What is S3?

Slide 8

Slide 8 text

S3
Object storage service provided by AWS. Typical uses:
- Application storage
- Image and video distribution
- Static site distribution
- ...

Slide 9

Slide 9 text

The Position of S3 in Cloud Environments. In serverless architectures, S3 is often used as the storage layer in environments composed of Lambda, API Gateway, etc.

Slide 10

Slide 10 text

04 Classify S3 threats

Slide 11

Slide 11 text

04-1 Vulnerabilities detectable by tools

Slide 12

Slide 12 text

Leakage of personal information and tampering with resources
Improper S3 settings:
- Improper S3 public access permissions
- Improper S3 write permissions
- ...

Slide 13

Slide 13 text

04-2 Vulnerabilities detectable by manual assessments

Slide 14

Slide 14 text

EDoS (Economic Denial of Sustainability)
- An attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees
- An attack on the total amount of data stored in a month
- An attack on the number of requests in a month
- An attack on the amount of data transferred in a month

Slide 15

Slide 15 text

Active Object Storage Metadata Tampering
Risks of changing object storage metadata:
- XSS due to changing Content-Type
- RFD (Reflected File Download) due to changing Content-Disposition
- EDoS due to changing the storage class
- ...

Slide 16

Slide 16 text

05 Vulnerabilities detectable by tools

Slide 17

Slide 17 text

Leakage of personal information and tampering with resources
Improper S3 settings:
- Improper S3 public access permissions
- Improper S3 write permissions
- ...

Slide 18

Slide 18 text

Leakage of personal information and tampering with resources (focus: improper S3 public access permissions)

Slide 19

Slide 19 text

Improper S3 public access permissions. If this policy is granted to the S3 bucket...

Slide 20

Slide 20 text

Improper S3 public access permissions. Because the S3 bucket allows public access, confidential information may be leaked to attackers. (Read)

Slide 21

Slide 21 text

Leakage of personal information and tampering with resources (focus: improper S3 write permissions)

Slide 22

Slide 22 text

Improper S3 write permissions. If this policy is granted to the S3 bucket...

Slide 23

Slide 23 text

Improper S3 write permissions. Because it is possible to write to the S3 bucket, the resources can be tampered with by attackers. (Write)

Slide 24

Slide 24 text

Measures
- Narrow down the scope of users who are allowed access in the Principal
- Do not set "AWS": "*" (or "Principal": "*") inappropriately within the Principal
- Set Action and Resource according to the principle of least privilege
- If "Effect": "Allow" is used, do not set "Action": "*" or "Resource": "*" inappropriately
- Narrow down the scope of the S3 bucket (and key prefix) that is allowed in the Resource
- Do not set "*" inappropriately in the Resource
- Introduce a tool that can perform automatic detection
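As an added example (not code from the slides or from Flatt Security's tooling), the following Python script checks a bucket policy for the patterns listed above: a public Principal, a wildcard Action and a wildcard Resource in an Allow statement. The two policies are constructed for this example; example-bucket, the role name and the account ID 123456789012 are placeholders.

```python
import json

# Constructed sample policies (not from the slides). 123456789012 and
# example-bucket are placeholders.
PUBLIC_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": "*"}
  ]
}
"""

LEAST_PRIVILEGE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-upload-role"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*"}
  ]
}
"""

# Actions that let a principal read, or modify, bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:deleteobjectversion",
                 "s3:putobjectacl", "s3:putbucketpolicy", "s3:putbucketacl"}


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True when the statement applies to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matches(actions, wanted):
    """Does the Action set cover any of `wanted`? s3:* and * cover everything."""
    return bool(actions & wanted) or "s3:*" in actions or "*" in actions


def lint_bucket_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that violate least privilege.

    Only the common Principal/Action/Resource form is inspected; NotPrincipal,
    NotAction and NotResource statements should be reviewed by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        resources = _as_list(st.get("Resource"))
        public = is_public_principal(st.get("Principal"))
        # A Condition may narrow a public grant (e.g. to a VPC endpoint); flag it
        # for review rather than trusting it blindly.
        suffix = " (a Condition is present: confirm it really restricts access)" if st.get("Condition") else ""
        if public and _matches(actions, READ_ACTIONS):
            findings.append((sid, "public read: anyone can download objects or list the bucket" + suffix))
        if public and _matches(actions, WRITE_ACTIONS):
            findings.append((sid, "public write: anyone can upload, overwrite or delete objects" + suffix))
        if "*" in actions or "s3:*" in actions:
            findings.append((sid, "wildcard Action: grant only the specific s3 actions needed"))
        if "*" in resources:
            findings.append((sid, "wildcard Resource: scope to the bucket ARN and a key prefix"))
    return findings


if __name__ == "__main__":
    for name, policy in (("PUBLIC_POLICY", PUBLIC_POLICY), ("LEAST_PRIVILEGE_POLICY", LEAST_PRIVILEGE_POLICY)):
        print(name)
        for sid, finding in lint_bucket_policy(policy) or [("-", "no findings")]:
            print(f"  {sid}: {finding}")
```

Run it on the JSON returned by `aws s3api get-bucket-policy`; a tool such as the one the slides recommend does the same kind of check across every bucket in the account, which is why this class of issue is well suited to automation.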

Slide 25

Slide 25 text

06 Vulnerabilities detectable by manual assessments

Slide 26

Slide 26 text

06-1 EDoS (Economic Denial of Sustainability)

Slide 27

Slide 27 text

EDoS (Economic Denial of Sustainability)
- An attack that focuses on metered billing and causes excessive consumption of cloud resources, resulting in high usage fees
- An attack on the total amount of data stored in a month
- An attack on the number of requests in a month
- An attack on the amount of data transferred in a month

Slide 28

Slide 28 text

EDoS (focus: an attack on the total amount of data stored in a month)

Slide 29

Slide 29 text

Storage data capacity billing
Storage data capacity | Price
Up to 50 TB / month | 0.025 USD / GB
Next 450 TB / month | 0.024 USD / GB
500 TB / month or more | 0.023 USD / GB
- The price varies depending on the amount of data stored on S3
- The more data you store, the lower the price per GB

Slide 30

Slide 30 text

An attack on the total amount of data stored in a month: increase the total amount of data stored per month. Uploading a 500 TB file: about 11,500 USD / month (500,000 GB × 0.023 USD / GB, applying the lowest tier rate to the whole volume): huge. A single S3 object is limited to 5 TB, so in practice the 500 TB is spread across many objects; the storage bill is the same.

Slide 31

Slide 31 text

EDoS (focus: an attack on the number of requests in a month)

Slide 32

Slide 32 text

Request billing
- The price per request does not change as the number of requests increases (no volume discount)
- The price differs depending on the method
- In the case of GET, the price of the transferred data is also added
Billing item | Price
GET, SELECT, and all other requests (per 1,000 requests) | 0.00037 USD
PUT, COPY, POST, LIST requests (per 1,000 requests) | 0.0047 USD

Slide 33

Slide 33 text

An attack on the number of requests in a month: increase the amount charged per request through high-volume access. 10 million requests sent (at the PUT, COPY, POST, LIST rate): 47 USD / month (10,000,000 / 1,000 × 0.0047 USD). The damage is minor.

Slide 34

Slide 34 text

EDoS (focus: an attack on the amount of data transferred in a month)

Slide 35

Slide 35 text

Billing for transferred data
- The amount of data transferred out of S3 affects the price
- The more data you transfer, the lower the price per GB
Amount of data transferred | Price
Up to 10 TB / month | 0.114 USD / GB
Next 40 TB / month | 0.089 USD / GB
Next 100 TB / month | 0.086 USD / GB
150 TB / month or more | 0.084 USD / GB

Slide 36

Slide 36 text

An attack on the amount of data transferred in a month: increase the amount charged through the cumulative amount of data transferred. Downloading a 150 TB file: about 12,600 USD / month (150,000 GB × 0.084 USD / GB, applying the lowest tier rate to the whole volume): huge. Unlike storage, an attacker does not need write access for this: repeatedly downloading a large public object is enough.

Slide 37

Slide 37 text

Measures for file uploads
- Upload with a size limit using the content-length-range condition of a pre-signed POST policy (a plain pre-signed PUT URL cannot enforce the body size)
- Size verification using an S3 trigger (e.g. a function invoked on object creation that checks the object size and deletes the object if it is over the limit)
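The pre-signed POST policy with a content-length-range condition, as an added example in Python (stdlib only; not code from the slides or from any AWS SDK). It builds the policy document that S3 evaluates, signs it with the SigV4 key derivation for S3 POST, and re-implements the condition checks locally so an assessor can see which condition stops an oversized upload or a tampered Content-Type. The bucket, region and credentials are placeholders; `evaluate_policy` is a simulation of the service-side check, not the service itself.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json

# Constructed values for the example; the access key, secret and bucket are placeholders.
BUCKET = "example-bucket"
REGION = "ap-northeast-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # 10 MiB: S3 rejects larger bodies before storing them


def build_post_policy(now, bucket=BUCKET, key_prefix="uploads/", content_type="image/png",
                      max_bytes=MAX_UPLOAD_BYTES, ttl_seconds=300):
    """Build the POST policy document S3 evaluates for a browser form upload.

    content-length-range is enforced by S3 itself, so an attacker holding the
    signed form cannot push 500 TB through it. Pinning Content-Type with an
    exact-match condition also stops the uploader from choosing text/html.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{ACCESS_KEY}/{date_stamp}/{REGION}/s3/aws4_request"
    expiration = (now + dt.timedelta(seconds=ttl_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", key_prefix],
            ["content-length-range", 0, max_bytes],
            {"Content-Type": content_type},
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_post_policy(policy, secret_key=SECRET_KEY, region=REGION):
    """SigV4 signature for a POST policy: base64(policy) signed with the derived key.
    The signing key is the HMAC chain over date, region, "s3" and "aws4_request"."""
    date_stamp = [c for c in policy["conditions"] if isinstance(c, dict) and "x-amz-date" in c][0]["x-amz-date"][:8]
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    return encoded, hmac.new(k_signing, encoded.encode(), hashlib.sha256).hexdigest()


def evaluate_policy(policy, fields, content_length):
    """Local re-implementation of the condition checks. Returns None when the upload
    is accepted, otherwise the first failing condition. `fields` are the multipart
    form fields; S3 takes "bucket" from the request URL, here it is passed explicitly."""
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            (name, expected), = cond.items()
            if fields.get(name) != expected:
                return cond
        elif cond[0] == "starts-with":
            if not str(fields.get(cond[1][1:], "")).startswith(cond[2]):
                return cond
        elif cond[0] == "content-length-range":
            if not cond[1] <= content_length <= cond[2]:
                return cond
    return None


def example_upload_fields(policy):
    """Form fields a legitimate client would send along with the signed policy."""
    creds = {k: v for c in policy["conditions"] if isinstance(c, dict) for k, v in c.items()}
    return {"bucket": BUCKET, "key": "uploads/avatar.png", "Content-Type": "image/png",
            "x-amz-algorithm": creds["x-amz-algorithm"], "x-amz-credential": creds["x-amz-credential"],
            "x-amz-date": creds["x-amz-date"]}


if __name__ == "__main__":
    policy = build_post_policy(dt.datetime.utcnow())
    encoded, signature = sign_post_policy(policy)
    fields = example_upload_fields(policy)
    print("1 MiB image/png:", evaluate_policy(policy, fields, 1024 * 1024))
    print("50 MiB image/png:", evaluate_policy(policy, fields, 50 * 1024 * 1024))
    print("1 KiB text/html:", evaluate_policy(policy, dict(fields, **{"Content-Type": "text/html"}), 1024))
```

The client posts `policy=<encoded>` and `x-amz-signature=<signature>` together with the fields above; because the conditions are covered by the signature, the uploader cannot loosen the size limit or the Content-Type without invalidating it. The S3 trigger from the second bullet remains useful as a second line of defence for uploads that arrive through other paths (SDK uploads from application code, for instance).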

Slide 38

Slide 38 text

Measures for file acquisition
- Use a CDN for large file distribution
- Limit the number of times a file can be downloaded

Slide 39

Slide 39 text

06-2 Active Object Storage Metadata Tampering

Slide 40

Slide 40 text

Active Object Storage Metadata Tampering (focus: XSS due to changing Content-Type)
Risks of changing object storage metadata:
- XSS due to changing Content-Type
- RFD due to changing Content-Disposition
- EDoS due to changing the storage class
- ...

Slide 41

Slide 41 text

Metadata
Object = Data (binary) + Metadata
- Data can be saved via the API
- Specific metadata such as Content-Type can also be saved

Slide 42

Slide 42 text

How to upload to S3
- SDK upload
- Pre-signed URL upload
- POST policy upload

Slide 44

Slide 44 text

SDK Upload

Slide 49

Slide 49 text

XSS caused by Content-Type tampering

Slide 50

Slide 50 text

Content-Type
Header that conveys the type of the response content. The format is as follows:
Content-Type: image/png

Slide 51

Slide 51 text

Interpretation differences between RFC and WHATWG. The RFC grammar for Content-Type allows a single media type, while a browser following the WHATWG Fetch rules for extracting a MIME type splits the header value on commas and takes the last entry, so a value such as "image/png, text/html" is rendered as text/html.

Slide 55

Slide 55 text

Bypassing Content-Type validation
Code implementation | Bypass example
startsWith("image/png") | image/png, text/html
endsWith("image/png") | text/html; image/png
/^image\/png/ | image/png, text/html
includes("image/png") | text/html; image/png

Slide 56

Slide 56 text

CVE-2023-49090 and CVE-2024-29034

Slide 57

Slide 57 text

Carrierwave

Slide 58

Slide 58 text

Carrierwave You can set the allowlist for Content-Type.

Slide 59

Slide 59 text

Carrierwave. The Content-Type string you set is inserted as-is into a regular expression.

Slide 60

Slide 60 text

Carrierwave. The validation logic is generated from a regular expression built from the string set in the allowlist: /image\/png/ (not anchored, so it matches anywhere in the submitted Content-Type).

Slide 61

Slide 61 text

Carrierwave

Slide 62

Slide 62 text

Carrierwave. After the fix, the validation logic is generated from the anchored regular expression: /\Aimage\/png/ (\A anchors the match at the start of the string; the end is still unanchored).

Slide 63

Slide 63 text

Carrierwave

Slide 64

Slide 64 text

Measures: User input validation
- Verify Content-Type using an exact match
- Do not use partial matches: startsWith, endsWith, includes
- When using regular expressions, be careful of unintended matches; anchor both ends: /^image\/(png|jpeg|jpg|gif)$/ (in Ruby, ^ and $ match at line boundaries, so use \A and \z)
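The bypass table and the exact-match measure, as an added Python example (not code from the slides or from CarrierWave): each partial-match validator is run against the two bypass strings, and a simplified model of the WHATWG MIME type extraction shows which of the accepted values a browser would render as text/html. `browser_effective_type` is a deliberately reduced model of the Fetch algorithm (last comma-separated entry wins, parameters dropped), not a full implementation.

```python
import re

ALLOWED = "image/png"


# Partial-match validators as they commonly appear in upload handlers.
def check_starts_with(ct):
    return ct.startswith(ALLOWED)


def check_ends_with(ct):
    return ct.endswith(ALLOWED)


def check_start_anchored_regex(ct):
    return re.match(r"^image/png", ct) is not None  # like /^image\/png/ or Ruby's /\Aimage\/png/


def check_unanchored_regex(ct):
    return re.search(r"image/png", ct) is not None  # like the pre-fix CarrierWave /image\/png/


def check_includes(ct):
    return ALLOWED in ct


# Hardened forms.
def check_exact(ct):
    return ct == ALLOWED


IMAGE_RE = re.compile(r"^image/(png|jpeg|jpg|gif)$")


def check_anchored_regex(ct):
    # re.fullmatch rather than re.match: with re.match, "$" also matches just before a
    # trailing newline, so "image/png\n" would slip through ^...$.
    return IMAGE_RE.fullmatch(ct) is not None


def browser_effective_type(header_value):
    """Simplified model of how a WHATWG Fetch client extracts the MIME type: split the
    header on commas, take the last non-empty entry, drop parameters, lowercase."""
    entries = [e.strip() for e in header_value.split(",") if e.strip()]
    if not entries:
        return ""
    return entries[-1].split(";")[0].strip().lower()


def bypass_table():
    """For each validator, the Content-Type values (from the slide's two bypass strings)
    that pass the check but are rendered as text/html by the browser, i.e. an XSS vector."""
    candidates = ["image/png, text/html", "text/html; image/png"]
    checks = {
        "startsWith": check_starts_with,
        "endsWith": check_ends_with,
        "start-anchored regex": check_start_anchored_regex,
        "unanchored regex": check_unanchored_regex,
        "includes": check_includes,
        "exact": check_exact,
        "anchored regex": check_anchored_regex,
    }
    return {name: [c for c in candidates if fn(c) and browser_effective_type(c) == "text/html"]
            for name, fn in checks.items()}


if __name__ == "__main__":
    for name, bypasses in bypass_table().items():
        print(f"{name:22s} -> {bypasses or 'no bypass'}")
```

Only the exact comparison and the regex anchored at both ends reject every bypass string; the start-anchored form (the CarrierWave fix shown above) still accepts "image/png, text/html", which is exactly the value a browser interprets as HTML.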

Slide 65

Slide 65 text

Measures: File verification
Determine the value of Content-Type from information in the file rather than from the client-supplied header:
- File header
- File extension
- Magic bytes
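File-based Content-Type determination, as an added Python example (not code from the slides): the type stored in S3 metadata is derived from the file's magic bytes, and the upload is rejected unless the magic bytes, the extension and the declared header agree. The signature table covers only PNG, JPEG and GIF and the sample inputs are constructed; extend the table with the types your application actually accepts.

```python
import os

# Signature table: leading bytes -> canonical Content-Type. Constructed for the example.
MAGIC_BYTES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

EXTENSION_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif"}


def sniff_content_type(data):
    """Return the Content-Type implied by the file's magic bytes, or None if unknown."""
    for magic, content_type in MAGIC_BYTES:
        if data[:len(magic)] == magic:
            return content_type
    return None


def determine_content_type(filename, data, declared_type):
    """Decide the Content-Type to store in S3 metadata from file evidence, not the client header.

    Accepts only when magic bytes, extension and the declared header all agree; the
    returned value is what the server should pass as ContentType on PutObject.
    Raises ValueError otherwise so the upload is rejected before it reaches the bucket.
    """
    sniffed = sniff_content_type(data)
    if sniffed is None:
        raise ValueError("unrecognised file signature")
    ext_type = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    if ext_type != sniffed:
        raise ValueError(f"extension says {ext_type}, content says {sniffed}")
    if declared_type.strip().lower() != sniffed:
        raise ValueError(f"declared Content-Type {declared_type!r} does not match content {sniffed}")
    return sniffed


def is_accepted(filename, data, declared_type):
    """Convenience wrapper: True when the upload would be stored, False when rejected."""
    try:
        determine_content_type(filename, data, declared_type)
        return True
    except ValueError:
        return False


# Constructed sample inputs: a minimal PNG header, an HTML document renamed to .png,
# and a GIF/HTML polyglot.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
HTML_SAMPLE = b"<html><script>alert(1)</script></html>"
GIF_HTML_POLYGLOT = b"GIF89a<script>alert(1)</script>"

if __name__ == "__main__":
    for name, fname, data, declared in (
        ("genuine png", "avatar.png", PNG_SAMPLE, "image/png"),
        ("html as png", "avatar.png", HTML_SAMPLE, "image/png"),
        ("png declared html", "avatar.png", PNG_SAMPLE, "text/html"),
        ("gif polyglot", "avatar.gif", GIF_HTML_POLYGLOT, "image/gif"),
    ):
        print(f"{name:18s} accepted={is_accepted(fname, data, declared)}")
```

The polyglot case is the caveat: a file beginning with a valid GIF signature but containing HTML passes the magic-byte check. It is still served with the server-chosen Content-Type image/gif rather than whatever the uploader declared, which is what prevents the browser from rendering it as a document; setting X-Content-Type-Options: nosniff on the distribution closes the remaining sniffing path.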

Slide 66

Slide 66 text

06 Segregation of security services targeting the cloud at Flatt Security

Slide 67

Slide 67 text

Measures for vulnerabilities detectable by tools: Shisho Cloud
- The only domestic SaaS that can assess web applications and the cloud in their entirety
- Has a very competitive pricing model, with monthly fees going as low as 20,000 - 30,000 yen

Slide 68

Slide 68 text

Vulnerabilities detectable by manual assessments: Security Assessments & Penetration Testing
- In addition to the usual "black box" testing, we also perform "white box" testing, i.e. source code analysis
- In addition to the increase in the volume of vulnerability reports, we can also provide more specific instructions on how to fix them

Slide 69

Slide 69 text

Combination of Shisho Cloud and manual security assessments. The two mutually reinforce each other: Shisho Cloud provides advanced automation, which allows the Security Assessments & Penetration Testing to focus on the parts that "only a person can do"; the engineers' knowledge is returned as detection rules, and automation continues to be strengthened.

Slide 70

Slide 70 text

07 Conclusion

Slide 71

Slide 71 text

Conclusion
- Leave the S3 settings to the tool and triage
- Perform vulnerability assessment according to the context of the application
Security Assessments & Penetration Testing: provides advanced automation and allows you to focus on the parts that "only a person can do". New knowledge gets added as new detection rules, and automation continues to be strengthened.