Introduction
The object traversal issue in AWS S3 buckets, where anyone can enumerate the objects a bucket contains, is a common problem with two main causes: an incorrect ACL (Access Control List) configuration and an incorrect bucket policy configuration. In the following sections, we will explain in detail how to detect and prevent both misconfigurations.
Introduction to Object Traversal Issue
Let's consider a storage bucket where, upon opening it, we can see the following content:
As we can observe, the bucket directly lists the files it contains, indicating the presence of an object traversal issue. Now, let's delve into why this issue occurs.
- Incorrect ACL configuration: when the ACL of a storage bucket grants the "List" permission to everyone, the result is an object traversal problem.
- Incorrect policy configuration: in addition to ACL misconfigurations, an incorrectly written bucket policy can lead to the same problem. Here's an example of a policy with an erroneous configuration:
```json
{
  "Version": "2012-10-17",
  "Id": "test",
  "Statement": [
    {
      "Sid": "test",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::selefra-test-xxxx"
    }
  ]
}
```
In this policy, the principal "*" (every principal, including unauthenticated requests) is granted the "s3:ListBucket" permission on the "selefra-test-xxxx" bucket, which also leads to an object traversal issue.
Fixing the Object Traversal Issue
To fix the issue caused by an ACL misconfiguration, it is sufficient to uncheck the "List" option for "Everyone" (the AllUsers group). For an incorrect policy configuration, follow the principle of least privilege: grant the specific permissions to designated principals instead of allowing access to all users with "Principal": "*".
Quickly Discovering Object Traversal Issues Using Selefra
Manually identifying these problems can be time-consuming and difficult to perform in bulk. Selefra can assist in quickly detecting these risks.
Selefra Project Repository: github.com/selefra/selefra
Regular Usage of Selefra
Let's start by installing Selefra:
```shell
brew tap selefra/tap
brew install selefra/tap/selefra
```
Next, create a new project folder:
```shell
mkdir selefra-test
cd selefra-test
```
Copy the following YAML file into this folder:
```yaml
selefra:
  name: selefra-test
  connection:
    type: postgres
    username: your_username
    password: your_password
    host: 127.0.0.1
    port: 5432
    database: postgres
    sslmode: disable
  log_level: info
  providers:
    - name: aws
      source: aws
      version: v0.1.0

providers:
  - name: aws
    provider: aws
    cache: 7d

rules:
  - name: bucket_object_traversal_by_policy
    metadata:
      title: S3 bucket object traversal by policy
    query: |-
      -- One row per policy statement; flag statements that let everyone list the bucket.
      SELECT DISTINCT a1.*
      FROM aws_s3_buckets a1,
           json_array_elements(a1.policy::json -> 'Statement') a2
      WHERE (
          a2 ->> 'Action' = 's3:ListBucket'
          OR a2 ->> 'Action' = 's3:List*'
          OR a2 ->> 'Action' = 's3:*'
        )
        AND a2 ->> 'Effect' = 'Allow'
        AND (
          a2 ->> 'Principal' = '*'
          OR a2 -> 'Principal' ->> 'AWS' = '*'
        )
        -- Only bucket-level ARNs matter: an object ARN ending in '/*' cannot grant ListBucket.
        AND right(a2 ->> 'Resource', 2) <> '/*';
    output: "S3 bucket object traversal by policy, arn: {{.arn}}"
  - name: bucket_object_traversal_by_acl
    metadata:
      title: S3 bucket object traversal by acl
    query: |-
      -- Flag buckets whose ACL grants READ (list) or FULL_CONTROL to the AllUsers group.
      SELECT DISTINCT a1.*
      FROM aws_s3_buckets a1,
           aws_s3_bucket_grants a2
      WHERE a1.selefra_id = a2.aws_s3_buckets_selefra_id
        AND a2.grantee::jsonb ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
        AND a2.permission IN ('READ', 'FULL_CONTROL');
    output: "S3 bucket object traversal by acl, arn: {{.arn}}"
```

This configuration consists of three modules: "selefra", "providers", and "rules". Under the "selefra" module, configure your PostgreSQL connection details in the "connection" block. The top-level "providers" module enables the AWS provider and sets its cache duration. The "rules" module contains the detection rules: the "title" field names the detection strategy, and the "query" field holds the SQL query that runs against the database to find at-risk resources.
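To show the same two checks outside the database, here is an added Python example (not Selefra's code) that applies the policy rule and the ACL rule above to a bucket policy document and to a list of ACL grants; it goes one step beyond the SQL by also handling the list-valued forms of Action, Resource and Principal.AWS that IAM allows. The grant shape (boto3-style Grantee/Permission dictionaries) and the sample policy are assumptions constructed for the example.

```python
import json

# Actions that permit listing a bucket's objects (the set the policy rule matches on).
LIST_ACTIONS = {"s3:ListBucket", "s3:List*", "s3:*"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # "Principal": "*"  or  "Principal": {"AWS": "*"} (also when "AWS" is a list)
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_list_statements(policy_json):
    """Sids of Allow statements that let anyone list the bucket (same conditions as
    bucket_object_traversal_by_policy: public Principal, list-capable Action,
    bucket-level Resource, i.e. one not ending in '/*')."""
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement")):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        if not set(_as_list(st.get("Action"))) & LIST_ACTIONS:
            continue
        if any(not r.endswith("/*") for r in _as_list(st.get("Resource"))):
            hits.append(st.get("Sid", ""))
    return hits

def acl_allows_public_list(grants):
    """Same conditions as bucket_object_traversal_by_acl: an AllUsers grant with READ
    or FULL_CONTROL. `grants` is assumed to look like boto3 get_bucket_acl()["Grants"]."""
    return any(
        g.get("Grantee", {}).get("URI") == ALL_USERS_URI
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in grants
    )

# Constructed sample: the article's policy, but with list-valued Principal.AWS and Action,
# which a single-string comparison such as a2 ->> 'Action' = 's3:ListBucket' would miss.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "test", "Effect": "Allow", "Principal": {"AWS": ["*"]},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "arn:aws:s3:::selefra-test-xxxx"}],
})
```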
Before starting the detection, configure your AWS credentials using the following command:
```shell
aws configure
```
Then, run the following command to execute Selefra:
```shell
selefra apply
```

Selefra will initiate the detection process, and you will receive results similar to the example below:
In the results, you can identify the at-risk storage buckets. In addition to the above method, Selefra also integrates a ChatGPT feature, allowing you to discover risk points by querying Selefra directly in natural language.
Selefra's GPT Feature
Similar to the previous steps, create a new folder and copy the following YAML file into it:
```yaml
selefra:
  name: selefra-test
  connection:
    type: postgres
    username: yourusername
    password: yourpassword
    host: 127.0.0.1
    port: 5432
    database: postgres
    sslmode: disable
  log_level: info
  openai_api_key: your_openai_api_key
  openai_mode: gpt-4
  openai_limit: 10
  providers:
    - name: aws
      source: aws
      version: v0.1.0

providers:
  - name: aws
    provider: aws
    cache: 7d

rules:
```
In this configuration, you need to provide your own OpenAI API key in "openai_api_key" and choose between GPT-4 and GPT-3.5 in "openai_mode". The "rules" block can be left empty, because the rules will be generated automatically by the AI.
Before starting the detection, configure your AWS credentials, and then you can use the GPT feature as follows:
```shell
selefra gpt "Query S3 Buckets that allow list objects"
```
The output lists the risks discovered in your cloud environment, so a single natural-language query is enough to identify them.
Conclusion
Object traversal issues in S3 storage buckets are common and important to address. Through this article, I hope to help you understand and mitigate the object traversal issues in AWS S3 storage. With the help of Selefra, we can make the cloud more secure.