Yasin Soliman


I'm Yasin, a security analyst and researcher from the UK. This is my personal blog for sharing technical findings. I also write for Graham Cluley and Tripwire.


Introducing Sandcastle: a script for S3 bucket enumeration


I've just published Sandcastle – a Python script for AWS S3 bucket enumeration. It's the public version of a personal script formerly known as bucketCrawler.


Intended for bug bounty and penetration testing engagements, Sandcastle takes a target's name as the "stem" (e.g. shopify), iterates through a list of potential name permutations and reports every one that resolves to an existing bucket. Because S3 bucket names are globally unique, an unauthenticated request for a name that nobody owns returns 404 (NoSuchBucket); a 403 means the bucket exists but anonymous listing is denied, and a 200 means the bucket listing itself is public.

[+] Match: shopify-dev --> 403
[+] Match: shopify-pics --> 403
[+] Match: shopify-assets --> 403
[+] Match: shopify-development --> 403
[+] Match: shopify-content --> 403
[+] Match: shopify-ops --> 200
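To make the mechanism concrete, here is a small enumerator in the same spirit. It is an added example written for this page, not Sandcastle's own code: the suffix list is a constructed stand-in for a real wordlist, the permutation patterns (stem, stem-suffix, stemsuffix, suffix-stem) are assumptions, and the probe is a plain unauthenticated GET against the virtual-hosted-style endpoint. The probe is injectable so the classification logic can be exercised without touching the network.

```python
"""Bucket-name permutation and unauthenticated probing in the style of
Sandcastle. Added example for this page; not the project's own code.
The suffix list and permutation patterns below are assumptions."""
import re
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed sample; a real run would load a much longer wordlist.
DEFAULT_SUFFIXES = ["dev", "pics", "assets", "development",
                    "content", "ops", "backup", "static"]

# S3 naming rules: 3-63 chars of lowercase letters, digits and hyphens,
# beginning and ending with a letter or digit. Dots are legal too but are
# left out here because a dotted name breaks TLS on <bucket>.s3.amazonaws.com.
_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{1,61}[a-z0-9])?$")


def is_valid_bucket_name(name):
    """True if the name could be an S3 bucket under the rules above."""
    return bool(_NAME_RE.match(name))


def candidate_names(stem, suffixes=DEFAULT_SUFFIXES):
    """Yield unique, valid permutations of the stem (assumed patterns)."""
    seen = set()
    raw = [stem] + [p for s in suffixes
                    for p in (f"{stem}-{s}", f"{stem}{s}", f"{s}-{stem}")]
    for name in raw:
        if name not in seen and is_valid_bucket_name(name):
            seen.add(name)
            yield name


def classify(status):
    """What an unauthenticated GET status says about the bucket.

    Bucket names are global, so 404 (NoSuchBucket) means the name is
    unclaimed anywhere in S3. 403 means the bucket exists but anonymous
    listing is denied; 200 means the listing itself is public.
    """
    verdicts = {404: "no such bucket",
                403: "exists, listing denied",
                200: "exists, listing public"}
    return verdicts.get(status, f"unexpected (HTTP {status})")


def http_probe(bucket, timeout=5):
    """Unauthenticated GET of https://<bucket>.s3.amazonaws.com/ -> HTTP status.

    urllib follows the redirect S3 issues for buckets homed in another
    region, so the status returned reflects the bucket's real endpoint.
    """
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/",
                                 headers={"User-Agent": "bucket-enum-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_buckets(stem, suffixes=DEFAULT_SUFFIXES, probe=http_probe, workers=8):
    """Probe every permutation; return {name: status} for names that exist.

    Anything other than 404 is treated as a hit and left to the caller to
    interpret via classify(). `probe` is injectable so the logic can be
    tested offline with a fake status table.
    """
    names = list(candidate_names(stem, suffixes))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = list(pool.map(probe, names))
    return {n: s for n, s in zip(names, statuses) if s != 404}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example"
    for name, status in enumerate_buckets(target).items():
        print(f"[+] Match: {name} --> {status}  ({classify(status)})")
```

A 403 is worth recording even though nothing can be listed anonymously: it confirms the name belongs to someone, and a bucket that denies listing may still allow authenticated-but-unrelated AWS identities (the "Any Authenticated AWS User" grantee) to read or write, which is a separate check. A 200 should be confirmed with an unsigned listing such as `aws s3 ls s3://<bucket> --no-sign-request` before it is reported.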

Find out more and download the script from GitHub.

Further reading

Along with the Sandcastle script, I've included a selection of reference points in README.md and below.

What is S3?

From the Amazon documentation, Working with Amazon S3 Buckets:

Amazon S3 [Simple Storage Service] is cloud storage for the Internet. To upload your data (photos, videos, documents etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket.

In terms of implementation, buckets and objects are resources, and Amazon S3 provides APIs for you to manage them.

Using the AWS CLI

Here are some AWS CLI commands that may prove useful when testing a target's S3 buckets.

Learning more

Scott Piper (@0xdabbad00)'s flAWS is a great resource for getting started with "common mistakes and gotchas" involving Amazon Web Services.

Also – take a look at #128088 and #129381 – a pair of incredibly helpful HackerOne reports by @yaworsk!

Edit (9th April): the example Sandcastle output has been updated to reflect changes in version 1.1.0. Furthermore, after a further round of changes, I'm pleased to announce that Sandcastle is now live on PyPI and can be installed via pip!
