Utilizing various techniques for recon and enumeration, an attacker can discover orphaned CloudFront distributions or DNS records that are attempting to serve content from an S3 bucket that no longer exists. If an adversary finds one of these, they can create an S3 bucket with the same name in their own account and use it to serve malicious content. This content would then be distributed by the victim and appear legitimate to an outside observer.
Note
Previously, calls to a CloudFront distribution backed by an S3 bucket that was deleted would result in a NoSuchBucket error. For example:
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>hackingthe.cloud</BucketName>
<RequestId>68M9C1KTARF9FBYN</RequestId>
<HostId>RpbdvVU9AXidVVI/1zD+WTwYdVI5YMqQNJShmf6zJlztBVyINq8TtqbzWpThdi/LivlOWRVCPVs=</HostId>
</Error>
This made it easy for attackers to identify the bucket name and quickly create their own to serve malicious content. As of late 2023, this behavior has been changed. CloudFront distributions pointing to deleted S3 buckets now return a NotFound error that does not include the bucket name. This is a clear security improvement from AWS and makes this misconfiguration more difficult for an adversary to abuse.
If an adversary can enumerate the deleted bucket name through other means, they can perform the attack as normal.
While there are a variety of ways in which this could be harmful, typically an adversary would serve JavaScript content that could be used to impact other parts of the domain. An adversary could use this to potentially steal browser cookies, perform actions as the user, and more.
Tip
Misconfigurations such as these are typically caused by poor hygiene in retiring cloud resources. Always be sure to delete DNS records first to potentially mitigate these issues. Tools such as OWASP's domain-protect automate the discovery of vulnerable domains and CloudFront distributions.
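A minimal version of the defensive check such tools perform, written here as an added example rather than code from the page or from domain-protect: it parses the bucket name out of each CloudFront S3 origin domain and reports origins whose bucket no longer exists. The distribution records and bucket names are constructed sample data; `audit_account` assumes boto3 and AWS credentials are available.

```python
import re
from typing import Iterable, List, Optional, Tuple

# CloudFront S3 origin domain shapes (REST and static-website endpoints, with or
# without region/dualstack labels). The bucket name is everything before ".s3".
# Caveat: a bucket whose own name contains ".s3" is ambiguous for this regex.
_S3_ORIGIN_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:[.-]website)?(?:[.-][a-z0-9-]+)*\.amazonaws\.com$"
)


def s3_bucket_from_origin(domain_name: str) -> Optional[str]:
    """Return the bucket name behind an S3 origin, or None for non-S3 origins."""
    m = _S3_ORIGIN_RE.match(domain_name.lower())
    return m.group("bucket") if m else None


def find_dangling_origins(distributions: Iterable[dict],
                          existing_buckets: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (distribution id, origin id, bucket) for each S3 origin whose
    bucket is not in existing_buckets, i.e. an origin that could be claimed."""
    existing = set(existing_buckets)
    dangling = []
    for dist in distributions:
        for origin in dist["Origins"]["Items"]:
            bucket = s3_bucket_from_origin(origin["DomainName"])
            if bucket is not None and bucket not in existing:
                dangling.append((dist["Id"], origin["Id"], bucket))
    return dangling


# Constructed sample shaped like CloudFront's ListDistributions output; ids and
# bucket names are made up for this example.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EXAMPLE1", "Origins": {"Items": [
        {"Id": "assets", "DomainName": "assets-prod.s3.us-east-1.amazonaws.com"}]}},
    {"Id": "EXAMPLE2", "Origins": {"Items": [
        {"Id": "static", "DomainName": "old-marketing-site.s3-website-us-west-2.amazonaws.com"},
        {"Id": "api", "DomainName": "api.internal.example.com"}]}},
    {"Id": "EXAMPLE3", "Origins": {"Items": [
        {"Id": "docs", "DomainName": "hackingthe.cloud.s3.amazonaws.com"}]}},
]
SAMPLE_EXISTING_BUCKETS = {"assets-prod"}


def audit_account() -> List[Tuple[str, str, str]]:
    """Run the check against a live account (assumes boto3 and credentials).
    list_buckets only shows this account's buckets, so a hit means the bucket is
    either gone or already held by another account; both need investigation."""
    import boto3
    cf, s3 = boto3.client("cloudfront"), boto3.client("s3")
    dists = [d for page in cf.get_paginator("list_distributions").paginate()
             for d in page.get("DistributionList", {}).get("Items", [])]
    return find_dangling_origins(dists, {b["Name"] for b in s3.list_buckets()["Buckets"]})


if __name__ == "__main__":
    for dist_id, origin_id, bucket in find_dangling_origins(SAMPLE_DISTRIBUTIONS, SAMPLE_EXISTING_BUCKETS):
        print(f"{dist_id}/{origin_id}: origin bucket '{bucket}' does not exist")
```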