This Burp Suite extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.
You can install this extension directly from the BApp Store or manually by cloning this repo and following these steps:
- Open the Burp Suite Extender tab.
- Open the "Options" subtab.
- Set the "Folder for loading modules" setting to the pathname of the "BappModules" folder.
- Open the "Extensions" subtab.
- Click "Add" and set "Extension type" to "Python".
- Set "Extension file (.py)" to the pathname of the "main.py" file and click Next.
The settings tab provides the following settings; below is a description of each:
Setting | Description | Required |
---|---|---|
AWS Access Key | Your AWS account access key ID | True |
AWS Secret Key | Your AWS account secret key | True |
AWS Session Key | A temporary session token | False |
GS Access Key | Your Google account access key ID | True |
GS Secret Key | Your Google account secret key | True |
Wordlist Filepath | A filepath for a wordlist of filenames | False |
Passive Mode | Perform passive checks only | N/A |
SSL Verification | Enable/disable SSL verification | N/A |
Notes:
- AWS keys can be obtained from your AWS Management Console. For Google Cloud, see the documentation.
- When SSL verification is enabled, buckets with a dot in their name will not be thoroughly tested due to SSL verification errors in boto (see: /boto/boto/issues/2836). You can either disable SSL Verification to test these (not recommended) or use this command-line script to test such buckets (/VirtueSecurity/aws-extender-cli).
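The SSL note above comes down to how a bucket name is placed in the request URL. Under virtual-hosted-style addressing the bucket becomes a hostname label, and a wildcard certificate such as `*.s3.amazonaws.com` only covers a single label, so a bucket named `assets.example.com` produces a hostname the certificate does not match. Path-style addressing keeps the bucket in the URL path and the bare endpoint as the host, which verifies normally. The following added example (not part of the AWS Extender project or of boto) shows both URL forms and the one-label wildcard rule; the endpoint name and certificate names are assumptions chosen for illustration, and the bucket names are constructed.

```python
"""Added example, not code from the AWS Extender project: why a bucket name
containing a dot fails TLS hostname verification under virtual-hosted-style
addressing, and why path-style addressing does not."""

# Assumed endpoint for the illustration.
S3_ENDPOINT = "s3.amazonaws.com"
# Assumption: the endpoint's certificate lists the bare endpoint name and a
# one-label wildcard beneath it (the layout that causes the dotted-bucket issue).
CERT_NAMES = ["s3.amazonaws.com", "*.s3.amazonaws.com"]


def virtual_hosted_url(bucket: str, key: str = "") -> str:
    """Virtual-hosted style: the bucket name becomes a hostname label."""
    return f"https://{bucket}.{S3_ENDPOINT}/{key}"


def path_style_url(bucket: str, key: str = "") -> str:
    """Path style: the host is the bare endpoint, the bucket is in the path."""
    return f"https://{S3_ENDPOINT}/{bucket}/{key}"


def hostname_from_url(url: str) -> str:
    """Extract the host part the TLS client would verify the certificate against."""
    return url.split("://", 1)[1].split("/", 1)[0]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a leading '*' stands for exactly one DNS label.
    '*.s3.amazonaws.com' matches 'bucket.s3.amazonaws.com' but neither
    'my.bucket.s3.amazonaws.com' nor the bare 's3.amazonaws.com'."""
    host = hostname.lower()
    if not pattern.startswith("*."):
        return pattern.lower() == host
    suffix = pattern[1:].lower()          # ".s3.amazonaws.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the part the '*' must cover
    return bool(leftmost) and "." not in leftmost


def cert_matches(hostname: str, cert_names=CERT_NAMES) -> bool:
    """True if any name on the assumed certificate covers the hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def verification_report(bucket: str) -> dict:
    """For one bucket name, report whether each URL style would pass
    hostname verification against the assumed certificate."""
    return {
        "bucket": bucket,
        "virtual_hosted_ok": cert_matches(hostname_from_url(virtual_hosted_url(bucket))),
        "path_style_ok": cert_matches(hostname_from_url(path_style_url(bucket))),
    }


if __name__ == "__main__":
    # Constructed sample bucket names: one plain, one containing dots.
    for name in ["assets-prod", "assets.example.com"]:
        print(verification_report(name))
```

For the dotted bucket the report shows `virtual_hosted_ok: False` and `path_style_ok: True`, which is why forcing path-style requests is the safer alternative to switching SSL verification off; in boto3 this is selected through `botocore.config.Config(s3={"addressing_style": "path"})`.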