cloud-methodology.md

My Full Bug Bounty Hunting Methodology - Cloud

GOAL: Find misconfigurations in public cloud infrastructure deployed by the target that expose data

  • Targets Flaws in a Cloud Service Used by the Application
  • Examples:
    • Misconfigurations in Infrastructure Hosted By Cloud
    • Application Code Leverages Cloud Service

Enumerate Cloud Infrastructure and Attack Surface

  • Identify Cloud resources belonging to your target
    • Multi Cloud OSINT Search - Cloud_Enum
    • Resource identification by DNS records
      • Fire_cloud: a standalone tool that reviews DNS records of subdomains for AWS resources
        • Can be adapted to other cloud providers very easily
      • Note that other cloud resources could be searched for, and that sometimes these resources are hidden behind subdomains that point to them via CNAME records.
        • Look for CNAMEs pointing to ['amazonaws.com', 'digitaloceanspaces.com', 'windows.net', 'storage.googleapis.com', 'aliyuncs.com']
          • Not an exhaustive list
    • AADInternals OSINT to potentially identify new domains
      • In a PowerShell prompt:
        • import-module AADInternals
        • Invoke-AADIntReconAsOutsider -Domain "{target-website.com}" | format-table
  • Scraping web pages for cloud resources - Cloud Scraper
  • OSINT Search for Secrets
  • Nuclei Cloud Enum Templates
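
The CNAME check described in the list above, as an added example that is not part of the original methodology or of any tool it names. It reads zone-file style records for in-scope subdomains and reports which ones resolve onto the listed cloud suffixes; the function names, provider labels and sample records are assumptions made for illustration.

```python
# Added example: suffixes come from this page; labels and SAMPLE_ZONE are constructed.
CLOUD_SUFFIXES = {
    "amazonaws.com": "AWS",
    "digitaloceanspaces.com": "DigitalOcean Spaces",
    "windows.net": "Azure",
    "storage.googleapis.com": "Google Cloud Storage",
    "aliyuncs.com": "Alibaba Cloud",
}

def normalize(name):
    return name.strip().rstrip(".").lower()  # case-fold, drop trailing root dot

def match_provider(target):
    """Return (suffix, provider) on a label-boundary match, else None."""
    host = normalize(target)
    for suffix, provider in CLOUD_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):  # not 'notamazonaws.com'
            return suffix, provider
    return None

def parse_cname_records(zone_text):
    """Yield (owner, target) from 'name [ttl] [IN] CNAME target' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        types = [f.upper() for f in fields]
        if "CNAME" not in types:
            continue
        idx = types.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed: missing owner or target
        yield normalize(fields[0]), normalize(fields[idx + 1])

def cloud_backed_names(zone_text):
    """Map owner names whose CNAME lands on a cloud suffix to the details."""
    found = {}
    for owner, target in parse_cname_records(zone_text):
        hit = match_provider(target)
        if hit:
            found[owner] = {"target": target, "suffix": hit[0], "provider": hit[1]}
    return found

SAMPLE_ZONE = """\
assets.example.com. 300 IN CNAME example-assets.s3.amazonaws.com.
files.example.com.  300 IN CNAME examplefiles.blob.core.WINDOWS.NET.
odd.example.com.    300 IN CNAME cdn.notamazonaws.com.
mail.example.com.   300 IN A     192.0.2.10
"""

if __name__ == "__main__":
    print(cloud_backed_names(SAMPLE_ZONE))
```

Matching on a label boundary rather than a bare substring keeps look-alike domains such as `notamazonaws.com` out of the results, and normalizing case and the trailing dot keeps real matches from being missed.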

Infrastructure Misconfig

  • Review the services you've discovered and research the most common misconfigurations of those services. Most commonly, you're looking for services that are left public or are over-permissioned for internet-facing users.

App Code -> Cloud Service

  • Review HTTP traffic of the application as you're using it. Look for HTTP requests to cloud resources and try to determine how the resource is being used in the code.
  • Research the ways these integrations can be implemented insecurely