Happy New Year 2023 to all my followers 🥳
Hope you are doing well
Today we will discuss about how I Found AWS API Keys and how to Validate them.
Note-1: For Privacy reasons, I am not going to reveal the target domain on which I have found the API keys.
Note-2: This Article is only for demonstration and education purpose.
Let’s Start without wasting any more time.
I started Bug hunting somewhere after the summer in 2022 due to my interest in it.
So, As a beginner, I have searched on Google for the “best browser extensions for bug bounty hunters” due to my curiosity and the less knowledge I have on bug hunting.
I found various results as shown below.
I opened the first article which I got in the above results. I have provided the link for the article below.
It’s one of the best articles I found on Google and they provided all the links for the popular extensions including for both Chrome and Firefox.
So, After going through the article, I have installed all the extensions mentioned there.
In the end of that article, you will find a bonus chrome extension named “Trufflehog”.
Extension Link: https://chrome.google.com/webstore/detail/trufflehog/bafhdnhjnlcdbjcdcnafhdcphhnfnhjc/
Initially, I thought this is a normal extension like any other extension.
Note-3: But when I see back now, I can confidently say that I found various vulnerabilities and other sensitive data like Directory Listing, .git exposure, API keys, Sensitive WordPress directories, Passwords and many others in my bug bounty journey using this Extension.
You don’t need to click on this extension or open any source code to find any sensitive data.
This Extension crawls all the links from the source code of a website we visit to find any sensitive data.
Kudos to the Founder Dylan for this Amazing Extension 🙏
You can read the below articles to know more about this extension
So, Let’s Jump to the main topic
I opened a random target on my browser where this extension is installed.
I got a Pop-up saying that this website contains AWS API keys as shown below.
Most of the time, it will show the exposed key and the path where it is present.
You can also copy the path and leaked key from the Pop-up box,
So, I went to the path and searched for the leaked key where I found the AWS Access key and Secret key as shown below.
It was a shock for me as most of the time both the keys won’t be present on a website in plain text and I was wondering how to use these keys as I am not aware of the process of how to use those keys.
So, I asked one of my friends who told me about this tool called “enumerate-iam” for testing the leaked API keys to validate them.
I have provided the git link of the tool in the below section
So I have tested the leaked keys using the above tool where I only found some basic info as shown below.
Note-4: There is no guarantee that the Leaked keys will be Valid and give more info at all times. I was fortunate to get some basic info which is of no use to increase the impact on the target.
But still, you can see that the exposed API keys are validated and gave some basic info about the AWS account as shown in the above picture.
So, That’s it for today guys
Thank you guys for Reading this Post - Happy Hunting 🐞
If you like this post, don’t forget to give me an upvote or ❤
Credits: To all Bug Bounty Hunters and Authors who developed the tools I used in this article.
Support me: If you like to support me, buy me a cup of coffee ☕
Follow me: @0xKayala | Satya Prakash