How not to implement AWS S3 signed URLs? $25,000 bounty
Get a free 2-week trial of Detectify – the sponsor of today's video: https://www.detectify.com/bbre
This video explains an attack on an AWS S3 signed URL implementation on an undisclosed bug bounty platform. The vulnerability was found by Frans Rosen, who received a $25,000 bounty for it.
Get $100 in credits for Digital Ocean:
https://m.do.co/c/cc700f81d215
✎ Sign up for Pentesterlab through my referral link ✎
https://pentesterlab.com/referral/Vtch_7hLg32TqA
Report:
https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/
Reporter’s twitter:
https://twitter.com/fransrosen
Follow me on twitter:
https://twitter.com/gregxsunday
Timestamps:
00:00 Intro
00:23 Detectify – the sponsor of the video
00:59 AWS S3
01:55 Signed URLs
03:42 Attacking signed URL implementations