-
Notifications
You must be signed in to change notification settings - Fork 254
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
/foorbar the URL of S3 to make it properly detect #72
base: master
Are you sure you want to change the base?
Conversation
Thanks for this @nrathaus! Must be new behavior, I wonder when that was implemented. Does your fix still support the bucket listings when an open bucket is found? |
@initstring - it seems to be a rolling change - it now doesn't work when you try I don't know what is going on... I can't find at the moment a way to detect S3 :( |
I think there is some sort of rate limit / blocking - I have switch on and off the VPN and now it seems that S3 detection with the When you hit the rate limit, everything returns non-existing - even completely valid URLs |
Thanks for your work to troubleshoot this, @nrathaus! If you (or anyone else reading) find a solution, please check back! Unfortunately, I probably won't have time to troubleshoot this myself soon. Sorry about that, things are just pretty busy at work/home right now. |
Can we put increased timer on the check for AWS buckets, to bypass the rate limiting, do we know which rate limits AWS starts blocking the checks? |
@initstring , do we have the changes from @nrathaus merged into the main yet? |
@Zoudo The fix isn't 100% accurate, it works sometimes - as there is some sort of rate limit - once you hit it, everything will return The fix I believe is best at the moment, is to do False Positive and False Negative testing every few requests, but that would require some sort of valid S3 to be used - not sure if this is |
I did some investigation with my AWS setup, from what I see, when |
I think current design implementation of S3, prevent detection of unknown S3 via keywords - at least this what I think |
Thanks @nrathaus , does this mean if the result is empty, it means there are no buckets with public access. It means they are protected. i wonder if this changes if we authenticate before the scans with key words. |
At the moment even valid s3 return as non existing when you hit the rate - which appears to me to happen within 2-3 requests to none existing buckets with no paths And a bit later to existing buckets with an invalid path The only way to know this happened is to hold a valid s3 bucket and path at hand and see when it stops working As it stands at the moment I think this feature is no longer feasible unless something changes or someone finds a new way |
Currently S3 detection is not working due to missing path in the URL
This patch adds a fake path so that S3 detection works