aws-extender: BurpSuite extension to identify and test S3 buckets/Google Storage

AWS Extender

AWS Extender is a BurpSuite extension to identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.

Getting Started

For general instructions on how to load BurpSuite extensions, please visit this URL.

Installing Dependencies

Both boto and boto3 are required. You can install them using pip:

$ git clone https://github.com/VirtueSecurity/aws-extender.git
$ cd aws-extender
$ pip install -r requirements.txt

Custom Environment Settings

  1. Open the BurpSuite Extender tab.
  2. Click “Options”.
  3. Set the “Folder for loading modules” setting to the path of your Python installation’s site-packages directory.

Extension Settings

The settings tab provides the following settings:

[Screenshots: Settings Tab; S3 Bucket Misconfiguration; S3 Signed URL Excessive Expiration Time]

Below is a description of each:

| Setting           | Description                        | Required |
|-------------------|------------------------------------|----------|
| AWS Access Key    | Your AWS account access key ID     | True     |
| AWS Secret Key    | Your AWS account secret key        | True     |
| AWS Session Key   | A temporary session token          | False    |
| GS Access Key     | Your Google account access key ID  | True     |
| GS Secret Key     | Your Google account secret key     | True     |
| Wordlist Filepath | A filepath to a list of filenames  | False    |
| Passive Mode      | Perform passive checks only        | N/A      |

Notes:

  • AWS keys can be obtained from your AWS Management Console. For Google Cloud, see the documentation.
  • The extension will still provide minimal functionality (e.g., identifying buckets) even if none of the above requirements are satisfied.
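The "S3 Signed URL Excessive Expiration Time" issue named above concerns pre-signed URLs that stay valid longer than they need to. As an added illustration (not the extension's own code), the following passive check reads the validity window from URLs seen in traffic; the 24-hour threshold, the function names and the sample URLs are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed policy threshold, not the extension's value


def signed_url_lifetime(url, observed_at):
    """Return the validity window of an S3 pre-signed URL, or None if unsigned.

    SigV4 URLs carry the window directly (X-Amz-Expires, in seconds).
    SigV2 URLs carry only an absolute expiry (Expires, epoch seconds), so the
    time remaining from the moment the URL was observed is returned instead.
    """
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        if "x-amz-signature" in query and "x-amz-expires" in query:
            return timedelta(seconds=int(query["x-amz-expires"]))
        if {"awsaccesskeyid", "signature", "expires"} <= query.keys():
            expiry = datetime.fromtimestamp(int(query["expires"]), timezone.utc)
            return expiry - observed_at
    except (ValueError, OverflowError, OSError):
        return None  # malformed expiry value: not something we can assess
    return None


def is_excessive(url, observed_at, limit=MAX_LIFETIME):
    """True when the URL is signed and valid for longer than the limit."""
    lifetime = signed_url_lifetime(url, observed_at)
    return lifetime is not None and lifetime > limit


# Constructed sample data: bucket name, key ID and signatures are placeholders.
SEEN = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = "https://example-bucket.s3.amazonaws.com/"
SAMPLES = [
    BASE + "report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=604800&X-Amz-Signature=0000",
    BASE + "a.png?X-Amz-Algorithm=AWS4-HMAC-SHA256"
           "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900&X-Amz-Signature=0000",
    BASE + "b.zip?AWSAccessKeyId=AKIAEXAMPLE&Expires=1735689600&Signature=0000",
    BASE + "public.css",  # unsigned request, ignored by the check
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_excessive(sample, SEEN), signed_url_lifetime(sample, SEEN), sample[:60])
```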

Source: https://github.com/VirtueSecurity/aws-extender