S3 Object Bad Permissions

I keep seeing something like this during some of my scans, and I’ve come to find that you can hijack that file and do what you want with it despite the bucket not having the upload permissions.

I created a quick script to show you how you can do a POC for a bounty program without altering the files themselves.

Simply save it and then run object_poc.sh bucketname filetoaddpermissionsto [email protected]

This will dump the JSON out, showing that you have full write permissions to that object.
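
For the bucket owner's side of this finding, here is an added example (not the script from the original post) that reads the JSON returned by aws s3api get-object-acl and flags grants letting someone other than the owner rewrite the object's ACL. The function name and both sample ACL documents are constructed for illustration.

```python
import json

# Predefined S3 groups that make a grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Object-level permissions that allow the grantee to rewrite the object's ACL.
ACL_WRITE_PERMS = {"WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl_json):
    """Return (grantee, permission) pairs that let a non-owner change the ACL."""
    acl = json.loads(acl_json)
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        if perm not in ACL_WRITE_PERMS:
            continue  # READ / READ_ACP do not permit ACL changes
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], perm))
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            # May be a deliberate cross-account grant; surfaced for review.
            findings.append(("canonical user " + grantee.get("ID", "?"), perm))
    return findings


# Constructed sample: the owner plus a public-read grant and a WRITE_ACP grant
# to every authenticated AWS account (the misconfiguration discussed above).
SAMPLE_BAD_ACL = json.dumps({
    "Owner": {"DisplayName": "example-owner", "ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE_ACP"},
    ],
})
# Constructed sample: same object with only the owner grant left in place.
SAMPLE_OK_ACL = json.dumps({"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"}]})

if __name__ == "__main__":
    for who, perm in risky_grants(SAMPLE_BAD_ACL):
        print(f"RISK: {who} holds {perm} on this object")
```

Any non-empty result means the object ACL should be reset to owner-only; a public READ grant alone is not reported because it does not allow ACL changes.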