# Level 1: Buckets of Fun

### <mark style="color:purple;">Task</mark>

This level is *buckets* of fun. See if you can find the first sub-domain.

### <mark style="color:purple;">Resolution</mark>

For this level, we'll assume that the bucket name is the same as the domain (flaws.cloud), so we navigate to <http://flaws.cloud.s3.amazonaws.com/>

This page returns an XML bucket listing.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfSJbF6EyPC2avYORRdRpxzaYygQkrEOQ8dYqjE2m-MIKKQcrRNlh6hBOK21qTssmPsCnJCDeC5A62hRQ6tr0kSE6xmdV3V75WafxFnjHgIhyyP4vW7wR_Z3yvUoiSoYpZFbMcNQw?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>

At the bottom of the XML, there is a \<Key>\</Key> element whose value is an HTML file.

If we navigate to this HTML file, we obtain the following:

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdlYdx4xPTT4W3QMDKNl6b2yhfrdZMZwpLAkG9LHaaw4lD-QTsFnVyKk4yQgxFFBWV13Yb8SMSB9M9VvC11JopQO5dBczx0Vb3VcGA1Dmro6qUb3_8fOxIlWxYtyPsz8inqTOsi?key=yZvDq_-uDN4B0M8iByv7S1s4" alt=""><figcaption></figcaption></figure>
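To make the XML in the screenshot concrete, and to show how a defender can tell an open listing apart from a properly denied one when auditing their own buckets, here is an added example in Python. It is not part of this write-up or of flaws.cloud: both responses below are constructed samples in the shape S3 returns (a `ListBucketResult` for an open bucket, an `Error` document for a denied one), the bucket name `example-bucket` and the object keys are placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace that S3 uses on ListBucketResult documents. Error documents carry none.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample of what an anonymous GET on a listable bucket root returns.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <Prefix></Prefix>
  <Marker></Marker>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>index.html</Key>
    <LastModified>2017-03-14T03:00:38.000Z</LastModified>
    <Size>1051</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>hint-page.html</Key>
    <LastModified>2017-03-14T03:00:38.000Z</LastModified>
    <Size>1024</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
  <Contents>
    <Key>robots.txt</Key>
    <LastModified>2017-03-14T03:00:38.000Z</LastModified>
    <Size>46</Size>
    <StorageClass>STANDARD</StorageClass>
  </Contents>
</ListBucketResult>
"""

# Constructed sample of what a bucket without public List permission returns.
SAMPLE_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>EXAMPLEREQUESTID</RequestId>
  <HostId>EXAMPLEHOSTID</HostId>
</Error>
"""


def classify_bucket_root(xml_text):
    """Classify the body of a GET on a bucket root: 'listable', 'error:<Code>' or 'unknown'."""
    root = ET.fromstring(xml_text)
    tag = root.tag.split("}")[-1]  # strip the namespace prefix if present
    if tag == "ListBucketResult":
        return "listable"
    if tag == "Error":
        return "error:" + (root.findtext("Code") or "")
    return "unknown"


def parse_listing(xml_text):
    """Parse a ListBucketResult into its bucket name, truncation flag and (key, size) pairs."""
    root = ET.fromstring(xml_text)
    keys = []
    for contents in root.findall("s3:Contents", S3_NS):
        key = contents.findtext("s3:Key", namespaces=S3_NS)
        size = int(contents.findtext("s3:Size", default="0", namespaces=S3_NS))
        keys.append((key, size))
    return {
        "name": root.findtext("s3:Name", namespaces=S3_NS),
        # A listing of more than MaxKeys objects is paged; a full audit must follow it.
        "truncated": root.findtext("s3:IsTruncated", namespaces=S3_NS) == "true",
        "keys": keys,
    }


def html_keys(listing):
    """Return the keys that are HTML pages, the kind of object this level points at."""
    return [key for key, _ in listing["keys"] if key.lower().endswith((".html", ".htm"))]


if __name__ == "__main__":
    print(classify_bucket_root(SAMPLE_DENIED))
    print(classify_bucket_root(SAMPLE_LISTING))
    print(parse_listing(SAMPLE_LISTING))
```

Run against the body of an unauthenticated GET on each of your own bucket roots, `classify_bucket_root` should answer `error:AccessDenied` for every bucket that is not meant to be browsable; `listable` means the List permission discussed in this level is open.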

### <mark style="color:purple;">Lesson Learned</mark>

On AWS you can set up S3 buckets with all sorts of permissions and functionality including using them to host static files. A number of people accidentally open them up with permissions that are too loose. Just like how you shouldn't allow directory listings of web servers, you shouldn't allow bucket listings.

### <mark style="color:purple;">Examples of this problem</mark>

* Directory listing of S3 bucket of Legal Robot ([link](https://hackerone.com/reports/163476)) and Shopify ([link](https://hackerone.com/reports/57505)).
* Read and write permissions to S3 bucket for Shopify again ([link](https://hackerone.com/reports/111643)) and Udemy ([link](https://hackerone.com/reports/131468)). This challenge did not have read and write permissions, as that would destroy the challenge for other players, but it is a common problem.

### <mark style="color:purple;">Avoiding the mistake</mark>

By default, S3 buckets are private and secure when they are created. To allow it to be accessed as a web page, I had to turn on "Static Website Hosting" and change the bucket policy to allow everyone "s3:GetObject" privileges, which is fine if you plan to publicly host the bucket as a web page. But then to introduce the flaw, I changed the permissions to add "Everyone" to have "List" permissions.

<figure><img src="https://657071395-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6TULCIQYFngHxc4snxrs%2Fuploads%2FXZSZPcDOCQkxP6f5Exp3%2Fimage.png?alt=media&#x26;token=59460b4d-b049-42f7-9ad0-4122f042de7e" alt=""><figcaption></figcaption></figure>

"Everyone" means everyone on the Internet. You can also list the files simply by going to <http://flaws.cloud.s3.amazonaws.com/> due to that List permission.
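The difference between the acceptable configuration (everyone may `s3:GetObject`) and the flawed one (everyone may also list) can be checked mechanically. The following is an added Python example, not code from this write-up or from flaws.cloud: it audits a bucket policy and a bucket ACL for a public listing grant, whether it was added as a policy statement or, as in this level, as an "Everyone" List grant in the console ACL (which S3 reports as a `READ` grant to the `AllUsers` group). The policies and ACLs are constructed samples in the shape of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` output, the bucket name `example-bucket` is a placeholder, and the function names are hypothetical.

```python
from fnmatch import fnmatch

# Group URIs that S3 ACLs use for "everyone". AllUsers is the anonymous Internet;
# AuthenticatedUsers is any AWS account, which for exposure purposes is also everyone.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Action, Statement and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True if a statement's Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_list_grants_in_policy(policy):
    """Return the Sid (or index) of every Allow statement granting s3:ListBucket to everyone."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        # Action names are case-insensitive and may be wildcards ("s3:*", "s3:List*").
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatch("s3:listbucket", pattern) for pattern in actions):
            findings.append(stmt.get("Sid", "statement[%d]" % idx))
    return findings


def public_list_grants_in_acl(acl):
    """Return (group, permission) for every public-group ACL grant that allows listing.
    On a bucket, READ is the List permission; FULL_CONTROL includes it."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUP_URIS:
            continue
        if grant.get("Permission") in ("READ", "FULL_CONTROL"):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def listing_is_public(policy, acl):
    """True if either mechanism lets everyone on the Internet list the bucket."""
    return bool(public_list_grants_in_policy(policy) or public_list_grants_in_acl(acl))


# Constructed: the policy a public static website needs. Only GetObject, only on objects.
WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed: the same policy with the listing flaw expressed as a policy statement.
FLAWED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEBSITE_POLICY["Statement"] + [{
        "Sid": "PublicList",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-bucket",
    }],
}

OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLECANONICALUSERID"}

# Constructed: the default ACL, only the owner has FULL_CONTROL.
SAFE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

# Constructed: the ACL after "Everyone" is given List, which S3 reports as READ for AllUsers.
FLAWED_ACL = {"Grants": SAFE_ACL["Grants"] + [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}

if __name__ == "__main__":
    print("website policy + default ACL listable:", listing_is_public(WEBSITE_POLICY, SAFE_ACL))
    print("flawed ACL listable:", listing_is_public(WEBSITE_POLICY, FLAWED_ACL))
    print("flawed policy listable:", listing_is_public(FLAWED_POLICY, SAFE_ACL))
```

The check deliberately looks at both places a List grant can live: the console's "Everyone / List" checkbox from the screenshot changes the ACL, not the policy, so a policy-only audit would report this level's bucket as safe while the listing at the URL above still works.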
