id: aws-detect

info:
  name: AWS Service - Detect
  author: 6mile
  severity: info
  description: Detect if AWS is being used in the application.
  reference:
    - https://github.com/6mile/cloud-headers
  classification:
    cwe-id: CWE-200
  metadata:
    max-request: 1
  tags: tech,aws,amazon,alb,cloudfront,codebuild,gateway,xray,captcha,dynamodb,kms

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3

    matchers-condition: or
    matchers:
      - type: word
        name: aws-service
        part: header
        words:
          - 'X-Amz-Content-Sha256:'
          - 'X-Amz-Date:'
          - 'X-Amz-Version-Id:'
          - 'X-Amz-Id-2:'
          - 'X-Amz-Delete-Marker:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-alb
        part: header
        words:
          - 'Server: awselb/2.0'
          - 'Set-Cookie: AWSALB='
          - 'Set-Cookie: AWSALBCORS='
        condition: or
        case-insensitive: true

      - type: word
        name: aws-cloudfront
        part: header
        words:
          - 'X-Amz-Cf-Id:'
          - 'X-Amz-Cf-Pop:'
        condition: or
        case-insensitive: true

      - type: dsl
        name: aws-cloudfront
        dsl:
          - "contains(tolower(header), 'x-cache: hit from cloudfront')"
          - "contains(tolower(header), 'x-cache: refreshhit from cloudfront')"
          - "contains(tolower(header), 'x-cache: miss from cloudfront')"
          - "contains(tolower(header), 'x-cache: error from cloudfront')"
        condition: or

      - type: word
        name: aws-codebuild
        part: header
        words:
          - "arn: arn:aws:codebuild"
          - 'X-Amz-Meta-Codebuild-Buildarn:'
          - 'X-Amz-Meta-Codebuild-Content-Sha256:'
          - 'X-Amz-Meta-Codebuild-Content-Md5:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-api-gateway
        part: header
        words:
          - 'X-Amz-Apigw-Id:'
          - 'X-Amzn-Requestid:'
          - 'X-Amzn-Errortype: MissingAuthenticationTokenException'
          - 'X-Amzn-Remapped-Connection:'
          - 'X-Amzn-Remapped-Content-Length:'
          - 'X-Amzn-Remapped-Date:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-kms
        part: header
        words:
          - 'X-Amz-Server-Side-Encryption:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-xray
        part: header
        words:
          - 'X-Amzn-Trace-Id:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-waf-captcha
        part: header
        words:
          - 'X-Amzn-Waf-Action:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-dynamodb
        part: header
        words:
          - 'X-Amz-Crc32:'
          - 'X-Amz-Target:'
        condition: or
        case-insensitive: true

# digest: 4a0a00473045022100e2ace673ed88fa77d9fec8b7907b9cc284a8bfe6f324f7ee76f704ad3509109302204cb221bb8326582bf6fc0e1244f4f1e6f395e1dfe7f56d1d6c04986a52584d82:922c64590222798bb761d5b6d8e72950