id: aws-s3-bucket-enum

info:
  name: AWS S3 Buckets - Cloud Enumeration
  author: initstring
  severity: info
  description: |
    Searches for open and protected buckets in AWS S3
  metadata:
    verified: true
    max-request: 1
  tags: cloud,enum,cloud-enum,aws

self-contained: true

variables:
  BaseDNS: "s3.amazonaws.com"

http:
  - raw:
      - |
        GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
        Host: {{wordlist}}.{{BaseDNS}}

    redirects: false

    attack: batteringram
    threads: 10

    matchers-condition: or
    matchers:
      - type: status
        name: "Open AWS S3 Bucket"
        status:
          - 200

      - type: status
        name: "Protected AWS S3 Bucket"
        status:
          - 403
# digest: 4a0a004730450220582ade4cedc87128700ecd6eabbf8180f003175a526353e667cd067c00860403022100dadcb4551ca3a0cefd88cb78fa0de85020778f6b3c85f7792aee521e3c8adfaf:922c64590222798bb761d5b6d8e72950