AWS Service - Detect

ID: aws-detect

Severity: info

Author: 6mile

Tags: tech,aws,amazon,alb,cloudfront,codebuild,gateway,xray,captcha,dynamodb,kms

Description

Detect if AWS is being used in the application.

YAML Source

id: aws-detect

info:
  name: AWS Service - Detect
  author: 6mile
  severity: info
  description: Detect if AWS is being used in the application.
  reference:
    - https://github.com/6mile/cloud-headers
  classification:
    cwe-id: CWE-200
  metadata:
    max-request: 1
  tags: tech,aws,amazon,alb,cloudfront,codebuild,gateway,xray,captcha,dynamodb,kms

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3

    matchers-condition: or
    matchers:
      - type: word
        name: aws-service
        part: header
        words:
          - 'X-Amz-Content-Sha256:'
          - 'X-Amz-Date:'
          - 'X-Amz-Version-Id:'
          - 'X-Amz-Id-2:'
          - 'X-Amz-Delete-Marker:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-alb
        part: header
        words:
          - 'Server: awselb/2.0'
          - 'Set-Cookie: AWSALB='
          - 'Set-Cookie: AWSALBCORS='
        condition: or
        case-insensitive: true

      - type: word
        name: aws-cloudfront
        part: header
        words:
          - 'X-Amz-Cf-Id:'
          - 'X-Amz-Cf-Pop:'
        condition: or
        case-insensitive: true

      - type: dsl
        name: aws-cloudfront
        dsl:
          - "contains(tolower(header), 'x-cache: hit from cloudfront')"
          - "contains(tolower(header), 'x-cache: refreshhit from cloudfront')"
          - "contains(tolower(header), 'x-cache: miss from cloudfront')"
          - "contains(tolower(header), 'x-cache: error from cloudfront')"
        condition: or

      - type: word
        name: aws-codebuild
        part: header
        words:
          - "arn: arn:aws:codebuild"
          - 'X-Amz-Meta-Codebuild-Buildarn:'
          - 'X-Amz-Meta-Codebuild-Content-Sha256:'
          - 'X-Amz-Meta-Codebuild-Content-Md5:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-api-gateway
        part: header
        words:
          - 'X-Amz-Apigw-Id:'
          - 'X-Amzn-Requestid:'
          - 'X-Amzn-Errortype: MissingAuthenticationTokenException'
          - 'X-Amzn-Remapped-Connection:'
          - 'X-Amzn-Remapped-Content-Length:'
          - 'X-Amzn-Remapped-Date:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-kms
        part: header
        words:
          - 'X-Amz-Server-Side-Encryption:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-xray
        part: header
        words:
          - 'X-Amzn-Trace-Id:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-waf-captcha
        part: header
        words:
          - 'X-Amzn-Waf-Action:'
        condition: or
        case-insensitive: true

      - type: word
        name: aws-dynamodb
        part: header
        words:
          - 'X-Amz-Crc32:'
          - 'X-Amz-Target:'
        condition: or
        case-insensitive: true
# digest: 490a0046304402205828c545f1c2ef21362b46fbe9c4e95f2bb562c7487e72c25a8bf53dd02efc8302206fcdf8749d14e13bdcfde3a60c507a6315e51dbac402f0f824a198b7426e5543:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/technologies/aws/aws-detect.yaml"

View on Github