Pentest Files: What Error Messages And Cloud Access Keys
Blog Home
>
Pentesting

Pentest Files: Error Messages And Cloud Access Keys

Unveiling the risks of exposing AWS (amazon web services) keys, this article shares a real example from a recent pen test conducted by our expert testers.

Conor O'Neill
Conor O'Neill
Co-Founder & CEO
April 8, 2022

Welcome to our Pentest Files blog series.

Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.

These findings are taken from real reports, anonymised, and published with kind permission from our clients.

Issue discovered: The application was found to disclose sensitive service ‘key’ information in a verbose error.

Introduction

These ‘information disclosure in error messages’ issues are as old as pentesting itself, are usually pretty boring, and typically rated as low severity.

However, Cloud hosting has now become the norm, and our testers pay a lot more attention to error messages than in the past, because in a lot of cases these error messages disclose AWS tokens!

Read on the for full (anonymised) details of the issue as our tester found it.

What is this?

The application was found to disclose sensitive service 'key' information in a verbose error.

What is the business risk?

This would give an unauthenticated attacker access to key services such as AWS.

How can I fix it?

Disable and do not leak sensitive key information in verbose error messages.

Technical Details

Whilst browsing to the following URL (unauthenticated); https://acme-company.com/img/grad/logo-black-new.svg A verbose error was encountered.

Although this verbose error obscured some sensitive information the following was still leaked;

  • AWS access and secret key (giving CLI access to affected AWS account).
  • GPG_KEYS
  • STRIPE_WEBHOOK_SECRET
  • FETCHIFY_KEY

For example accessing the AWS account using the AWS access and secret key ; aws sts get-caller-identity

{
   "UserId": "AIADFJSFDIJSFISMDKMSDM",
   "Account": "39123456789",
   "Arn": "arn:aws:iam::39123456789:user/client-staging"
}

Recommendation

Remove this secret material from application responses. This can typically be conducted by setting the Laravel APP_DEBUG value to off. We also recommend to consider these credentials compromised, rotate them immediately and conduct an incident response investigation to determine whether there is evidence of this credential material being accessed previously.

Why not get a quote or contact us to set up a pentest online.

More recommended articles

Understanding Pentest Vs Vulnerability Scanning: A Guide
March 25, 2021
Pentest Files: Admin Account Takeover via Password Reset
May 18, 2022
Pentest Files: Docker Breakout - taking precautions?
June 23, 2022
Protect
Scan
Radar
Pricing
Penetration Test
Overview
External Infrastructure Testing
Physical Penetration Testing
Web Application
Internal Infrastructure Testing
Mobile Application
Phishing Simulation
Cloud Security Testing
Social Engineering
Resources
About
Blog
Contact
Careers

© 2025 ONSECURITY TECHNOLOGY LIMITED (company registered in England and Wales. Registered number: 14184026 Registered office: 1 Victoria Street, Bristol, England, BS1 6AA). All rights reserved.

Terms and Conditions
Privacy