Pentest Files: Error Messages And Cloud Access Keys
Blog Home
>

Pentest Files: Error Messages And Cloud Access Keys

Revealing AWS keys is a big no no, here's an example of what one of our testers found in a recent penetration test.

Conor O'Neill
Conor O'Neill
Founder & Chief Product Officer
April 08, 2022

Welcome to our Pentest Files blog series.

Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.

These findings are taken from real reports, anonymised, and published with kind permission from our clients.

Issue discovered: The application was found to disclose sensitive service ‘key’ information in a verbose error.

Introduction

These ‘information disclosure in error messages’ issues are as old as pentesting itself, are usually pretty boring, and typically rated as low severity.

However, Cloud hosting has now become the norm, and our testers pay a lot more attention to error messages than in the past, because in a lot of cases these error messages disclose AWS tokens!

Read on the for full (anonymised) details of the issue as our tester found it.

What is this?

The application was found to disclose sensitive service 'key' information in a verbose error.

What is the business risk?

This would give an unauthenticated attacker access to key services such as AWS.

How can I fix it?

Disable and do not leak sensitive key information in verbose error messages.

Technical Details

Whilst browsing to the following URL (unauthenticated); https://acme-company.com/img/grad/logo-black-new.svg' A verbose error was encountered.

Although this verbose error obscured some sensitive information the following was still leaked;

  • AWS access and secret key (giving CLI access to affected AWS account).
  • GPG_KEYS
  • STRIPE_WEBHOOK_SECRET
  • FETCHIFY_KEY

For example accessing the AWS account using the AWS access and secret key ; aws sts get-caller-identity

{
   "UserId": "AIADFJSFDIJSFISMDKMSDM",
   "Account": "39123456789",
   "Arn": "arn:aws:iam::39123456789:user/client-staging"
}

Recommendation

Remove this secret material from application responses. This can typically be conducted by setting the Laravel APP_DEBUG value to off. We also recommend to consider these credentials compromised, rotate them immediately and conduct an incident response investigation to determine whether there is evidence of this credential material being accessed previously.

Want to check for yourself if your application is free from this kind of vulnerability? Why not get a quote or contact us to set up a pentest.

More recommended articles

RPMG chose OnSecurity as their offensive online cybersecurity partner and hasn't looked back since.
Typosquatting and it’s impact on businesses
Cloud Native Security
Protect
Scan
Radar
Pricing
Penetration Test
Overview
External Infrastructure Testing
Physical Penetration Testing
Web Application
Internal Infrastructure Testing
Mobile Application
Phishing Simulation
Cloud Security Testing
Social Engineering
Resources
About
Blog
Contact

© 2023 ONSECURITY TECHNOLOGY LIMITED (company registered in England and Wales. Registered number: 14184026 Registered office: Floor T, Castlemead, Lower Castle Street, Bristol, England, BS1 3AG). All rights reserved.

Terms and Conditions
Privacy