Scan for misconfigured S3 buckets across S3-compatible APIs!
- v3.0.4 Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.3...v3.0.4
- v3.0.3 Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.2...v3.0.3
- v3.0.2 Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.1...v3.0.2
- v3.0.1 Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.0...v3.0.1
- Announcement available here: https://github.com/sa7mon/S3Scanner/discussions/135
- v3.0.0 Full Changelog: https://github.com/sa7mon/S3Scanner/compare/2.0.2...v3.0.0
This is almost a complete rewrite of the tool, including the scanning logic and output, and it adds a good amount of new functionality. The code is now much cleaner and simpler than before.
- `checkBucket()` function was changed to use boto to check for buckets instead of GETting the page out on the web. This is better for several reasons:
- `buckets.txt` file now contains only bucket names instead of `bucket:region`.
- `checkBucketWithoutCreds` will now issue a maximum of 2 requests to check if a bucket exists. This helps ease the issue of 503s being returned intermittently.
- `getAcl()` to try to get the ACLs associated with found buckets. They're currently only output to the screen.
- `--default-region` argument. The new way of checking if buckets exist doesn't need the bucket's region, and neither do any of the other functions. We're region-free now, baby.
- `--version` argument. Pretty self-explanatory.
- `--include-closed` argument. Now that the tool is more self-aware of the permissions on a bucket, it can be hard to determine what makes a bucket "open" or "closed". Disabling for now until I determine a better way to handle it.
- `s3scanner.py` now parses the bucket name out and ignores the region.

This release adds some really cool functionality and added stability. Thanks to @vysec, there's now a `--list` argument to enable saving bucket listings to file. Currently, this takes a long time if there are a lot of files in the bucket; in the near future I'm going to be looking at adding multi-threading/processing to speed the whole process up.

- `--list` argument was added.
- `test_setup` was added as a noobish way to do test setup. Probably a better way to do it with pytest.
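The earlier notes say `getAcl()` only prints the ACLs it retrieves and that deciding what makes a bucket "open" or "closed" is hard. As an added example, not S3Scanner's own code, here is one way to turn an ACL in the shape boto3's `get_bucket_acl()` returns into a verdict, using the two real AWS global group URIs; the sample ACL is constructed and the owner ID is a placeholder.

```python
# Added example, not S3Scanner's own code: classify a bucket ACL in the shape
# boto3's s3.get_bucket_acl() returns it, answering the "open or closed"
# question the release notes leave undecided.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def classify_acl(acl: dict) -> dict:
    """Summarise what anonymous and any-AWS-account principals may do.

    acl = {"Owner": {...}, "Grants": [{"Grantee": {"Type": ..., "URI" or
    "ID": ...}, "Permission": ...}, ...]}. Only the two global groups are
    public; CanonicalUser grantees name one specific account.
    """
    public, any_account = set(), set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri, perm = grantee.get("URI"), grant["Permission"]
        if uri == ALL_USERS:
            public.add(perm)
        elif uri == AUTH_USERS:
            any_account.add(perm)
    for perms in (public, any_account):
        if "FULL_CONTROL" in perms:  # implies every other bucket permission
            perms.update({"READ", "WRITE", "READ_ACP", "WRITE_ACP"})
    risky = {"READ", "WRITE", "WRITE_ACP"}  # list / add+delete / rewrite ACL
    if public & risky:
        verdict = "open"
    elif any_account & risky:
        verdict = "open to any AWS account"
    else:
        verdict = "closed by ACL"  # a bucket policy can still grant access
    return {"public": sorted(public), "any_aws_account": sorted(any_account),
            "verdict": verdict}

# Constructed sample: owner has full control, the world may list objects, and
# any authenticated AWS identity may rewrite the ACL (escalates to full access).
SAMPLE_ACL = {
    "Owner": {"ID": "PLACEHOLDER-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "PLACEHOLDER-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    print(classify_acl(SAMPLE_ACL))
```

Block Public Access settings and bucket policies are evaluated separately by S3, so a "closed by ACL" verdict only says the ACL itself grants nothing to the world.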