What is OSS?
The Object Storage Service (OSS) is a massive, secure, low-cost, and highly reliable cloud Storage Service suitable for storing files of any type. Flexible expansion of capacity and processing capability, multiple storage types for selection, comprehensive optimization of storage costs.
What is AccessKey?
The AccessKey consists of AccessKeyID and AcessKeySecret. The AccessKeyID is used to identify the user, and the AcessKeySecret is used to verify the user’s key. It is mainly used to invoke cloud service apis programmatically.
Let’s look at a simple test case where an HTML form is retrieved while testing an upload point:
The host name of the request xxxx.aliyuncs.com and the OSSAccessKeyId parameter of the form can basically confirm that the system uses OSS as the upload file storage. Even if malicious script files are uploaded, they cannot be resolved successfully. How can we break the situation? Don’t give up so fast, there is still one more chance.
By reviewing relevant documents, we can see that there are three ways to use forms to upload files to OSS:
OSS product documentation: https://help.aliyun.com/document_detail/31923.htmlCopy the code
- The signing is done in JavaScript code on the client side, and the data is then passed directly to OSS through the form.
- The signing is done on the server side and the data is then sent directly to OSS through the form.
- The signing is done on the server, and the server has set up a post-upload callback, and then sends the data directly to OSS through the form. After the OSS callback is complete, the response result of the application server is returned to the client.
When the JavaScript client is used to sign directly, AccessKeyID and AcessKeySecret will be exposed in the front end page, and there are serious security risks.
By searching through the JS file, you can find the AccessKey written in the JS file.
AccessKey leak, how to exploit the vulnerability?
AccessKey is the key to access ali Cloud API, what kind of risk will be caused.
1. Through the API interface
AccessKey ID and AccessKey Secret are the keys to open the door, and manage and operate the server ECS instance by calling API.
API reference: https://helpcdn.aliyun.com/document_detail/117934.htmlCopy the code
2. Use a third-party management tool
- OSSBrowser
The OSSBrowser is a graphical management tool provided by the OSS. It provides functions similar to Windows Explorer. You can browse, upload, download, and manage files easily using the OSSBrowser.
Download address: http://gosspublic.alicdn.com/oss-browser/1.9.4/oss-browser-win32-x64.zipCopy the code
- Guardian god. Cloud backup
One-click backup data to Ali Cloud OSS, support Bucket management, support mouse drag and drop, support clipboard, support resumable breakpoint, support statistics directory size, support file search.
Download address: https://d.hws.com/free/HwsOSS.zipCopy the code
- Introduces the housekeeper
Multi-cloud management platform, import AccessKey, can reset the server password, take over the server.
The official address: https://yun.cloudbility.com/login.htmlCopy the code
Frequently asked Questions
1. When can the AccessKey of OSS be leaked?
When the JavaScript client is used to sign directly, AccessKeyID and AcessKeySecret will be exposed in the front end page, causing serious security risks.
Github and other platforms leaked, searchable by keyword. \
The AccessKey is obtained by reading the configuration file through other vulnerabilities.Copy the code
2. AccessKey leakage of front-end OSS, how to fix the code?
Security risks are serious if JavaScript client signature direct transmission is adopted. Therefore, you are advised to use server-side signature direct transmission.Copy the code
3. How can I rectify the leak of AccessKey to OSS?
The safest thing to do is to change AccessKey. After all, it can only be created or deleted, enabled or disabled, and doesn't give you a chance to change your password.Copy the code
4. How can we easily determine whether the AccessKey of OSS is stored in the front end when testing?
This can be easily determined by the number of HTTP requests captured during the upload operation. When directly signed by a JavaScript client, the user directly uploads data to OSS in a single request. In direct transmission mode, users need to request the application server to upload the Policy and upload the data to the OSS at least twice.Copy the code
As cloud has become a trend in enterprises, the deployment architecture of cloud platforms will face new risks and challenges in terms of development, security, and operation and maintenance. The rich product matrix on the cloud provides users with various instances of options, but the implementation of technical solutions, security policies and services on the cloud, and precise access control of RAM are all related to security.