Scan for misconfigured S3 buckets across S3-compatible APIs!
MIT License
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.1.0...v3.1.1
Published by sa7mon about 1 month ago
Test release to verify GitHub actions fixes. Please ignore.
Published by sa7mon about 1 month ago
Test release to verify GitHub actions fixes. Please ignore.
Published by sa7mon about 1 month ago
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.4...v3.1.0
Published by sa7mon about 1 year ago
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.3...v3.0.4
Published by sa7mon about 1 year ago
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.2...v3.0.3
Published by sa7mon about 1 year ago
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.1...v3.0.2
Published by sa7mon about 1 year ago
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/v3.0.0...v3.0.1
Published by sa7mon about 1 year ago
Announcement available here: https://github.com/sa7mon/S3Scanner/discussions/135
Full Changelog: https://github.com/sa7mon/S3Scanner/compare/2.0.2...v3.0.0
Published by sa7mon almost 3 years ago
Published by sa7mon over 3 years ago
Quick update to 2.0.0 to improve endpoint validation and allow support for GCP. Also I goofed and broke the Pip package, so this will remedy that.
Published by sa7mon over 3 years ago
This is almost a complete re-write of the tool including scanning logic and output and adds a good amount of new functionality. The code is now much cleaner and simpler than before.
Published by sa7mon over 6 years ago
checkBucket() function was changed to use boto to check for buckets instead of GET'ing the page out on the web. This is better for several reasons:
buckets.txt file now contains only bucket names instead of bucket:region
checkBucketWithoutCreds will now issue a maximum of 2 requests to check if a bucket exists. This helps ease the issue of 503's being returned intermittently.
getAcl() to try to get the ACLs associated with found buckets. They're currently only output to the screen.
--default-region argument. The new way of checking if buckets exist doesn't need the bucket's region and neither do any of the other functions. We're region-free now baby
--version argument. Pretty self-explanatory
--include-closed argument. Now that the tool is more self-aware of the permissions on a bucket, it can be hard to determine what makes a bucket "open" or "closed". Disabling for now until I determine a better way to handle it.
s3scanner.py now parses the bucket name out and ignores the region
Published by sa7mon over 6 years ago
This release adds some really cool functionality and added stability. Thanks to @vysec, there's now a --list argument to enable saving bucket listings to file. Currently, this takes a long time if there are a lot of files in the bucket - in the near future I'm going to be looking at adding multi-threading/processing to speed the whole process up.
--list argument was added.
test_setup was added as a noobish way to do test setup. Probably a better way to do it with pytest.
Published by sa7mon over 6 years ago
Mostly bug fixes with minor aesthetic improvements.
sizeCheckTimeout to set how long to wait for getSize() to return before timing out. Will probably turn this into an argument later.
pytest to pytest-xdist to test concurrently when testing locally.
test_getBucketSizeTimeout()
test_checkBucketInvalidName() to watch for #26 regressions
Published by sa7mon over 6 years ago
There are enough features now to tag an actual release. I'll be using semver for versioning.