Hello, This is me!

Vaibhav Koli

Information Security Researcher | Penetration Tester | HTB Player | Security Enthusiast | CTF Player

About me

Hello

I'm Vaibhav Koli

Information Security Researcher

I am a pen-tester, researcher and developer, so if you need something tested, researched or developed please get in touch.

I am a security enthusiast in the areas of web applications, network engineering and mobile applications. I also work as an individual web-application security engineer with broad experience in all aspects of security management and implementation.

Infosec specialist whose certifications include CISEH (Certified Information Security and Ethical Hacking), CPTE (Certified Penetration Testing Expert), ICSI:CNSS (Certified Network Security Specialist) and ISO 27001:2013 LA designations, with detailed knowledge of security tools, technologies and best practices. Five years of experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations.

As well as the technical hands-on work, I also enjoy teaching and have run a number of courses for beginners who are getting their start in security.

experience

Accenture

September 2021- Present

Working with Accenture as a Security Delivery Senior Analyst.

  • Working on a SAST project for one of the biggest food chain brands.
  • Performing authenticated vulnerability scans on both Windows and Linux devices.
  • Performing source code review of Java, iOS, Python and Android code using the Checkmarx tool.

Atos

January 2020- September 2021

Worked with Atos as an Associate Consultant.

  • Core member of COE team (Center of excellence).
  • Performed penetration test on web, mobile, thick client, APIs and web services applications.
  • Performed Red Team assessment for financial sector organization.
  • Led the application security testing team for a financial sector client.

qSEAp InfoTech Pvt. Ltd.

December 2017-January 2020

Worked with qSEAp InfoTech Pvt. Ltd. as an Information Security Analyst.

  • Independently conducted and managed the security assessments of various applications such as net banking, payment gateways and e-commerce for clients from sectors like banking, insurance, retail and government.
  • Successfully executed projects for various clients as part of PCI and HIPAA compliance audits.

Pristine infosolution

February 2017-December 2017

Worked with Pristine infosolution as an Information Security Trainer.

  • Provided Ethical Hacking and Information Security training to corporate employees.
  • Conducted information security awareness conferences in many colleges.

Skills

Number of projects: 515
Months of industry experience: 46
HTB machines owned: 47
CVEs owned: 2

    Blogs

    Exploiting poorly configured amazon S3 bucket

    Many of our customers run at least part of their infrastructure in public cloud environments, like Amazon Web Services (AWS), Google Cloud, or Microsoft Azure. While there are a lot of advantages to using the cloud, there are also unique security concerns that organizations must be aware of.
    One of the biggest challenges we see with cloud security is that people are unpredictable and prone to, well, being human. So we often see security incidents happen that are simply errors made by well-intending employees. While they mean well, these errors can (and do) inadvertently put their organization at risk.
    One of the most common errors that’s been popping up in the news and which we’ve started to see here at Expel is when users accidentally make Amazon S3 buckets public.
    What’s Amazon S3, why do these breaches happen and how can you protect your own org from making this mistake? We’re laying out all the details for you below.

    What is Amazon S3?

    Amazon S3 (“S3” stands for “Simple Storage Service”) buckets are basically a Dropbox for IT and tech teams. They can be used to store any amount of data, such as images, videos, websites, backups, new application builds, or really anything you want. You can even host a website using Amazon S3 and store all the elements of that website in a bucket.
    Buckets are containers for objects. You can have one or more buckets. For each bucket, you can adjust its access permission policies (who can create, delete, and list objects in the bucket), view access logs for it and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.

    Why do Amazon S3 buckets regularly end up open?

    S3 buckets become public when any permissions are granted to the predefined groups “AuthenticatedUsers” or “AllUsers.” The “AuthenticatedUsers” group represents all AWS accounts, meaning anyone with an AWS account can access that S3 bucket. The “AllUsers” group consists of anyone in the world.
    It’s easy to see how this can cause confusion, especially if you’re new to the cloud. Developers and IT admins have grown up in an on-premises world where groups with “users” in the name are limited to only the employees in their organization. So when the guy in IT accidentally gives “AllUsers” access to the company directory and opens it to anyone with an internet connection, it doesn’t mean he’s a dummy. In another way but then forgets to change the settings back. So there are lots of ways that S3 buckets can become public.

    How to find S3 buckets of a target application?

    The S3 bucket name is not a secret, and there are many ways to figure it out. I will try to share all possible ways to find the bucket of the target application.

    Method # 1:

    Many tools are available online for finding the S3 buckets of a website. Some of them are listed below.

    • Lazy S3
    • Bucket_finder
    • AWS Cred Scanner
    • Mass3
    • S3Scanner
    • S3BucketFinder

    Almost all of these are command-line tools. You can download them from GitHub.

    Method # 2:

    Look at the server details reported by the analyzer (browser extension) or in the response to any request to the target application. From these you can tell whether the application uses Amazon S3 to store data.

    Method # 3:

    Right-click on the application page and open “View page source”. Look for URLs like:

    • xyz.s3.amazonaws.com/
    • s3.amazonaws.com/xyz
    • xyz.s3.eu-west-1.amazonaws.com
    • s3.eu-west-1.amazonaws.com/xyz

    Note: xyz represents the bucket name and eu-west-1 is the region. The region can vary.
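Added example (not part of the original post): a defender-side inventory check that recognises the four URL forms listed above in a page's source and extracts the bucket name and region, so that every bucket your own site references can be audited. The sample markup, the bucket names and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)"
# Virtual-hosted style: xyz.s3.amazonaws.com, xyz.s3.eu-west-1.amazonaws.com
VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]*[a-z0-9])\.s3(?:[.-]" + REGION + r")?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/xyz, s3.eu-west-1.amazonaws.com/xyz
PATH_HOST = re.compile(r"^s3(?:[.-]" + REGION + r")?\.amazonaws\.com$")
# Absolute or protocol-relative URLs inside markup.
URL = re.compile(r"(?:https?:)?//[^\s\"'<>)]+", re.I)

def parse_s3_url(url):
    """Return (bucket, region or None) if url points at S3, else None."""
    if "//" not in url:          # bare form such as "s3.amazonaws.com/xyz"
        url = "//" + url
    parts = urlsplit(url, scheme="https")
    host = (parts.hostname or "").lower()
    m = PATH_HOST.match(host)
    if m:                        # bucket is the first path segment
        bucket = parts.path.lstrip("/").split("/", 1)[0]
        return (bucket, m.group("region")) if bucket else None
    m = VHOST.match(host)
    if m:                        # bucket is the leading host label(s)
        return (m.group("bucket"), m.group("region"))
    return None

def buckets_in_source(html):
    """Distinct (bucket, region) pairs referenced anywhere in a page."""
    found = {ref for ref in map(parse_s3_url, URL.findall(html)) if ref}
    return sorted(found, key=lambda r: (r[0], r[1] or ""))

# Constructed page source covering all four URL forms plus one look-alike.
SAMPLE_HTML = """
<img src="https://xyz.s3.amazonaws.com/logo.png">
<script src="//s3.eu-west-1.amazonaws.com/xyz-static/app.js"></script>
<link href="https://xyz-assets.s3.eu-west-1.amazonaws.com/site.css">
<a href="https://s3.amazonaws.com/xyz-backups/readme.txt">readme</a>
<a href="https://example.com/s3.amazonaws.com/not-a-bucket">unrelated</a>
"""

if __name__ == "__main__":
    for bucket, region in buckets_in_source(SAMPLE_HTML):
        print(bucket, region or "(no region in URL)")
```

Matching is done on the parsed hostname, so a URL on another host that merely contains `s3.amazonaws.com` in its path is not reported.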

    Method # 4:

    Use Burp Suite and spider the target web application. The Burp Spider plugin is one of my favorite plugins; it 100% extracts the Amazon bucket of the target application.
    These are some basic techniques for finding out whether an application uses Amazon S3.

    How to exploit misconfigured Amazon buckets with AWS CLI?

    To check the permissions of the bucket, we need to download and install the “AwsCli” tool from the Amazon Web Services website: https://s3.amazonaws.com/aws-cli/AWSCLI64PY3.msi
    After a successful installation, we need to configure it with our AWS keys.

    How to list the objects of a misconfigured Amazon S3 Bucket?

    To list all objects and folders in a bucket, enter the following command:
    aws s3 ls s3://bucket-name


    How to upload an object to a misconfigured Amazon bucket? 

    aws s3 cp file.txt s3://bucket-name
    aws s3 mv file.txt s3://bucket-name


    How to download an object from a misconfigured Amazon bucket?

    aws s3 cp s3://bucket-name/file-name ./
    aws s3 mv s3://bucket-name/file-name ./


    How to delete an object from a misconfigured Amazon bucket?

    aws s3 rm s3://bucket-name/file-name



    What can happen?

    An attacker can control assets on high-profile websites, meaning they could do anything from overwriting files and uploading vulnerable files to downloading intellectual property and deleting sensitive data.

    Since so many companies store sensitive data in S3 buckets, any leak could be devastating. You might remember the Million Dollar Instagram Bug that allowed security researcher Wes Wineberg to access every single image and account on Instagram. This was only possible because he had gained access to Instagram’s S3 bucket, where the company stored everything from source code to images.

    How to fix it?

    There are quite a few recommended actions for protecting the sensitive information in your S3 buckets and minimizing the risk of exposed data, whether from account breaches or losses.

    Restricting Access
    Keep track of who has been granted access to S3 buckets and objects, and the level of privileges that have been granted. Although access to S3 buckets is private by default, write access to everyone automatically grants delete access to S3 objects. Therefore, access to S3 buckets should be restricted to a small number of trusted individuals. Similarly, granting read access to everyone allows all users to read the data saved in S3 buckets. It is important to know that you can use access control lists for granular permissions and enable multi-factor authentication before an object is deleted.
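Added example (not part of the original post): an audit check for the condition described under “Why do Amazon S3 buckets regularly end up open?” and in the paragraph above. It reads a bucket ACL in the JSON shape printed by `aws s3api get-bucket-acl` and reports every grant to the “AllUsers” or “AuthenticatedUsers” group, most dangerous first. The sample ACL, its owner ID and the function name are constructed for this example.

```python
import json

# Grantee URIs of the two predefined groups that make a bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# What each ACL permission allows when granted on a bucket.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of the above",
}
RANK = {"FULL_CONTROL": 0, "WRITE_ACP": 1, "WRITE": 2, "READ": 3, "READ_ACP": 4}

def public_grants(acl_json):
    """Return the grants in a get-bucket-acl document that expose the bucket."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or group is None:
            continue  # canonical users and non-public groups are not flagged
        perm = grant.get("Permission", "")
        findings.append((group, perm, EFFECT.get(perm, "unknown permission")))
    # Most dangerous grants first.
    return sorted(findings, key=lambda f: (RANK.get(f[1], 5), f[0]))

# Constructed sample in the shape printed by `aws s3api get-bucket-acl`.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
})

if __name__ == "__main__":
    for group, perm, effect in public_grants(SAMPLE_ACL):
        print(f"PUBLIC: {group} has {perm} ({effect})")
```

An empty result means the ACL itself grants nothing to either group; bucket policies are a separate mechanism that this check does not read.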

    Audits and Monitoring
    Internal transfers and new hires are common in any team. Regular audits should be performed to ensure that rights have been modified according to the role of the individual. Additionally, logging should be enabled for S3 buckets so that actions performed can be referenced in case of an issue.

    Data Backup
    Initiate a backup of your critical S3 buckets so that data can be restored from the backup copy in case of unexpected modifications or breaches. N2WS offers a free version of CPM that helps with backup, recovery, and disaster recovery of Amazon EC2 instances.

    testimonial

    Vaibhav is a very hardworking and technically competent champ. He is an asset for any organization. We worked together for around 2 years and his project deliveries were always appreciated by the clients. I would definitely look forward to working with him again.

    Praveen Singh

    CTO of Qseap Infotech Pvt. Ltd.

    Vaibhav is one of the most dependable team members I have had. Very enthusiastic and self-motivated. His technical skills are top-notch. He is a great team player. One of the peculiar traits about him is that he knows his weakness and works on it. He makes sure that he overcomes and conquers it. His approach to clearing everyone's doubts is different. Rather than spoon-feeding, he would show the path that would clear the doubt. By this, the person would learn the approach as well as be self-satisfied. He is always up for new challenges and never says no to anything, which impresses the leads. It is always good to have Vaibhav in the team.

    Abhishek Chandan

    Senior Manager at Atos

    Vaibhav Koli
    Hack The Box
    India
