Security misconfiguration represents one of the most common vulnerabilities in cloud environments. In this short write-up, I’ll demonstrate a misconfiguration in Alibaba Cloud Object Storage Service (OSS) — think of it as equivalent to Amazon S3. This flaw allows arbitrary users to upload files directly into cloud storage, opening the door to abuse scenarios like filling up storage space or overwriting existing data.
If you are familiar with protocols like WebDAV, you know that the HTTP PUT method can be dangerous if not configured properly, as it can allow unauthorized file uploads.
The Vulnerability
If during a bug bounty program or a pentest engagement you encounter an OSS endpoint and it returns a 403 Forbidden status, just try sending a PUT request, like the following:
curl -X PUT https://redacted.com/proof-of-concept.json \
-H 'Content-Type: application/json' \
-d '{"id": "test"}'
Afterwards, try accessing the file using a basic GET request:
If the file renders, congratulations: you've found an unrestricted file upload vulnerability! But test carefully, as this operation can overwrite legitimate files. Additionally, an attacker could attempt to overwrite existing objects in the storage.
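As an added example (not from the write-up), the same PUT-then-GET check scripted as an audit for a bucket you are responsible for: it uses a random canary key so no existing object is overwritten and removes the canary with DELETE afterwards. The endpoint URL is an assumption, and the FakeBucket class is a constructed stand-in for an OSS bucket in its two ACL states so the check can be exercised offline.

```python
import threading
import urllib.error
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_anonymous_write(base_url, timeout=5.0):
    """Probe an OSS-style endpoint (assumed URL) with an unauthenticated PUT.
    A random canary key means no existing object is overwritten; on success
    the canary is confirmed with GET and then removed with DELETE."""
    url = f"{base_url.rstrip('/')}/audit-canary-{uuid.uuid4().hex}.json"
    def send(method, data=None):
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 403/404 are findings, not transport errors
    put_status = send("PUT", b'{"id": "audit-canary"}')
    writable = 200 <= put_status < 300
    return {"url": url, "put_status": put_status, "anonymous_write": writable,
            "readable": writable and send("GET") == 200,
            "cleaned_up": writable and send("DELETE") in (200, 204)}

class FakeBucket(BaseHTTPRequestHandler):
    """Constructed stand-in, not OSS itself: 'public-read-write' accepts an
    anonymous PUT, 'private' answers 403 like a correctly locked-down bucket."""
    acl, objects = "private", {}
    def _reply(self, status, body=b""):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):  # drain the body first so the client sees a clean reply
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.acl != "public-read-write":
            return self._reply(403)
        self.objects[self.path] = body
        self._reply(200)
    def do_GET(self):
        body = self.objects.get(self.path)
        self._reply(200 if body is not None else 404, body or b"")
    def do_DELETE(self):
        self.objects.pop(self.path, None)
        self._reply(204)

def run_fake_bucket(acl):
    # Start the stand-in on a free local port; returns (server, base_url).
    FakeBucket.acl = acl
    srv = HTTPServer(("127.0.0.1", 0), FakeBucket)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"
```

A result with anonymous_write set to True on a real bucket means its ACL or bucket policy grants writes to anonymous users and should be tightened to private.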