1.8 KiB
AWS - CloudFront Post Exploitation
{{#include ../../../../banners/hacktricks-training.md}}
CloudFront
For more information check:
{{#ref}} ../../aws-services/aws-cloudfront-enum.md {{#endref}}
cloudfront:Delete*
An attacker granted cloudfront:Delete* can delete distributions, policies and other critical CDN configuration objects — for example distributions, cache/origin policies, key groups, origin access identities, functions/configs, and related resources. This can cause service disruption, content loss, and removal of configuration or forensic artifacts.
To delete a distribution an attacker could use:
aws cloudfront delete-distribution \
--id <DISTRIBUTION_ID> \
--if-match <ETAG>
Man-in-the-Middle
This blog post proposes a couple of different scenarios where a Lambda could be added (or modified if it's already being used) into a communication through CloudFront with the purpose of stealing user information (like the session cookie) and modifying the response (injecting a malicious JS script).
scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
- Create the malicious function.
- Associate it with the CloudFront distribution.
- Set the event type to "Viewer Response".
Accessing the response you could steal the users cookie and inject a malicious JS.
scenario 2: MitM where CloudFront is already using a lambda function
- Modify the code of the lambda function to steal sensitive information
You can check the tf code to recreate this scenarios here.
{{#include ../../../../banners/hacktricks-training.md}}