1 Answer
- Newest
- Most votes
- Most comments
2
Hi,
It is not leaking anything that you don't know as the requester: the SigV4 protocol imposes you to supply the AccessKey in http header x-amz-credential
.
See https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html for the http frame structure.
So, the error message that you see is just returning you something that you provided as input: it is not divulging anything additional.
To know more about SigV4 process: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Best,
Didier
Relevant content
- asked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Hi Martiz, you may be indeed rising an interesting question!! Are you in touch with AWS security folks to explore your point? Please, reach me out via LinkedIn at https://www.linkedin.com/in/ddurand/. I'll try to route you to appropriate folks
sure , i really appreciate the help , my linked name is Tarun Joshi
Hey thanks for the clarification , as i said I'm a security researcher and i found a subdomain where i saw this <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>NAKC65RQYHR95FWQ</RequestId> <HostId>UEgZWwl7PyMQXMV2fgIUqEnpBKuh9lydxmpSkRtpavESWjOACCNh49RpQXRceshWCYzAB11BY2M=</HostId> </Error> but after some content discovery i found the endpoint which i appended to the subdomain juste like this
https://icon.domain.net/... and got this in response <AWSAccessKeyId>XXXXXXXXXXXXXXXXX</AWSAccessKeyId> <StringToSign>AWS4-HMAC-SHA256 20240117T095347Z 20240117/us-east-1/s3/aws4_request 1e0f232543f9e0eccb5b9154102100476546cd64fc29f59d11c61db7cb03a98a</StringToSign> <SignatureProvided>b4c5ff5b5f5dffa6fca1d1157b01a39db471d8fcafb11ce293cbf9b0c7767553</SignatureProvided> <StringToSignBytes>41 57 53 34 1</StringToSignBytes> <CanonicalRequest>GET /assets/no_op%3Bjsessionid%3D host:prod-XXXX-assets.s3.amazonaws.com x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20240117T095347Z host;x-amz-content-sha256;x- so i just wanted to ask the aws access key id is real .. right and belongs to the organization ?