Exposed S3 Credentials of QuadX

What is Secuna?
Secuna is the first and only crowdsourced cybersecurity testing platform in the Philippines helping startups and SMEs by connecting them to vetted security researchers to find and fix security vulnerabilities before they can be exploited by cybercriminals.

Benefits at Secuna:

Hacker Success Team
Secuna is an ever-evolving crowdsourced cybersecurity testing platform managed by an experienced cybersecurity team. They are determined to deliver the platform’s best support.
Hacking Community Support
Hacking is a fun but tough journey, with an inevitable landscape of new challenges & technologies due to rapid digital transformation. Our hacking communities are here to help every cybersecurity professional level up and sharpen their skillsets.
Hacking Security Programs
We work with different organizations from across the globe, giving you access to security programs of all types and the ability to hack legally whenever you want.
Not Just About Money
Aside from earning huge bounties on our platform, you can enhance your skills and learn so much more from other hackers.

Without further ado, let’s move to the bug.

Static Analysis

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program.

https://searchwindevelopment.techtarget.com/definition/static-analysis

In this blog post we will look for sensitive information (passwords, API keys, storage credentials, etc.) left behind in the application's JavaScript files.

Find JavaScript Files
There are multiple ways to gather the JavaScript files an application loads.

Download the JavaScript File

Make the File Readable

npm install js-beautify

You can use any JavaScript beautifier. Once you have installed js-beautify, run the following command to beautify the JavaScript file:

js-beautify paylink.js > paylink-clean.js

Now open your favorite text editor and start looking for the needle in the haystack: hard-coded credentials such as AWS access keys and secret keys.

Check the Credentials Using aws-cli

pip install awscli
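Reading a beautified bundle by hand does not scale, so here is an added example (my own code, not part of the original write-up or any QuadX/Secuna tooling) that automates the "needle in a haystack" step: it scans JavaScript source for AWS access key IDs, secret keys assigned next to a `secret...key` property, and S3 bucket URLs, reporting each with its line number. The sample bundle is constructed and uses AWS's documented placeholder credentials, not a real key.

```python
import re
from typing import List, Tuple

# Constructed sample of a beautified front-end bundle. The key pair is
# the placeholder AWS publishes in its documentation, not a live credential.
SAMPLE_JS = """
var cfg = {
    region: "ap-southeast-1",
    bucket: "https://example-uploads.s3.amazonaws.com/",
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
};
function upload(f) { return fetch(cfg.bucket + f.name); }
"""

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 [A-Z0-9].
ACCESS_KEY = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-char secret assigned to a property whose name contains secret...key
# (secretAccessKey, aws_secret_key, AWS_SECRET_ACCESS_KEY, ...).
SECRET_KEY = re.compile(
    r"""(?i)(?:aws)?_?secret(?:_?access)?_?key\W{0,5}['"]([A-Za-z0-9/+=]{40})['"]"""
)
# Virtual-hosted or path-style S3 URLs and s3:// URIs.
S3_URL = re.compile(
    r"""(?:https?://[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com|s3://)[^\s"']*"""
)

Finding = Tuple[str, int, str]  # (kind, line number, matched value)


def scan_js(source: str) -> List[Finding]:
    """Return every credential-looking match in `source`, sorted by line."""
    findings: List[Finding] = []
    for kind, pattern, group in (
        ("aws_access_key_id", ACCESS_KEY, 0),
        ("aws_secret_access_key", SECRET_KEY, 1),
        ("s3_url", S3_URL, 0),
    ):
        for m in pattern.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((kind, line_no, m.group(group)))
    return sorted(findings, key=lambda f: f[1])


def mask(value: str) -> str:
    """Show only the ends of a matched value so reports do not re-leak it."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-4:]


if __name__ == "__main__":
    for kind, line_no, value in scan_js(SAMPLE_JS):
        print(f"line {line_no:>4}: {kind:<22} {mask(value)}")
```

Run it over `paylink-clean.js` (or any beautified bundle) in a pre-deploy check; anything it flags should be treated as already leaked and rotated, and the aws-cli step above tells you whether the key is still live.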

A few minutes after submitting, QuadX immediately addressed the issue, and the vulnerability was fixed a few hours later, giving me the points I needed to top the leaderboards at Secuna.

Kudos to QuadX for being transparent about the remediation timeline, I love the fast response ❤️ ❤️ ❤️, and to Secuna, thank you so much for building this awesome cybersecurity testing platform. Godspeed ❤️

Did you learn something? Share this! #sharingiscaring

Bonus:
Jobert Abma created relative-url-extractor, a small tool that extracts relative URLs from a file. This can help you get a quick overview of all the relative endpoints referenced in a JavaScript file.