aws-elastic-beanstalk-unauthenticated-enum.md

AWS - Elastic Beanstalk Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Elastic Beanstalk

For more information check:

{% content-ref url="../../aws-pentesting/aws-services/aws-elastic-beanstalk-enum.md" %} aws-elastic-beanstalk-enum.md {% endcontent-ref %}

Web vulnerability

Note that by default Beanstalk environments have the Metadatav1 disabled.

The format of the Beanstalk web pages is https://<webapp-name>-env.<region>.elasticbeanstalk.com/

Insecure Security Group Rules

Misconfigured security group rules can expose Elastic Beanstalk instances to the public. Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance.

Publicly Accessible Load Balancer

If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can send requests directly to the load balancer. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments.

Publicly Accessible S3 Buckets

Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could download the application code and search for vulnerabilities or sensitive information.

Enumerate Public Environments

{% code overflow="wrap" %}

aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table

{% endcode %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.