AWS - CloudFront Post Exploitation

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

CloudFront

For more information check:

AWS - CloudFront Enum

cloudfront:Delete*

An attacker granted cloudfront:Delete* can delete distributions, policies and other critical CDN configuration objects — for example distributions, cache/origin policies, key groups, origin access identities, functions/configs, and related resources. This can cause service disruption, content loss, and removal of configuration or forensic artifacts.

To delete a distribution an attacker could use:

aws cloudfront delete-distribution \
  --id <DISTRIBUTION_ID> \
  --if-match <ETAG>

Man-in-the-Middle

This blog post proposes a couple of different scenarios where a Lambda could be added (or modified if it’s already being used) into a communication through CloudFront with the purpose of stealing user information (like the session cookie) and modifying the response (injecting a malicious JS script).

scenario 1: MitM where CloudFront is configured to access some HTML of a bucket

  • Create the malicious function.
  • Associate it with the CloudFront distribution.
  • Set the event type to “Viewer Response”.

Accessing the response you could steal the users cookie and inject a malicious JS.

scenario 2: MitM where CloudFront is already using a lambda function

  • Modify the code of the lambda function to steal sensitive information

You can check the tf code to recreate this scenarios here.

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks