$ git blame 1: michenriksen/bucketlist

Dec 06, 17

$ git blame

Hello and welcome. This will be an ongoing series of short posts where I outline the minor commits I make to security-related OSS.

The Tool

The first tool I contributed to was bucketlist, by Michael Henriksen.

Bucketlist is a Ruby and PostgreSQL backed Amazon Simple Cloud Storage Service enumerator and crawler. It takes a provided wordlist and a built-in list of permutations, and uses them to programmatically generate and check for open S3 buckets.

The Problem

Bucketlist runs numerous permutations of each wordlist item. Each of these is checked, and all valid buckets are printed to the console, whether they are publicly accessible or private. This results in a huge flood of information to the console, much of which wasn’t always relevant to my use case.

My contribution

PR#1

My goal was to add optional flags to Bucketlist that would allow the operator to specify whether they want information on private buckets printed, and whether they want the wordlist permuted.

--no-private

For this flag, changes were made to both bin/bucket_finder and bin/bucket_crawler.

Code changes:

  • Added OptionParser with options[:showprivate]

  • Placed console output code for private buckets inside a conditional

--no-perm

This flag was only added to bin/bucket_finder.

Code changes involved:

  • Adding options[:permutations] to OptionParser

  • Placing the code to yield the permutations inside a conditional
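A sketch of how the two flags described above can gate permutation and console output. This is an added example, not the code from the PR or from bucketlist itself: the function names, `PATTERNS` and the sample results are constructed for illustration, and no requests are made.

```ruby
require "optparse"

# Constructed permutation patterns (assumption; not bucketlist's built-in list).
PATTERNS = ["%s-backup", "%s-dev", "dev-%s"].freeze

# Parse the two optional flags. Both behaviours default to on, so running
# without flags keeps the original output.
def parse_flags(argv)
  options = { showprivate: true, permutations: true }
  OptionParser.new do |opts|
    opts.banner = "Usage: example [options]"
    opts.on("--no-private", "Do not print private buckets") do
      options[:showprivate] = false
    end
    opts.on("--no-perm", "Check wordlist items as given, without permutations") do
      options[:permutations] = false
    end
  end.parse(argv)
  options
end

# Candidate names for each wordlist item; permutations sit behind the conditional.
def candidates(words, options)
  words.flat_map do |word|
    perms = options[:permutations] ? PATTERNS.map { |p| format(p, word) } : []
    [word, *perms]
  end
end

# Console lines for checked buckets; private ones are dropped when the
# operator passed --no-private.
def report(results, options)
  results
    .reject { |_name, state| state == :private && !options[:showprivate] }
    .map { |name, state| "#{state}: #{name}" }
end

if __FILE__ == $PROGRAM_NAME
  opts = parse_flags(["--no-private"])                   # constructed argv
  checked = { "acme" => :private, "acme-dev" => :public } # constructed results
  puts candidates(["acme"], opts)
  puts report(checked, opts)
end
```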