TL;DR: Access control for AWS S3 is configured at several levels, and each level has its own ways of being misconfigured. We walk through the specifics of each level and identify the dangerous cases where weak ACLs create vulnerable configurations, affecting the owner of the S3 bucket and, through third-party assets served from S3 that a lot of companies depend on, those companies as well. We also show how to configure it properly and how to monitor for these sorts of issues.
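As an added example (not code from the post above), the following check flags the ACL grants that make a bucket or object world-accessible. It assumes the ACL document has the shape returned by the S3 GetBucketAcl / GetObjectAcl API (as boto3's `get_bucket_acl` returns it: an `Owner` plus a list of `Grants`); the sample ACL embedded below is constructed for the example, and the owner ID in it is made up.

```python
"""Flag S3 ACL grants to the predefined public groups.

Added example; the ACL document is assumed to have the GetBucketAcl /
GetObjectAcl shape (Owner + Grants), and SAMPLE_ACL is constructed.
"""

# Grantee URIs S3 uses for its predefined global groups. AllUsers means
# anonymous, unauthenticated access; AuthenticatedUsers means *any* AWS
# account in the world, not just yours, so it is effectively public too.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous (AllUsers)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account (AuthenticatedUsers)",
}

# Severity by permission. WRITE lets anyone upload or overwrite objects (for
# example a JavaScript file that other sites include), WRITE_ACP and
# FULL_CONTROL let anyone rewrite the ACL itself, READ lists the bucket or
# fetches the object, READ_ACP only reveals the ACL.
SEVERITY = {
    "FULL_CONTROL": "critical",
    "WRITE": "critical",
    "WRITE_ACP": "critical",
    "READ": "high",
    "READ_ACP": "medium",
}


def find_public_grants(acl):
    """Return one finding per grant made to a world-accessible group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are specific accounts
        uri = grantee.get("URI", "")
        if uri not in PUBLIC_GROUP_URIS:
            continue  # e.g. the s3/LogDelivery group is not world-accessible
        permission = grant.get("Permission")
        findings.append({
            "grantee": PUBLIC_GROUP_URIS[uri],
            "permission": permission,
            "severity": SEVERITY.get(permission, "unknown"),
        })
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None if the ACL is clean."""
    order = {"critical": 0, "high": 1, "medium": 2, "unknown": 3}
    if not findings:
        return None
    return min((f["severity"] for f in findings), key=order.__getitem__)


# Constructed sample: owner has full control, the log-delivery group may
# write (normal for access logging), but two grants expose the bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef", "DisplayName": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}


if __name__ == "__main__":
    found = find_public_grants(SAMPLE_ACL)
    for f in found:
        print(f"{f['severity']:8} {f['permission']:12} granted to {f['grantee']}")
    print("worst:", worst_severity(found))
```

Because GetObjectAcl returns the same `Owner`/`Grants` shape, the same function can be run over each object's ACL, which matters because an object uploaded with a public canned ACL stays public even when the bucket ACL is clean. The ACL is also only one of the levels: a bucket policy can open a bucket that has a clean ACL, and S3 Block Public Access can close one that has a bad ACL, so a monitor should check all of them rather than stop at the first.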
Our guest blogger and Detectify Crowdsource hacker ak1t4 explains how he discovered and reported a persistent (stored) XSS vulnerability in Teamtailor that affected thousands of career sites, including Detectify's own external career site. Teamtailor patched the vulnerability within one day of the report.
TL;DR: Internet Explorer used to have a bug that let attackers force victims to send requests with malformed Host headers. File Descriptor used it to steal GitHub OAuth tokens, and we used it to confuse Heroku's and Fastly's host routing so that they served our content on their customers' domains. Fastly and Heroku have since patched the issue on their side.