
Comments (7)

shivankar-madaan avatar shivankar-madaan commented on August 27, 2024

Hi @xep624
I think this is a really cool idea. Yeah, I think we can add this feature to download only the buckets which are public, instead of downloading all of them (just an idea). I'm a bit worried about the size of the bucket contents as well; also, should we download only text files?

@jayeshchauhan any thoughts?

from cs-suite.

xep624 avatar xep624 commented on August 27, 2024

Hi @shivankar-madaan
Why only public buckets? I rather thought that, using cs-suite, you can specify the keys to your bucket(s). DumpsterDiver has an option to remove a file if there's no finding in it. There would be 2 parallel processes: one for downloading (for better performance it can support multithreading for parallel downloading) and the second one for verifying a file. DumpsterDiver by default will be run with the '-r' flag, which will remove a file if nothing is found there.
Regarding file types, I think only picture/video files should be excluded. If the tool cannot read a file (e.g. it's encrypted) then it cannot find anything there, so such a file would be removed.
What do you think about such an idea?


shivankar-madaan avatar shivankar-madaan commented on August 27, 2024

Hey @xep624
I was suggesting public buckets only, as only they pose a good amount of risk of being leaked. But very obviously, it's not a good practice to store keys in private buckets either.
Regarding the files being kept or removed on the local system: initially I was just assuming that we show an alert on the HTML report cs-suite generates (for the file having sensitive info), specifying the bucket and its respective path, and I further assumed we would clear off all the files from the local system after they are analysed (again, I just assumed, and it's just an idea).
I agree that we should have video/images removed from the analysis part.

Just to gain more insight on DumpsterDiver: other than AWS keys, does it also detect API keys of other kinds?

Just as a heads-up, cs-suite currently just requires read-only IAM permissions. So basically we will have to add one more permission for downloading S3 contents as well.

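The pipeline sketched in the two comments above (download object, scan it, report bucket and path on a finding, remove the local copy, never fetch picture/video files) as an added example. This is not cs-suite's or DumpsterDiver's own code: the rule patterns, function names and the boto3-based `iter_s3_objects` source are my assumptions, and the scanner itself runs offline on a constructed sample listing.

```python
import os
import re
import tempfile
from typing import Iterable, Iterator, List, Tuple

# Picture/video extensions are never downloaded: a text scanner cannot read
# them, so they only cost bandwidth and disk (the exclusion the thread agrees on).
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp4", ".mov", ".avi", ".mkv"}

# Detection rules (assumed, not DumpsterDiver's signatures). The AWS access key
# id pattern follows the documented 'AKIA' + 16 character format; the other two
# are deliberately generic.
RULES = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S{6,}"),
}

Finding = Tuple[str, str, str]  # (bucket, object key, rule name) -> one report row


def is_media(key: str) -> bool:
    return os.path.splitext(key)[1].lower() in MEDIA_EXTENSIONS


def scan_file(path: str) -> List[str]:
    """Return the names of every rule that matches somewhere in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in RULES.items() if rx.search(data)]


def scan_bucket(bucket: str, objects: Iterable[Tuple[str, bytes]], workdir: str) -> List[Finding]:
    """Download, scan, delete: each object body is written to a temporary file
    under workdir, scanned, and removed whether or not anything was found, so
    the only thing kept is the (bucket, key, rule) list for the HTML report."""
    findings: List[Finding] = []
    for key, body in objects:
        if is_media(key):
            continue
        # A fresh temp name is used instead of the object key so that a
        # hostile key such as '../x' can never write outside workdir.
        with tempfile.NamedTemporaryFile(dir=workdir, delete=False) as tmp:
            tmp.write(body)
            local = tmp.name
        try:
            for rule in scan_file(local):
                findings.append((bucket, key, rule))
        finally:
            os.remove(local)
    return findings


def iter_s3_objects(bucket: str) -> Iterator[Tuple[str, bytes]]:
    """Assumed S3 source (not cs-suite's code): read-only access, i.e.
    s3:ListBucket plus s3:GetObject on the bucket, is all it needs.
    boto3 is imported lazily so the offline demo below does not require it."""
    import boto3
    s3 = boto3.client("s3")
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            if is_media(obj["Key"]):
                continue  # skip the GetObject call entirely for media
            yield obj["Key"], s3.get_object(Bucket=bucket, Key=obj["Key"])["Body"].read()


# Constructed sample objects standing in for a bucket listing.
SAMPLE_OBJECTS = [
    ("config/app.env", b"DB_PASSWORD=hunter2secret\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"),
    ("assets/logo.png", b"\x89PNG\r\n AKIAIOSFODNN7EXAMPLE"),  # media: never downloaded
    ("notes/readme.txt", b"nothing sensitive in here\n"),
]


def demo() -> Tuple[List[Finding], List[str]]:
    """Run the pipeline on the constructed sample and report what is left on disk."""
    with tempfile.TemporaryDirectory() as workdir:
        findings = scan_bucket("example-bucket", SAMPLE_OBJECTS, workdir)
        leftover = os.listdir(workdir)  # expected empty: every download was removed
    return findings, leftover


if __name__ == "__main__":
    for bucket, key, rule in demo()[0]:
        print(f"s3://{bucket}/{key}: {rule}")
```

Against a real bucket you would pass `iter_s3_objects(bucket)` to `scan_bucket` in place of `SAMPLE_OBJECTS`; the media check runs before the `GetObject` call so excluded files are never transferred, and the temp-file naming keeps an attacker-controlled object key from choosing where the scanner writes.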

xep624 avatar xep624 commented on August 27, 2024

Hi @shivankar-madaan
Sorry for the late reply. Regarding removing all files and reporting findings in the HTML report - fully agree, this is how it should work.
Can DumpsterDiver detect API keys? Yes, it can; it may be customised to look only for API keys.
Regarding permissions, having read-only permissions to the bucket should be enough, and I don't think a special permission is required for downloading files.
If you need any information or support, just please let me know!


Electronickss avatar Electronickss commented on August 27, 2024

other than AWS keys

This may have been added recently but

DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords

Which, at the very least, would mean it would be interesting to use with Azure as well


xep624 avatar xep624 commented on August 27, 2024

Absolutely agree. It will just require another downloader - the rest would stay the same.


shivankar-madaan avatar shivankar-madaan commented on August 27, 2024

Yes, I agree; we should definitely leverage this. I will get this added; else, if anyone wants to work on this, pull requests are highly welcome :)
