
JSON output

Open ansidorov opened this issue 3 years ago • 5 comments

Good afternoon. Thank you very much for a great tool. It would be nice to be able to get a report in json format for the convenience of scan automation. Do you plan to add such functionality?

ansidorov, Nov 02 '21 07:11

I've thought about it for a long time - I'm just not sure the best way to handle it. It's possible for the tool to be scanning for a long time and be cancelled so I'm not sure if the whole thing should be wrapped in an array.

The two options would basically be:

[
    { "name": "myBucket", "exists": true, "auth_users": ["ReadACP"], "all_users": ["Read", "WriteACP"]},
    { "name": "myBucket2", "exists": true, "auth_users": ["ReadACP"], "all_users": ["Read", "WriteACP"]}
]

{ "name": "myBucket", "exists": true, "auth_users": ["ReadACP"], "all_users": ["Read", "WriteACP"]}
{ "name": "myBucket2", "exists": true, "auth_users": ["ReadACP"], "all_users": ["Read", "WriteACP"]}

Which option do you think would work better?

sa7mon, Nov 17 '21 02:11
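Added example (not S3Scanner's own code) contrasting the two formats proposed above: line-delimited output, which leaves every finished record readable if the scan is cancelled midway, against a single top-level array, which a truncated run leaves unparseable. The records are constructed and only reuse the field names from the comment.

```python
import io
import json

# Constructed sample results in the shape proposed in the thread: bucket name,
# existence, and permissions granted to the AuthenticatedUsers / AllUsers groups.
SAMPLE_RESULTS = [
    {"name": "myBucket", "exists": True, "auth_users": ["ReadACP"], "all_users": ["Read", "WriteACP"]},
    {"name": "myBucket2", "exists": True, "auth_users": ["ReadACP"], "all_users": ["Read", "WriteACP"]},
]


def write_ndjson(results, out):
    """Write one compact JSON object per line; returns the number of lines written."""
    count = 0
    for record in results:
        # Each line is a complete JSON document, so a cancelled scan still
        # leaves every finished line parseable.
        out.write(json.dumps(record, separators=(",", ":")) + "\n")
        out.flush()  # line reaches the pipe/file before the next bucket is scanned
        count += 1
    return count


def render_ndjson(results):
    """NDJSON output as a string, i.e. what a downstream consumer reads back."""
    buf = io.StringIO()
    write_ndjson(results, buf)
    return buf.getvalue()


def read_ndjson(text):
    """Parse NDJSON into (records, unparseable_line_count)."""
    records, bad = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # partial trailing line from a killed writer: skip, don't abort
    return records, bad


def array_survives_truncation(results, cut):
    """Whether the single-array format still parses if output stops after `cut` chars."""
    try:
        json.loads(json.dumps(results)[:cut])
        return True
    except json.JSONDecodeError:
        return False


def ndjson_records_after_truncation(results, cut):
    """Number of records a reader recovers from NDJSON output cut after `cut` chars."""
    return len(read_ndjson(render_ndjson(results)[:cut])[0])
```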

The second log format is more popular with various tools

ansidorov, Nov 17 '21 06:11

Don't use the first option as it is vulnerable to JSON Hijacking if used incorrectly

Thanks for a great tool.


Savvy95, Nov 17 '21 17:11

Could you elaborate on “JSON hijacking”? I’ve never heard the term before


sa7mon, Nov 17 '21 17:11

If JSON is used in a web application, and is vulnerable, an attacker may be able to steal sensitive information from an unsuspecting victim. If the JSON won't be used in a web app, then this issue becomes a moot point. I just thought that since you won't know how people will use the JSON data that you should know.

Here's a link that can demystify it: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/json-hijacking-demystified/

Thanks


Savvy95, Nov 17 '21 18:11

Thank you for your bug report. I have just merged the pull request for a complete re-write of this tool in Go, and the new version includes a JSON output option.

sa7mon, Jul 29 '23 03:07