Fraser Scott

icon indicating a website link https://0x10.co icon indicating an email [email protected]

icon location UK

Results 23 comments of Fraser Scott

Create & Publish "Request for Threat Models"

We'll need a few versions.. a short one for twitter and a longer one for email etc.

S3 - Attacker gains access to insecurely configured S3 bucket via brute forcing the bucket name

:100:

S3 - Attacker gains access to insecurely configured S3 bucket via brute forcing the bucket name

The first one is taking advantage of the global namespace and guessing bucket names, the second one would apply I guess if you knew about the bucket, had GetObject but...

S3 - Attacker gains access to insecurely configured S3 bucket via brute forcing the bucket name

I may have accidentally duplicated this with https://github.com/owasp-cloud-security/owasp-cloud-security/pull/108 - please take a look @msaindane and then I can either tweat OCST-1.2.2 or we can perhaps merge the stories together.

Create CODE_OF_CONDUCT.md

Like a general OWASP admin or abuse address?

S3 - Attacker can recover sensitive information from a previous version of a file stored.

Is this because of the use of delete markers? https://docs.aws.amazon.com/AmazonS3/latest/dev/DeleteMarker.html

S3 - Attacker can recover sensitive information from a previous version of a file stored.

This is a good one. I would imagine a lot of people get caught out by this.

S3 - Buckets containing private or proprietary data are accidentally made public

See https://github.com/owasp-cloud-security/owasp-cloud-security/pull/108

S3 - Buckets containing private or proprietary data are accidentally made public

Sort of duplicate to #57

Look at options for blog posts

Doesn't look like it. The main OWASP blog is on blogpost - https://owasp.blogspot.co.uk/ Have you used medium? It seems to be a standard these days. Does it support multiple collaborators?