A small library to alter AWS API requests; Used for fuzzing research
This tool was used to identify two XSS vulnerabilities in the AWS Console and is based off previous work in silently enumerating API permissions. It is also what almost got me stuck with a $3,000/month bill (thank you to AWS for getting me out of that).
This software is VERY hacky and should be considered alpha-quality at best. It was originally designed with a very different intention and grew from there. If you are intendeding to use it I would advise you to intercept all traffic (https_proxy) with something like Burp Suite so that you can inspect it.
This library is NOT maintained and is provided as is. I realized it was marked as private and didn't see a reason not to make it public.
DO NOT BLINDLY FUZZ EVERY API ACTION. YOU WILL END UP WITH A HEFTY BILL. I DO NOT TAKE RESPONSIBILITY FOR ANY COSTS ASSOCIATED WITH USING THIS SOFTWARE.
There are some examples in this Twitter thread.
- content_type (String)
- noparams (Boolean)
- creds (Credentials object)
- host (String)
- param (dictionary for params)
- protocol (json | ec2 | query | rest-json | rest-xml)