Links

AWS - Elastic Beanstalk Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Elastic Beanstalk

For more information check:

Web vulnerability

Note that by default Beanstalk environments have the Metadatav1 disabled.
The format of the Beanstalk web pages is https://<webapp-name>-env.<region>.elasticbeanstalk.com/

Insecure Security Group Rules

Misconfigured security group rules can expose Elastic Beanstalk instances to the public. Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance.

Publicly Accessible Load Balancer

If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can send requests directly to the load balancer. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments.

Publicly Accessible S3 Buckets

Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could download the application code and search for vulnerabilities or sensitive information.

Enumerate Public Environments

aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: