Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about BigQuery check:
Reading the information stored inside the a BigQuery table it might be possible to find sensitive information. To access the info the permission needed is bigquery.tables.get , bigquery.jobs.create and bigquery.tables.getData:
This is another way to access the data. Export it to a cloud storage bucket and the download the files with the information.
To perform this action the following permissions are needed: bigquery.tables.export, bigquery.jobs.create and storage.objects.create.
It might be possible to introduce certain trusted data in a Bigquery table to abuse a vulnerability in some other place. This can be easily done with the permissions bigquery.tables.get , bigquery.tables.updateData and bigquery.jobs.create:
bigquery.datasets.setIamPolicyAn attacker could abuse this privilege to give himself further permissions over a BigQuery dataset:
bigquery.datasets.update, (bigquery.datasets.get)Just this permission allows to update your access over a BigQuery dataset by modifying the ACLs that indicate who can access it:
bigquery.tables.setIamPolicyAn attacker could abuse this privilege to give himself further permissions over a BigQuery table:
bigquery.rowAccessPolicies.update, bigquery.rowAccessPolicies.setIamPolicy, bigquery.tables.getData, bigquery.jobs.createAccording to the docs, with the mention permissions it's possible to update a row policy.
However, using the cli bq you need some more: bigquery.rowAccessPolicies.create, bigquery.tables.get.
It's possible to find the filter ID in the output of the row policies enumeration. Example:
If you have bigquery.rowAccessPolicies.delete instead of bigquery.rowAccessPolicies.update you could also just delete the policy:
Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when term is Cfba, just modify all the records of the table to have term = "Cfba". However this is prevented by bigquery.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
