fix(aws-bucket-takeover): exclude S3 account regional namespace bucke…#15608
Merged
pussycat0x merged 4 commits intoprojectdiscovery:mainfrom Mar 25, 2026
Merged
Conversation
…ts from scope AWS introduced Account Regional Namespaces for S3 general purpose buckets on 12 March 2026. Bucket names using this feature are suffixed with a per-account, per-region token (-<12-digit-account-id>-<region>-an), making them cryptographically bound to a single AWS account. Unlike global-namespace buckets, these cannot be registered by a different AWS account, so traditional subdomain takeover is not possible. Without this fix, the template would produce false positives against regional namespace buckets. A negative regex matcher has been added on the host part to exclude regional namespace buckets from scope. This only addresses the direct CNAME takeover path (Case 2). The hostname-mismatch variant (Case 3 — where a CNAME points to a regional bucket but the Host header resolves a different unclaimed global bucket) is a distinct attack vector and should be covered in a separate template. References: https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-s3-account-regional-namespaces/ and https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html
Neo - Nuclei Template ReviewNo security issues found Highlights
Hardening Notes
Comment |
![neo-by-projectdiscovery-dev[bot]](https://avatars.githubusercontent.com/in/2878468?s=60&v=4){kind=small}
…ts from scope AWS introduced Account Regional Namespaces for S3 general purpose buckets on 12 March 2026. Bucket names using this feature are suffixed with a per-account, per-region token (-<12-digit-account-id>-<region>-an), making them cryptographically bound to a single AWS account. Unlike global-namespace buckets, these cannot be registered by a different AWS account, so traditional subdomain takeover is not possible. Without this fix, the template would produce false positives against regional namespace buckets. A negative regex matcher has been added on the host part to exclude regional namespace buckets from scope. This only addresses the direct CNAME takeover path (Case 2). The hostname-mismatch variant (Case 3 — where a CNAME points to a regional bucket but the Host header resolves a different unclaimed global bucket) is a distinct attack vector and should be covered in a separate template. References: https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-s3-account-regional-namespaces/ and https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html
venjaku
commented
Mar 16, 2026
Contributor
Author
venjaku
left a comment
venjaku
left a comment
There was a problem hiding this comment.
Updated the brand, please review
Updated regex pattern to - '^[a-z0-9][a-z0-9-]+-[0-9]{12}-[a-z0-9-]+-an\.s3\.[a-z0-9-]+\.amazonaws\.com'
venjaku
commented
Mar 16, 2026
Contributor
Author
venjaku
left a comment
venjaku
left a comment
There was a problem hiding this comment.
made changes to the branch
pussycat0x
approved these changes
Mar 25, 2026
Contributor
|
Hi @venjaku, Thank you for updating this template with the community and for your contribution to this project. Your efforts are greatly appreciated. Cheers! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updates the AWS S3 bucket takeover detection template to properly exclude AWS Account
Regional Namespace buckets, which are account-bound and cannot be taken over.
Changes Made
<name>-<account-id>-<region>-an.s3...amazonaws.comTechnical Details
AWS introduced Account Regional Namespace for S3 in March 2026. These buckets:
Related