[FALSE-POSITIVE] ...

[j4schur]

Template IDs or paths

- cloud/aws/s3/s3-bucket-policy-public-access.yaml

Environment

- OS: AWS
- Nuclei: Any version
- Go: Any version

Steps To Reproduce

1. Run nuclei -t code/aws/s3/s3-bucket-policy-public-access.yaml -code -debug
2. If you have a bucket policy that looks like this:
   { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::000000000000:role/ROLE_NAME" }, "Action": [ "s3:DeleteObject*", "s3:GetBucket*", "s3:List*", "s3:PutBucketPolicy" ], "Resource": [ "arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*" ] } ] }
3. You get a false positive result because the template looking for "" and "Effect:: "Allow". But looking at the policy above the "" is on the "Effect": "Deny".

Relevant dumped responses

{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":{"AWS":"*"},"Action":"s3:*","Resource":["arn:aws:s3:::BUCKET_NAME","arn:aws:s3:::BUCKET_NAME/*"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}},{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::0000000000:role/ROLE_NAME"},"Action":["s3:DeleteObject*","s3:GetBucket*","s3:List*","s3:PutBucketPolicy"],"Resource":["arn:aws:s3:::BUCKET_NAME","arn:aws:s3:::BUCKET_NAME/*"]}]}

[s3-bucket-policy-public-access:word-1] [code] [critical]  ["The S3 bucket BUCKET_NAME is publicly accessible via Policy"]
[s3-bucket-policy-public-access:word-2] [code] [critical]  ["The S3 bucket BUCKET_NAME is publicly accessible via Policy"]

Anything else?

No response