
S3 Bucket Takeovers - False Negatives  #10318

Closed

Description

The S3 bucket takeover template explicitly negates findings that have amazonaws.com in the URL. This seems like an oversight, but maybe it was done for tuning, I'm unsure.

Nuclei Version:

v3.3.0

Template file:

nuclei-templates/http/takeovers/aws-bucket-takeover.yaml

Command to reproduce:

nuclei -v -t ~/nuclei-templates/http/takeovers/aws-bucket-takeover.yaml -u https://fakebucketaaz1.s3.amazonaws.com

One assumes the above command should yield a positive finding. The bucket doesn't exist (at the time of this submission). Note, this is an obviously overly simplified example, but it yields the behavior one would expect. Nuclei should call this out as a possible dangling bucket. Sadly it does not.

When scanning with Katana, we often find direct S3 endpoint calls, and we were expecting nuclei to call out if the referenced bucket doesn't exist. We can create our own template for our specific use case, but figured it was at least worth mentioning here.

This behavior seems to have been introduced somewhere between 10f54bb and f703666.

Again, maybe this was done for tuning, but the behavior seems on face value unintuitive.
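To make the reported false negative concrete, here is an added Python example (not the nuclei template's own matcher logic, and not code from the project). It models a minimal dangling-bucket check: a 404 with an S3 `NoSuchBucket` error body, and shows how an extra "skip hosts under amazonaws.com" condition suppresses exactly the case in the reproduction command while still catching a custom CNAME that resolves to a missing bucket. The response bodies are constructed samples, and the `SAMPLES` table, `bucket_from_host` and `is_dangling_bucket` names are this example's own.

```python
import re
from urllib.parse import urlparse

# Virtual-hosted-style S3 hostnames AWS uses:
#   <bucket>.s3.amazonaws.com
#   <bucket>.s3.<region>.amazonaws.com
#   <bucket>.s3-website-<region>.amazonaws.com (and s3-website.<region>)
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

# The error element S3 returns for a request to a bucket that does not exist.
NO_SUCH_BUCKET_RE = re.compile(r"<Code>\s*NoSuchBucket\s*</Code>")

# Constructed sample responses (status, body) keyed by the URL that was
# requested. These are illustrative, not captured output.
SAMPLES = {
    # The reproduction URL from the report: bucket absent, direct S3 host.
    "https://fakebucketaaz1.s3.amazonaws.com": (
        404,
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        "<Error><Code>NoSuchBucket</Code>"
        "<Message>The specified bucket does not exist</Message>"
        "<BucketName>fakebucketaaz1</BucketName></Error>",
    ),
    # A custom hostname CNAMEd to S3 whose bucket no longer exists.
    "https://cdn.example.com/": (
        404,
        "<Error><Code>NoSuchBucket</Code>"
        "<Message>The specified bucket does not exist</Message>"
        "<BucketName>cdn.example.com</BucketName></Error>",
    ),
    # An existing but private bucket: not dangling.
    "https://private.s3.eu-west-1.amazonaws.com": (
        403,
        "<Error><Code>AccessDenied</Code>"
        "<Message>Access Denied</Message></Error>",
    ),
    # An ordinary web server 404: not an S3 error at all.
    "https://www.example.com/missing": (404, "<html><body>Not Found</body></html>"),
}


def bucket_from_host(host):
    """Return the bucket name encoded in an S3 virtual-hosted hostname, or None."""
    m = S3_HOST_RE.match(host.lower())
    return m.group("bucket") if m else None


def is_dangling_bucket(url, status, body, skip_amazonaws_hosts=False):
    """True when the response looks like S3 answering for a non-existent bucket.

    skip_amazonaws_hosts reproduces the reported behaviour: any host under
    amazonaws.com is negated outright, so direct S3 endpoints are never flagged.
    """
    host = (urlparse(url).hostname or "").lower()
    if skip_amazonaws_hosts and host.endswith(".amazonaws.com"):
        return False
    if status != 404:
        return False
    return bool(NO_SUCH_BUCKET_RE.search(body))


def classify(samples, skip_amazonaws_hosts=False):
    """Map each sampled URL to whether it is flagged as a dangling bucket."""
    return {
        url: is_dangling_bucket(url, status, body, skip_amazonaws_hosts)
        for url, (status, body) in samples.items()
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"skip_amazonaws_hosts={mode}")
        for url, flagged in classify(SAMPLES, mode).items():
            bucket = bucket_from_host(urlparse(url).hostname or "")
            print(f"  {'FLAG ' if flagged else 'ok   '} {url}  bucket={bucket}")
```

Run as-is, the first pass flags both the direct S3 URL and the CNAME case; the second pass, with the amazonaws.com exclusion switched on, keeps the CNAME finding but drops the direct S3 URL, which is the gap described in the report.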


Labels: false-negative (Nuclei template missing valid results)
