IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: https://github.com/assetnote/n...
Newtowner allows you to quickly spin up a GitHub action, Gitlab CI pipeline, Bitbucket pipeline, AWS API Gateway, or AWS EC2 instance to check a diff between your home connection and the remote connection for one or more URLs.
Mutual TLS? Not when you’re coming from AWS
404 not found? Not when you’re coming from AWS
We scanned 18,206,880 (us-east-1 AWS) hosts from outside of us-east-1 AWS on port 443, using masscan. This returned 2,574,114 hosts with port 443 open. We used zgrab2 to issue HTTP requests to all assets on port 443 (TLS) from outside AWS and inside AWS (us-east-1).
From a single scan, we found around 7000 instances where traffic was different when coming from us-east-1, as compared to outside of us-east-1/AWS. Some of the largest companies in the world have borked their IP whitelisting rules.
One reason this issue is widespread is that vendors and SaaS platforms ask you to broadly whitelist ranges. For example, Gitlab's official advice is to whitelist the entire GCP region that their shared runners are in, and doing so leaves you exposed.
This issue isn't just limited to ingress, but also egress traffic out. So next time you have an SSRF or out-of-band based attack, give this technique a go! We plan to present this in more detail in the future. (end thread).
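The thread's point is that allowlisting a whole cloud region (or any address a cloud tenant can obtain) admits every other tenant of that provider. As an added example that is not Newtowner or Assetnote code, the script below audits a list of allowlist CIDRs against cloud-published ranges in the shape of AWS's ip-ranges.json; the prefixes used are constructed sample data, not real AWS ranges, and the allowlist format is an assumption.

```python
"""Audit an IP allowlist against published cloud provider prefixes.

Added example, not Newtowner code. Assumes the allowlist is a list of CIDR
strings and the cloud data follows the ip-ranges.json layout ("prefixes" list
with ip_prefix/region/service). Sample prefixes are constructed (RFC 5737
documentation ranges), not real AWS allocations.
"""
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_CLOUD_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ]
})


def load_cloud_prefixes(raw_json):
    """Parse ip-ranges.json-style data into (network, region, service) tuples."""
    data = json.loads(raw_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def audit_allowlist(allowlist, cloud_prefixes):
    """Return one finding per allowlist rule that overlaps a cloud prefix.

    CIDR blocks are either nested or disjoint, so an overlap means one fully
    contains the other; the number of shared addresses is the smaller block.
    A rule that covers the entire cloud prefix is flagged 'region-wide':
    any tenant launching in that region can obtain an allowed address.
    A single-host rule inside a cloud range is still shared infrastructure,
    because the address can be released and reassigned to another tenant.
    """
    findings = []
    for entry in allowlist:
        rule = ipaddress.ip_network(entry, strict=False)
        for prefix, region, service in cloud_prefixes:
            if rule.version == prefix.version and rule.overlaps(prefix):
                shared = min(rule.num_addresses, prefix.num_addresses)
                findings.append({
                    "rule": str(rule),
                    "cloud_prefix": str(prefix),
                    "region": region,
                    "service": service,
                    "addresses_in_common": shared,
                    "severity": "region-wide" if shared == prefix.num_addresses
                                else "shared-host",
                })
    return findings
```

Run against a real allowlist by replacing SAMPLE_CLOUD_RANGES with the provider's published JSON; any "region-wide" finding is exactly the Gitlab-style advice the thread warns about.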