{{#include ../../../../banners/hacktricks-training.md}}
For more information check:
{{#ref}} ../../aws-services/aws-elastic-beanstalk-enum.md {{#endref}}
Note that by default Beanstalk environments have the Metadatav1 disabled.
The format of the Beanstalk web pages is https://<webapp-name>-env.<region>.elasticbeanstalk.com/
Misconfigured security group rules can expose Elastic Beanstalk instances to the public. Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance.
If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can send requests directly to the load balancer. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments.
Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could download the application code and search for vulnerabilities or sensitive information.
aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table{{#include ../../../../banners/hacktricks-training.md}}