aws-cognito-misconfiguration-markers.yaml

id: aws-cognito-misconfiguration-markers

info:
  name: AWS Cognito Misconfiguration Markers
  author: nullenc0de
  severity: high
  description: Detects potential AWS Cognito misconfigurations by searching for sensitive markers in JavaScript files.
  reference: https://www.yassineaboukir.com/talks/NahamConEU2022.pdf
  tags: aws,cognito,misconfiguration,javascript

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - 'identityPoolId'
          - 'cognitoIdentityPoolId'
          - 'userPoolWebClientId'
          - 'userPoolId'
          - 'aws_user_pools_id'
          - 'aws_cognito_identity_pool_id'
        condition: or

      - type: word
        part: body
        words:
          - 'AWSCognitoIdentityProviderService'
          - 'CognitoIdentityCredentials'
          - 'AWS.CognitoIdentityServiceProvider'
          - 'cognitoUser'
        condition: or

    extractors:
      - type: regex
        part: body
        regex:
          - '(us|ap|ca|cn|eu|sa)-[a-z]+-\d:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'