Amazon Cognito (Mis)Configurations

Kavisha Sheth
November 29, 2021

Enterprises are increasingly running their IT and application infrastructure cloud-native. This fundamentally changes the security model and the enterprise threat landscape. Using Cognito for authentication is quite popular nowadays, especially in web and mobile apps: many web and mobile applications use Amazon Cognito or Identity Platform to manage authentication and authorization. However, a misconfigured Amazon Cognito deployment lets attackers make the most of that misconfiguration.

In this session, we will talk about:

* How AWS Cognito works
* What attack vectors to look for in AWS Cognito misconfigurations
* How attackers are able to exploit AWS Cognito misconfigurations
* Some tips for developer folks

Transcript

  1. Amazon Cognito (Mis)Configurations. Kavisha Sheth, @sheth_kavisha

  2. • Security Analyst at Appsecco.
     • Listed as a security researcher of the nation by NCIIPC RVDP.
     • Infosec speaker who has spoken at national and international conferences: @OWASP, @HackinParis, @Cocon2021, @Defcon (Cloud Village) and many more conferences/security events.
     • Lifelong learner who believes in sharing knowledge.
  3. Agenda
     • How Amazon Cognito works
     • What are the possible attack vectors
     • Exploitation
     • What are the root causes
     • What can be done
  4. How Amazon Cognito works: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/

  5. What are the possible attack vectors?
     • Hardcoded Identity Pool ID.
     • Identity Pool ID present in the HTTP response.
     • Liberal AWS permissions assigned.
     • Misconfigured AWS Cognito attributes.
     • AWS Cognito misconfigured to allow sign-up of new users.
  6. The disclosure of App Client ID, User Pool ID, Identity Pool ID, and Region information is not a misconfiguration, since these are not confidential values.
  7. Hardcoded Identity Pool ID: the value is disclosed in the HTTP response. Is this a security concern or not?
  8. Try to request an IdentityId as an unauthenticated identity. Verify whether it throws an error or not.
  9. No error, what's next?
     • Using the Identity Pool ID, generate our IdentityId.
     • From the IdentityId, generate a temporary AWS Access Key, Secret Key and Session Token.
     • API call to fetch temporary credentials: AWSCognitoIdentityService.GetCredentialsForIdentity.
     • Use a boto3 script: python get_creds.py "<region_id>" "<identity_pool_id>"
  10. Got temporary credentials, what's next?
     • Check if the tokens are working: aws sts get-caller-identity
     • Enumerate permissions (you can use the enumerate-iam tool).
     • Verify if you get any sensitive information or any interesting permission.
  11. Error! Access to unauthenticated identities was disabled: "NotAuthorizedException". Why?
     • What can be done: try to identify whether the application exposed some functionality unintentionally due to an AWS Cognito misconfiguration.
     • Run the Python script: python get_creds.py "<region_id>" "<identity_pool_id>"
  12. Client ID value is disclosed. Is this a security concern or not?

  13. From knowing only the Client ID to performing self-registration.

  14. From knowing the Client ID to performing self-registration (using the CLI)
     • AWS CLI command: aws with the cognito-idp option, which allows creating or modifying an application's user pool data.
     • Verify and check mail: the account verification code is sent to the attacker's e-mail address in order to activate the self-registered account.
     • After getting the code at the mentioned email ID, run the following commands (the first registers the user, the second confirms it with the code):
       aws cognito-idp sign-up --client-id <knownClientId value> --username <email ID of attacker> --password <password>
       aws cognito-idp confirm-sign-up --client-id <knownClientId value> --username <email ID of attacker> --confirmation-code <code>
  15. • Check whether self-registration was successful or not.
     • If self-registration is successful, try to log in to the victim's website with the newly registered account.
     • If able to register with the newly created account
  16. Using Burp Suite: look for the AWSCognitoIdentityService.ConfirmSignUp keyword and observe that a POST request is being made. Try to alter the email and password values in the request and see if you are able to perform the action successfully.
  17. Approach
     • Check if the confirmation email was sent to the attacker-specified email along with the confirmation code.
     • Check if the user account can be confirmed from the token/code received on the registered email.
     • Check if the application validated the newly created user and allowed the sign-up.
  18. What went wrong? Allowing users to sign up themselves; the Client ID value is disclosed.
  19. What can be done? Only allow administrators to create users.

  20. Why the Client ID is not really the issue
     • Try to run the following cognito-idp command:
       aws cognito-idp sign-up --client-id <ClientId value> --username <email ID of attacker> --password <password>
     • Observed that it throws an Unauthorized error, which confirms that the user is not allowed to register himself.
     • The self-registration workflow is no longer accessible to anonymous users!
  21. How, with the help of a misconfigured attribute, can an attacker perform privilege escalation?
  22. The IdToken contains claims about the identity of the authenticated user, such as name, email, and phone_number. The AccessToken contains scopes and groups information and is used to grant access to authorized resources.
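The following is an added example, not part of the deck, showing why the distinction between the two tokens matters for the privilege-escalation case that follows. An application that decides "is this user an admin" from a custom attribute surfaced in the IdToken is trusting a value the user may be able to rewrite with UpdateUserAttributes; deciding from the `cognito:groups` claim of the AccessToken relies on group membership, which only administrator API calls can change. The tokens below are constructed, unsigned samples shaped like real Cognito tokens; the group name `admins` and client id are placeholders, and signature verification against the user pool's JWKS is assumed to have happened before these functions are called.

```python
# Added example (not from the slides): an authorization check built on the two Cognito
# tokens described above. Sample tokens are constructed inline and unsigned; in a real
# deployment the RS256 signature must first be verified against the user pool's JWKS.
import base64
import json
from typing import Tuple

ADMIN_GROUP = "admins"  # assumed group name; use whatever the pool actually defines


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Does NOT verify the signature; the caller
    is assumed to have verified issuer, kid and signature beforehand."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for the demo (constructed, never valid)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample-kid'})}.{enc(claims)}.signature"


def is_admin_vulnerable(id_claims: dict) -> bool:
    """The pattern the deck exploits: trust a custom attribute carried in the IdToken.
    If the app client may write custom:isAdmin, the user sets it with
    UpdateUserAttributes, logs in again and arrives here with the flag "true"."""
    return id_claims.get("custom:isAdmin") == "true"


def is_admin_hardened(access_claims: dict, expected_client_id: str) -> bool:
    """Decide from the AccessToken's cognito:groups claim instead. Group membership is
    changed only by administrator calls (AdminAddUserToGroup), never by the user."""
    if access_claims.get("token_use") != "access":
        return False  # an IdToken or something else was passed in
    if access_claims.get("client_id") != expected_client_id:
        return False  # token minted for a different app client
    return ADMIN_GROUP in access_claims.get("cognito:groups", [])


# Constructed sample claims (placeholder ids), shaped like real Cognito tokens.
CLIENT_ID = "1example23456789"
ID_TOKEN = make_sample_token({
    "token_use": "id", "aud": CLIENT_ID, "sub": "sample-sub",
    "email": "user@example.com",
    "custom:isAdmin": "true",  # the value the user set on themselves
})
ACCESS_TOKEN = make_sample_token({
    "token_use": "access", "client_id": CLIENT_ID, "username": "user",
    # this scope is what lets the access token call UpdateUserAttributes
    "scope": "aws.cognito.signin.user.admin",
    "cognito:groups": ["readers"],
})


def demo() -> Tuple[bool, bool]:
    """Return (vulnerable decision, hardened decision) for the same user."""
    return (is_admin_vulnerable(decode_claims(ID_TOKEN)),
            is_admin_hardened(decode_claims(ACCESS_TOKEN), CLIENT_ID))


if __name__ == "__main__":
    print(demo())  # (True, False): the self-set flag grants admin, the group check does not
```

The hardened check also rejects an IdToken handed in where an AccessToken was expected, and a token minted for another app client, two mix-ups that would otherwise let identity claims stand in for authorization claims.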
  23. Exploitation scenario
     • List user attributes using the AWS command-line interface: aws cognito-idp get-user --access-token $token
     • Look for custom user attributes.
     • A custom user attribute is created by an application developer when the built-in standard user attributes are not sufficient or applicable, e.g. adding a boolean isAdmin flag or a role to your User object.
  24. Custom user attribute (list user attributes): gets the user attributes and metadata for a user in a Cognito user pool. The command returns an array of name-value pairs that represent user attributes.
  25. Try to update a user attribute value
     • Run the following command to update a user custom attribute:
       aws cognito-idp update-user-attributes --access-token <token> --user-attributes Name="custom:isAdmin",Value="true"
     • Verify if the command returns a successful update of the user's custom:isAdmin attribute, updating it to true!!!
     • If the attempt to update the custom:isAdmin attribute fails with the error NotAuthorizedException, this confirms that the attribute is set to read-only access.
  26. Approach
     • Check if custom user attributes are present (list user attributes).
     • Check if you are able to update the user attribute value successfully.
     • Try to re-attempt login.
     • Verify if the user is able to perform actions as an admin.
  27. What was causing the issue? The custom user attribute is writable.
  28. What can be done? Update the configuration by unchecking the custom:isAdmin attribute's write checkbox and verify that the attribute has read-only access. Re-running
       aws cognito-idp update-user-attributes --access-token <token> --user-attributes Name="custom:isAdmin",Value="true"
     now no longer updates the value of the user attribute and throws the error "NotAuthorizedException".
  29. Approach: list user attributes, see if a custom user attribute is present, try to update the custom user attribute value.
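The deck identifies three root causes: an identity pool that allows unauthenticated identities (slides 7 to 11), a user pool that permits self sign-up (slides 18 and 19), and a custom attribute an app client is allowed to write (slides 27 and 28). Below is an added example, not from the deck, that audits all three from the configuration side. The checks operate on the plain response dicts of the Cognito DescribeIdentityPool, DescribeUserPool and DescribeUserPoolClient APIs, so they run offline on the constructed samples included here; `audit_live()` shows how to feed them real data with boto3 and is the only part that needs AWS credentials. All pool and client ids in the samples are placeholders.

```python
# Added example (not from the slides): offline audit of the three Cognito root causes the
# deck walks through. Input shapes follow the DescribeIdentityPool, DescribeUserPool and
# DescribeUserPoolClient API responses; the sample dicts at the bottom are constructed.
from typing import Iterable, List


def audit_identity_pool(pool: dict) -> List[str]:
    """An identity pool that allows unauthenticated identities hands temporary AWS
    credentials to anyone holding the (public) Identity Pool ID."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities", False):
        findings.append(
            f"{pool['IdentityPoolId']}: AllowUnauthenticatedIdentities=true; "
            "disable it or minimise the unauthenticated role's IAM permissions"
        )
    return findings


def audit_user_pool(pool: dict, clients: Iterable[dict]) -> List[str]:
    """Self sign-up enabled, and mutable custom attributes an app client may write.
    A custom attribute that drives authorization must not be writable by the user."""
    findings = []
    pool_id = pool["Id"]
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append(f"{pool_id}: self-registration enabled (AllowAdminCreateUserOnly=false)")
    # Custom attributes the pool schema lets anyone change after creation.
    mutable_custom = {
        attr["Name"] for attr in pool.get("SchemaAttributes", [])
        if attr["Name"].startswith("custom:") and attr.get("Mutable", False)
    }
    for client in clients:
        # Only attributes in the client's WriteAttributes can be set via UpdateUserAttributes.
        writable = set(client.get("WriteAttributes", [])) & mutable_custom
        for name in sorted(writable):
            findings.append(
                f"{pool_id}/{client['ClientId']}: app client may write {name} via "
                "UpdateUserAttributes; make it read-only for this client"
            )
    return findings


def audit_live(region: str, identity_pool_ids: Iterable[str], user_pool_ids: Iterable[str]) -> List[str]:
    """Run the same checks against a live account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline demo does not depend on it
    ci = boto3.client("cognito-identity", region_name=region)
    idp = boto3.client("cognito-idp", region_name=region)
    findings = []
    for ipid in identity_pool_ids:
        findings += audit_identity_pool(ci.describe_identity_pool(IdentityPoolId=ipid))
    for upid in user_pool_ids:
        pool = idp.describe_user_pool(UserPoolId=upid)["UserPool"]
        summaries = idp.list_user_pool_clients(UserPoolId=upid, MaxResults=60)["UserPoolClients"]
        clients = [
            idp.describe_user_pool_client(UserPoolId=upid, ClientId=s["ClientId"])["UserPoolClient"]
            for s in summaries
        ]
        findings += audit_user_pool(pool, clients)
    return findings


# Constructed samples (placeholder ids) shaped like the real API responses.
WEAK_IDENTITY_POOL = {"IdentityPoolId": "us-east-1:00000000-placeholder",
                      "AllowUnauthenticatedIdentities": True}
WEAK_USER_POOL = {
    "Id": "us-east-1_PLACEHOLDER",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "SchemaAttributes": [
        {"Name": "email", "Mutable": True},
        {"Name": "custom:isAdmin", "Mutable": True},
    ],
}
WEAK_CLIENT = {"ClientId": "1example23456789", "WriteAttributes": ["email", "custom:isAdmin"]}

# The hardened shape the deck recommends: admin-only user creation, isAdmin read-only.
HARDENED_USER_POOL = {**WEAK_USER_POOL, "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}
HARDENED_CLIENT = {"ClientId": "1example23456789", "WriteAttributes": ["email"]}


def demo() -> List[str]:
    """Findings for the weak configuration: one per root cause."""
    return audit_identity_pool(WEAK_IDENTITY_POOL) + audit_user_pool(WEAK_USER_POOL, [WEAK_CLIENT])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The same three settings are what the deck's CLI checks probe from the outside (GetCredentialsForIdentity, sign-up, update-user-attributes); auditing them directly from the configuration catches the misconfiguration before it is reachable from an application.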
  30. Q/A @sheth_kavisha

  31. References
     • https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
     • https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of-aws-cognito-security.pdf
     • https://curlsandbun.medium.com/compromising-s3-buckets-through-misconfigured-aws-cognito-e23f08b2f475
     • https://github.com/andresriancho/enumerate-iam
     • https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
  32. Get in touch at
     • Twitter: @sheth_kavisha, https://twitter.com/sheth_kavisha
     • LinkedIn: Kavisha Sheth, https://in.linkedin.com/in/kavisha-sheth
  33. Kavisha Sheth