
Amazon Cognito (Mis)Configurations

Kavisha Sheth
November 29, 2021


Enterprises are increasingly running their IT and application infrastructure cloud-native, which fundamentally changes their security models and threat landscape. Using Amazon Cognito for authentication has become popular, especially in web and mobile apps, and many web and mobile applications rely on Amazon Cognito or Identity Platform to manage authentication and authorization. However, a misconfigured Amazon Cognito setup allows attackers to make the most of that misconfiguration.

In this session, we will talk about:

* How AWS Cognito works
* Which attack vectors to look for in an AWS Cognito misconfiguration
* How attackers are able to exploit AWS Cognito misconfigurations
* Some tips for developers


Transcript

  1. • Security Analyst at Appsecco.
     • Listed as a security researcher of the nation by NCIIPC RVDP.
     • Infosec speaker who has spoken at national and international conferences - @OWASP, @HackinParis, @Cocon2021, @Defcon (Cloud Village) and many more conferences and security events.
     • Lifelong learner who believes in sharing knowledge.
  2. Agenda
     • How Amazon Cognito works
     • What are the possible attack vectors
     • Exploitation
     • What are the root causes
     • What can be done
  3. What are the possible attack vectors?
     • Hardcoded Identity Pool ID.
     • Identity Pool ID present in an HTTP response.
     • Overly permissive AWS permissions have been assigned.
     • Misconfigured AWS Cognito attributes.
     • AWS Cognito misconfigured to allow sign-up of new users.
  4. The disclosure of the App Client ID, User Pool ID, Identity Pool ID and Region information is not a misconfiguration in itself, since these are not confidential values.
  5. No error, what's next?
     • Using the IdentityPoolID, generate our IdentityID.
     • From the IdentityID, generate a temporary AWS Access Key, Secret Key and Session Token.
     • API call to fetch the temporary credentials: AWSCognitoIdentityService.GetCredentialsForIdentity
     • Use a boto script. Run the Python script:
       python get_creds.py "<region_id>" "<identity_pool_id>"
  6. Got temporary credentials, what's next?
     • Check that the tokens are working: aws sts get-caller-identity
     • Enumerate permissions (you can use the enumerate-iam tool).
     • Verify whether you get any sensitive information or any interesting permission.
  7. Error! Access to unauthenticated identities was disabled ("NotAuthorizedException").
     Why? What can be done?
     • Try to identify whether the application exposed some functionality unintentionally due to an AWS Cognito misconfiguration.
     • Run the Python script: python get_creds.py "<region_id>" "<identity_pool_id>"
  8. From knowing the ClientID to performing self-registration (using the CLI)
     • AWS CLI command: aws with the cognito-idp option, which allows creating or modifying an application's user pool data.
     • Sign up (the sign-up step takes a password; confirm-sign-up takes the confirmation code):
       aws cognito-idp sign-up --client-id <known ClientId value> --username <email of attacker> --password <password>
     • Verify and check mail: the account verification code is sent to the given e-mail address in order to activate the self-registered account.
     • After receiving the code at that email address, run:
       aws cognito-idp confirm-sign-up --client-id <known ClientId value> --username <email of attacker> --confirmation-code <code>
  9. • Check whether self-registration was successful or not.
     • If self-registration is successful, try to log in to the victim's website with the newly registered account.
     • If able to register with the newly created account.
  10. Using Burp Suite
      • Look for the AWSCognitoIdentityService.ConfirmSignUp keyword and observe that a POST request is being made.
      • Try to alter the email and password values in the request and see whether the action still succeeds.
  11. Approach
      • Check whether the confirmation email was sent to the attacker-specified address along with the confirmation code.
      • Check whether the user account can be confirmed with the token/code received at the registered email.
      • Check whether the application validated the newly created user and allowed the sign-up.
  12. Why is the ClientID not really an issue?
      • Try to run the following cognito-idp command:
        aws cognito-idp sign-up --client-id <ClientId value> --username <email of attacker> --password <password>
      • Observe that it throws an Unauthorized error, which confirms that users are not allowed to register themselves.
      • The self-registration workflow is no longer accessible to anonymous users!
  13. The IdToken contains claims about the identity of the authenticated user, such as name, email and phone_number. The AccessToken contains scopes and group information and is used to grant access to authorized resources.
  14. Exploitation scenario
      • List user attributes using the AWS command-line interface:
        aws cognito-idp get-user --access-token $token
      • Look for custom user attributes.
      • A custom user attribute is created by an application developer when the built-in standard user attributes are not sufficient or applicable, e.g. adding a boolean isAdmin flag or a role to your User object.
  15. Custom user attribute
      • List user attributes: gets the user attributes and metadata for a user in a Cognito user pool.
      • The command returns an array of name-value pairs that represent the user attributes.
  16. Try to update the user attribute value
      • Run the following command to update the user's custom attribute:
        aws cognito-idp update-user-attributes --access-token <token> --user-attributes Name="custom:isAdmin",Value="true"
      • Verify whether the command returns a successful update of the user's custom:isAdmin attribute, setting it to true!!!
      • If the attempt to update the custom:isAdmin attribute fails with the error NotAuthorizedException, that confirms the attribute is set to read-only access.
  17. Approach
      • List user attributes.
      • Check whether custom user attributes are present.
      • Check whether you are able to update the user attribute value successfully.
      • Try to re-attempt login.
      • Verify whether the user is able to perform actions as an admin.
  18. What can be done?
      • Uncheck the custom:isAdmin attribute's write check box (the app client's attribute write permission) and verify that the attribute now has read-only access.
      • Re-run: aws cognito-idp update-user-attributes --access-token <token> --user-attributes Name="custom:isAdmin",Value="true"
      • Observe that it no longer allows updating the user attribute value and throws the error "NotAuthorizedException".
  19. Approach
      • List user attributes.
      • See whether a custom user attribute is present.
      • Try to update the custom user attribute value.
  20. Get in touch
      • Twitter - @sheth_kavisha https://twitter.com/sheth_kavisha
      • LinkedIn - Kavisha-sheth https://in.linkedin.com/in/kavisha-sheth
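The three misconfigurations the deck walks through (an identity pool with unauthenticated access enabled, a user pool that still allows self sign-up, and an app client that can write an authorization-bearing custom attribute such as custom:isAdmin) can all be checked from the account owner's side before anyone else finds them. The following is an added example, not code from the talk or from AWS: it contains the audit logic as plain functions over the dicts that the real boto3 calls return (cognito-identity describe_identity_pool, cognito-idp describe_user_pool and describe_user_pool_client), with constructed sample responses so it runs offline. The pool, client and attribute IDs are placeholders, and the treatment of a client with no explicit WriteAttributes list as "can write everything" is an assumption based on the console default.

```python
# Added example (not part of the original deck): defender-side audit of the
# Cognito settings the talk exploits. Each function takes the plain dict that
# the corresponding boto3 call returns, so the checks run offline against the
# constructed sample responses below:
#   cognito-identity  describe_identity_pool(IdentityPoolId=...)
#   cognito-idp       describe_user_pool(UserPoolId=...)["UserPool"]
#   cognito-idp       describe_user_pool_client(UserPoolId=..., ClientId=...)["UserPoolClient"]
from typing import Dict, List, Optional


def audit_identity_pool(pool: Dict) -> List[str]:
    """Slides 5-7: an identity pool that allows unauthenticated identities hands
    temporary AWS credentials to anyone who knows the (public) pool ID."""
    findings: List[str] = []
    if pool.get("AllowUnauthenticatedIdentities"):
        findings.append(
            f"{pool['IdentityPoolId']}: unauthenticated identities enabled; the "
            "pool ID alone yields credentials for the unauthenticated role"
        )
    return findings


def audit_user_pool(pool: Dict) -> List[str]:
    """Slides 8-12: self-registration is open unless user creation is restricted
    to administrators (AdminCreateUserConfig.AllowAdminCreateUserOnly)."""
    findings: List[str] = []
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append(
            f"{pool['Id']}: self sign-up enabled; anyone with an app client ID "
            "can call SignUp / ConfirmSignUp"
        )
    return findings


def audit_app_client(client: Dict, sensitive: List[str]) -> List[str]:
    """Slides 14-18: if the app client may write a custom attribute that the app
    uses for authorization, any logged-in user can set it on themselves with
    UpdateUserAttributes. Assumption: a client with no explicit WriteAttributes
    list is treated as able to write every mutable attribute (console default)."""
    findings: List[str] = []
    writable: Optional[List[str]] = client.get("WriteAttributes")
    for attr in sensitive:
        if writable is None or attr in writable:
            findings.append(
                f"{client['ClientId']}: app client can write {attr}; make it "
                "read-only for this client so only a backend admin call can set it"
            )
    return findings


def custom_attributes(pool: Dict) -> List[str]:
    """Developer-defined attributes in the pool schema carry the custom: prefix."""
    return [a["Name"] for a in pool.get("SchemaAttributes", []) if a["Name"].startswith("custom:")]


def run_audit(identity_pool: Dict, user_pool: Dict, app_client: Dict) -> List[str]:
    """Combine the three checks; the attributes to protect come from the pool schema."""
    return (
        audit_identity_pool(identity_pool)
        + audit_user_pool(user_pool)
        + audit_app_client(app_client, custom_attributes(user_pool))
    )


# --- constructed sample responses (shapes follow the real API; IDs are placeholders) ---
SAMPLE_IDENTITY_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "IdentityPoolName": "example_pool",
    "AllowUnauthenticatedIdentities": True,
}

SAMPLE_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "SchemaAttributes": [
        {"Name": "email", "Mutable": True, "Required": True},
        {"Name": "custom:isAdmin", "Mutable": True, "Required": False},
    ],
}

# Weak client can write custom:isAdmin; the fixed one has it removed (slide 18).
SAMPLE_CLIENT_WEAK = {"ClientId": "exampleclientid000", "WriteAttributes": ["email", "custom:isAdmin"]}
SAMPLE_CLIENT_FIXED = {"ClientId": "exampleclientid000", "WriteAttributes": ["email"]}


if __name__ == "__main__":
    for line in run_audit(SAMPLE_IDENTITY_POOL, SAMPLE_USER_POOL, SAMPLE_CLIENT_WEAK):
        print("FINDING:", line)
    print("after fixing the app client:")
    for line in run_audit(SAMPLE_IDENTITY_POOL, SAMPLE_USER_POOL, SAMPLE_CLIENT_FIXED):
        print("FINDING:", line)
```

To run it against a real account, replace the sample dicts with the output of the boto3 calls named in the header comment and feed every app client of the pool through audit_app_client; the attribute-level fix is exactly the write check box from slide 18, while the other two findings map to the identity pool's unauthenticated-access toggle and the user pool's self sign-up setting.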