Slide 1

Amazon Cognito (Mis)Configurations
Kavisha Sheth @sheth_kavisha

Slide 2

● Security Analyst at Appsecco.
● Listed as a security researcher of the nation by NCIIPC RVDP.
● Infosec speaker who has spoken at national and international conferences - @OWASP, @HackinParis, @Cocon2021, @Defcon (Cloud Village) and many more conferences/security events.
● Lifelong learner who believes in sharing knowledge.

Slide 3

Agenda
● How Amazon Cognito works
● What are the possible attack vectors
● Exploitation
● What are the root causes
● What can be done

Slide 4

How Amazon Cognito works
https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/

Slide 5

What are the possible attack vectors?
● Hardcoded Identity Pool ID.
● Identity Pool ID present in an HTTP response.
● Liberal AWS permissions have been assigned.
● Misconfigured AWS Cognito attributes.
● AWS Cognito misconfigured to allow sign-up of new users.

Slide 6

The disclosure of App Client ID, User Pool ID, Identity Pool ID, and Region information is not a misconfiguration since these are not confidential values

Slide 7

Hardcoded Identity Pool ID: the value is disclosed in an HTTP response. Is this a security concern or not?

Slide 8

Try to request an IdentityId as an unauthenticated identity. Verify whether it throws an error or not.

Slide 9

No error, what's next?
● Using the Identity Pool ID, generate our IdentityId.
● From the IdentityId, generate a temporary AWS Access Key, Secret Key and Session Token.
● API call to fetch temporary credentials: AWSCognitoIdentityService.GetCredentialsForIdentity
● Use the boto script: run the Python script python get_creds.py "" ""

Slide 10

Got temporary credentials, what's next?
● Check whether the tokens are working: aws sts get-caller-identity
● Enumerate permissions (you can use the enumerate-iam tool).
● Verify whether you get any sensitive information or any interesting permissions.

Slide 11

Error! Access to unauthenticated identities was disabled: "NotAuthorizedException"
Why? What can be done?
● Try to identify whether the application unintentionally exposed some functionality due to an AWS Cognito misconfiguration.
● Run the Python script: python get_creds.py "" ""
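The defender-side check for the identity pool path covered on the preceding slides, as an added example that is not part of the talk: it inspects already-fetched DescribeIdentityPool, GetIdentityPoolRoles and unauthenticated-role policy documents (constructed samples here, so it runs offline without boto3) and flags guest access plus wildcard permissions on the guest role. The pool ID, account number and role name are placeholders.

```python
# Added example (not from the talk): audit identity-pool settings for the root
# causes behind the unauthenticated-credentials path on the slides. It runs over
# already-fetched responses (constructed samples below), so no AWS access is needed.

# Actions the console-generated default unauthenticated role already grants;
# they are baseline, so only wildcard actions beyond them are reported.
BASELINE_ACTIONS = {"mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"}

# Constructed sample pool with guest (unauthenticated) identities enabled.
IDENTITY_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-4000-8000-000000000000",  # placeholder
    "AllowUnauthenticatedIdentities": True,
}
POOL_ROLES = {"Roles": {"unauthenticated": "arn:aws:iam::123456789012:role/sample_unauth"}}
# Constructed sample policy on the unauthenticated role; the second statement
# is the kind of liberal grant the attack-vector slide refers to.
UNAUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def wildcard_grants(policy):
    """Return wildcard actions ("*" or "service:*") allowed on Resource "*"."""
    grants = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in BASELINE_ACTIONS and (action == "*" or action.endswith(":*")):
                grants.append(action)
    return grants

def audit_identity_pool(pool, roles, unauth_policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities"):
        findings.append("AllowUnauthenticatedIdentities is true: anyone holding the "
                        "identity pool ID can obtain temporary credentials")
    if "unauthenticated" in roles.get("Roles", {}):
        for action in wildcard_grants(unauth_policy):
            findings.append(f"unauthenticated role allows {action} on Resource *")
    return findings
```

With boto3 the same dicts come from describe_identity_pool(), get_identity_pool_roles() and the role's policy documents; the guest-access finding alone is a design choice, the combination with a wildcard grant is the condition the slides exploit.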

Slide 12

Client ID value is disclosed. Is this a security concern or not?

Slide 13

From knowing only ClientID to performing self-registration

Slide 14

From knowing the Client ID to performing self-registration using the CLI
● The AWS CLI command aws with the cognito-idp option allows creating or modifying an application's user pool data.
● Verify and check the mailbox: the account verification code is sent to the e-mail address in order to activate the self-registered account.
● After getting the code at the mentioned email address, run the following commands:
aws cognito-idp sign-up --client-id <known ClientId value> --username <username> --password <password>
aws cognito-idp confirm-sign-up --client-id <known ClientId value> --username <username> --confirmation-code <code>

Slide 15

● Check whether self-registration was successful or not.
● If self-registration is successful, attempt to log in to the victim's website with the newly registered account.
● If able to register with the newly created account

Slide 16

Using Burp Suite
● Look for the AWSCognitoIdentityService.ConfirmSignUp keyword and observe that a POST request is being made.
● Try to alter the email and password values in the request and see whether you are able to perform the action successfully.

Slide 17

Approach
● Check whether the confirmation email was sent to the attacker-specified email address along with the confirmation code.
● Check whether the user account can be confirmed with the token/code received at the registered email address.
● Check whether the application validated the newly created user and allowed it to sign up.

Slide 18

What went wrong?
● Allowing users to sign up themselves.
● The Client ID value is disclosed.

Slide 19

What can be done?
● Only allow administrators to create users.

Slide 20

Why is the Client ID not really the issue?
● Try to run the following cognito-idp command:
aws cognito-idp sign-up --client-id <ClientId value> --username <username> --password <password>
● Observe that it throws an Unauthorized error, which confirms that users are not allowed to register themselves.
● The self-registration workflow is no longer accessible to anonymous users!

Slide 21

How can a misconfigured attribute allow an attacker to perform privilege escalation?

Slide 22

The IdToken contains claims about the identity of the authenticated user, such as name, email, and phone_number. The AccessToken contains scopes and group information and is used to grant access to authorized resources.

Slide 23

Exploitation scenario
● List user attributes using the AWS command-line interface:
aws cognito-idp get-user --access-token $token
● Look for custom user attributes.
● A custom user attribute is created by an application developer when the built-in standard user attributes are not sufficient or applicable, e.g. adding a boolean isAdmin flag or a role to your User object.

Slide 24

List user attributes
● Custom user attribute: get-user gets the user attributes and metadata for a user in a Cognito user pool.
● The command returns an array of name-value pairs that represent user attributes.

Slide 25

Try to update the user attribute value
● Run the following command to update the user's custom attribute:
aws cognito-idp update-user-attributes --access-token $token --user-attributes Name="custom:isAdmin",Value="true"
● Verify whether the command returns a successful update of the user's custom:isAdmin attribute, setting it to true!!!
● If the attempt to update the custom:isAdmin attribute fails with the error NotAuthorizedException, then confirm that the attribute is set to read-only access.

Slide 26

Approach
● List user attributes.
● Check whether custom user attributes are present.
● Check whether you are able to update the user attribute value successfully.
● Try to re-attempt login.
● Verify whether the user is able to perform actions as an admin.

Slide 27

What was causing the issue?
● The custom user attribute is writable.

Slide 28

What can be done?
● Uncheck the custom:isAdmin attribute's write checkbox and verify that the attribute has read-only access.
● Re-run: aws cognito-idp update-user-attributes --access-token $token --user-attributes Name="custom:isAdmin",Value="true"
● Observe that it no longer allows updating the value of the user attribute and throws the error "NotAuthorizedException".
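An added example, not from the talk, that checks for both root causes the user-pool slides identify (self sign-up enabled, and a custom attribute the app client may write): it audits already-fetched DescribeUserPool and DescribeUserPoolClient responses, constructed here so it runs offline without boto3. The pool ID, client ID and attribute names are placeholders; the write list is where the "write" checkbox from the previous slide ends up.

```python
# Added example (not from the talk): audit a user pool and one of its app
# clients for the two root causes on the slides. Works on already-fetched
# responses shaped like describe_user_pool() / describe_user_pool_client(),
# so it runs offline; every value below is a constructed sample.

# Constructed sample: the pool allows self sign-up and defines two custom attributes.
USER_POOL = {"UserPool": {
    "Id": "us-east-1_EXAMPLEPOOL",  # placeholder pool id
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "SchemaAttributes": [
        {"Name": "email", "AttributeDataType": "String", "Mutable": True},
        {"Name": "custom:isAdmin", "AttributeDataType": "Boolean", "Mutable": True},
        {"Name": "custom:tenant", "AttributeDataType": "String", "Mutable": False},
    ],
}}
# Constructed sample app client: the write checkbox is ticked for custom:isAdmin,
# which is exactly what the slides' update-user-attributes call needs.
APP_CLIENT = {"UserPoolClient": {
    "ClientId": "EXAMPLECLIENTID0000000000",  # placeholder
    "ReadAttributes": ["email", "custom:isAdmin", "custom:tenant"],
    "WriteAttributes": ["email", "custom:isAdmin"],
}}

def audit_user_pool(pool_resp, client_resp):
    """Return human-readable findings; an empty list means nothing was flagged."""
    pool = pool_resp["UserPool"]
    client = client_resp["UserPoolClient"]
    findings = []
    # Root cause 1: anyone holding the client ID can call SignUp unless
    # user creation is restricted to administrators.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("AllowAdminCreateUserOnly is false: anyone holding app client "
                        f"{client['ClientId']} can call SignUp")
    # Root cause 2: a custom attribute in the app client's write list can be
    # set by the user (update-user-attributes, or at sign-up if immutable).
    writable = set(client.get("WriteAttributes", []))
    for attr in pool.get("SchemaAttributes", []):
        name = attr["Name"]
        if name.startswith("custom:") and name in writable:
            findings.append(f"{name} is writable through app client {client['ClientId']}; "
                            "untick its write permission so the attribute is read-only")
    return findings
```

Run it over every app client of the pool, not just one: each client has its own read/write attribute list, so a second client left with the write permission keeps the escalation path open.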

Slide 29

Approach
● List user attributes.
● See whether a custom user attribute is present.
● Try to update the custom user attribute value.

Slide 30

Q/A @sheth_kavisha

Slide 31

References
● https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
● https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of-aws-cognito-security.pdf
● https://curlsandbun.medium.com/compromising-s3-buckets-through-misconfigured-aws-cognito-e23f08b2f475
● https://github.com/andresriancho/enumerate-iam
● https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

Slide 32

Get in touch at
● Twitter - @sheth_kavisha https://twitter.com/sheth_kavisha
● LinkedIn - Kavisha-sheth https://in.linkedin.com/in/kavisha-sheth

Slide 33

Kavisha Sheth