SlideShare uma empresa Scribd logo

Hunting AWS Cognito Security Misconfigurations

S
seed4mexyz

1. The document discusses security misconfigurations that can occur when using Amazon Cognito for user authentication. 2. It describes how an unauthenticated user could potentially access AWS services by fetching temporary credentials from an identity pool if the unauthenticated role is not disabled. 3. It also explains how an attacker could bypass authentication by enabling user signup if that API action is not disabled for applications that do not require signup. 4. Additional misconfigurations discussed include privilege escalation through writable user attributes, and updating a user's email attribute before verification which could allow bypassing authorization checks.

Tecnologia
1 de 38
Baixar para ler offline
Hunting For AWS Cognito Security Misconfigurations Yassine Aboukir (@yassineaboukir)
Introduction Yassine Aboukir (@yassineaboukir) ● Application security consultant. ● Pentester at HackerOne. ● Bug Bounties (since 2014): HackerOne Top 20, H1-303 MVH & 1st place. ● ex- HackerOne Triage (2017 - 2019). ● Digital nomad (5 years & Over 40 countries).
Introduction to AWS Cognito With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web and mobile applications. Amazon Cognito provides an identity store that scales to millions of users, supports social and enterprise identity federation, and offers advanced security features to protect your consumers and business. Source: https://aws.amazon.com/cognito/
Introduction to AWS Cognito Amazon Cognito makes it easier for you to manage user identities, authentication, and permissions. It consists of two main components: ● User Pools: allow sign-in and sign-up functionality. ● Identity Pools: allow authenticated and unauthenticated users to access AWS resources using temporary AWS credentials.
Introduction to AWS Cognito Source: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
How to tell if an application is using Amazon Cognito? API calls to AWS Cognito API endpoint ● Yellow: API calls to user pool. ● Green: API calls to identity pool.
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user To generate the AWS credentials, we need to find Identity Pool ID which is usually hardcoded in the source code, in a bundled JS file or in HTTP response. Other useful information that you can find: ● Client ID ● User Pool ID ● Region Identity Pool ID Client ID User Pool ID Region
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Using Burpsuite, search for a variation of the following keywords in the HTTP history: Aws_cognito_identity_pool_id identityPoolId cognitoIdentityPoolId userPoolWebClientId userPoolId aws_user_pools_id These hardcoded IDs aren’t considered sensitive on their own!
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the Pool Identity ID to generate an Identity ID. Use AWS-Cli (https://github.com/aws/aws-cli) as follows: $ aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region <region>
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the previous Identity ID to generate AWS credentials. Use AWS Cli as follows: $ aws cognito-identity get-credentials-for-identity --identity-id <identity-id> --region <region>
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Now, we can enumerate permissions associated with these credentials using a tool such as: ● Enumerate-iam: https://github.com/andresriancho/enumerate-iam ● Scout Suite: https://github.com/nccgroup/ScoutSuite $ ./enumerate-iam.py --access-key <AccessKeyID> --secret-key <SecretKey> --session-token <SessionToken> Enumerated permissions
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user You could enumerate all sort of permissions that allows unauthenticated user to access AWS services: ● dynamodb.list_backups() ● dynamodb.list_tables() ● lambda.list_functions() ● s3.list_buckets() ● etc.
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials If the unauthenticated role is explicitly disabled. You’ll will receive similar error: NotAuthorizedException: Unauthenticated access is not supported for this identity pool.
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 2. Try to fetch temporary AWS credentials using authenticated user Assuming unauthenticated user is disabled and you either can sign up or have access to an authenticated account. Observe the HTTP traffic upon successful authentication: Id_token is exchanged for temporary AWS credentials: ● AccessKeyId ● SecretKey ● SessionToken
Security misconfiguration #2: Authentication bypass due to enabled Signup API action Applications not offering user signup and only supporting administrative provision of accounts could be vulnerable as a result of not disabling signup API action. This includes admin login portals which implement AWS cognito allowing authentication bypass as a result.
Security misconfiguration #2: Authentication bypass due to enabled Signup API action Self-registration enabled by default when creating a new user pool
Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. $ aws cognito-idp sign-up --client-id <client-id> --username <email-address> --password <password> --region <region> Successful singup Failed signup
Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. AWSCognitoIdentityProviderService.SignUp
Security misconfiguration #2: Authentication bypass due to enabled Signup API action In case of a successful self-registration, a 6 digits confirmation code will be delivered to the attacker’s email address. $ aws cognito-idp confirm-sign-up --client-id <client-id> --username <email-address> --confirmation-code <confirmation-code> --region <region> You’ll need to confirm the account next.
Security misconfiguration #2: Authentication bypass due to enabled Signup API action You can also directly call the Cognito API endpoint as follows: AWSCognitoIdentityProviderService.ConfirmSignUp
Security misconfiguration #2: Authentication bypass due to enabled Signup API action Sometimes, you might successfully be able to signup and register an account but it doesn’t have any user group assigned. However, you will be able to obtain temporary AWS credentials which you can test against liberal permissions as we explained earlier.
Security misconfiguration #3: Privilege escalation through writable user attributes Attributes are pieces of information that help you identify individual users, such as name, email address, and phone number. A new user pool has a set of default standard attributes.
Security misconfiguration #3: Privilege escalation through writable user attributes You can also add custom attributes to your user pool definition in the AWS Management Console.
Security misconfiguration #3: Privilege escalation through writable user attributes Unless set as readable only, the new custom attribute permission is writable by default which allows the user to update its value.
Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes In order to test against this misconfiguration, you need to be authenticated then we’ll fetch the available user attributes using the generated access token (Check Authorization header). $ aws cognito-idp get-user --region <region> --access-token <access-token>
Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes
Security misconfiguration #3: Privilege escalation through writable user attributes AWSCognitoIdentityProviderService.GetUser 1. Fetching user attributes Look out for custom attributes such as: custom:isAdmin custom:userRole custom:isActive custom:isApproved custom:accessLevel
Security misconfiguration #3: Privilege escalation through writable user attributes 2. Updating user attributes $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="<attribute-name>", Value="<new-value>" AWSCognitoIdentityProviderService.UpdateUserAttributes
Security misconfiguration #3: Privilege escalation through writable user attributes
Security misconfiguration #4: Updating email attribute before verification There scenarios where the user isn’t allowed to update their email address due to both client and server-side security controls. However, by leveraging Cognito API, it might also be possible to bypass this restriction. $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="email", Value="<new-email-address>"
This is especially bad when verification isn’t required. If the email is relied upon for authorization and access control, this will result in horizontal and vertical privilege escalation. Security misconfiguration #4: Updating email attribute before verification
Even with email verification enabled, most applications will update the email attribute value to the new unverified email address. Security misconfiguration #4: Updating email attribute before verification
This is bad because the user will be still be able to login and obtain an authenticated access token using the unverified email address. Many application do not necessarily check if email_verified is set to True or False. Therefore, this would bypass any security controls that relies on email domain for authorization, hence privilege escalation. Security misconfiguration #4: Updating email attribute before verification
AWS has introduced a new security configuration to mitigate this issue, so if you have Keep original attribute value active when an update is pending explicitly enabled the email attribute will not be updated to the new email address until it is verified. This is a new security configuration that was only introduced after June 2022 which means a lot of applications might still be misconfigured. Security misconfiguration #4: Updating email attribute before verification
https://hackerone.com/reports/1342088 Security misconfiguration #4: Updating email attribute before verification
1. User victim email is: jack@domain.com 2. Updating email was not possible, but using Cognito API, researcher managed to update their email to Jack@domain.com Misconfigurations: ● Email attribute is writable so it’s possible to update it via Cognito API. ● Email attribute is case-sensitive which could have been set to insensitive from AWS console. 3. Attacker authenticates to Jack@domain.com Misconfigurations: ● email_verified attribute value wasn’t checked if it’s True. ● Keep original attribute value active when an update is pending wasn’t enabled. 4. Flickr normalizes Jack@domain.com email to jack@domain.com (victim) resulting in ATO. Security misconfiguration #4: Updating email attribute before verification
Recommendations for developers ● Remove sensitive details from server responses, including Cognito Identity Pool Id. ● Disable Signup on AWS Cognito if not required. ● Disable unauthenticated role if not required. ● Review IAM policy attached to the authenticated and unauthenticated role to ensure least privilege access. ● Evaluate all user attributes and disable writing permission if not necessary. ● Remember that the email attribute value may hold an unverified email address.
Thank you! Reach out on Twitter @yassineaboukir Or https://yassineaboukir.com

Recomendados

Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Amazon Web Services
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Web Services
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksAmazon Web Services
 
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksDeep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksAmazon Web Services
 
AWSM2C3.pptx
AWSM2C3.pptxAWSM2C3.pptx
AWSM2C3.pptxRahulDange13
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep DiveAmazon Web Services
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAmazon Web Services
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSAWS User Group Kochi
 

Recomendados

Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Amazon Web Services
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Web Services
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksAmazon Web Services
 
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksDeep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksAmazon Web Services
 
AWSM2C3.pptx
AWSM2C3.pptxAWSM2C3.pptx
AWSM2C3.pptxRahulDange13
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep DiveAmazon Web Services
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAmazon Web Services
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSAWS User Group Kochi
 
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Amazon Web Services
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Amazon Web Services
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Amazon Web Services
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIsAmazon Web Services
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and AuthorisationAmazon Web Services
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Amazon Web Services
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesVladimir Budilov
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Amazon Web Services
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesAmazon Web Services
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Amazon Web Services
 
Certification authority
Certification authorityCertification authority
Certification authorityproser tech
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSBoyan Dimitrov
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdfRubersy Ramos García
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Web Services
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Amazon Web Services
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityAshKhan85
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Mais conteúdo relacionado

Semelhante a Hunting AWS Cognito Security Misconfigurations

[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Amazon Web Services
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Amazon Web Services
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Amazon Web Services
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIsAmazon Web Services
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and AuthorisationAmazon Web Services
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Amazon Web Services
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesVladimir Budilov
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Amazon Web Services
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesAmazon Web Services
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Amazon Web Services
 
Certification authority
Certification authorityCertification authority
Certification authorityproser tech
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSBoyan Dimitrov
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Web Services
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Amazon Web Services
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityAshKhan85
 

Semelhante a Hunting AWS Cognito Security Misconfigurations (20)

[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and Authorisation
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
 
Certification authority
Certification authorityCertification authority
Certification authority
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
 

Último

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Último (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Hunting AWS Cognito Security Misconfigurations

  • 1. Hunting For AWS Cognito Security Misconfigurations Yassine Aboukir (@yassineaboukir)
  • 2. Introduction Yassine Aboukir (@yassineaboukir) ● Application security consultant. ● Pentester at HackerOne. ● Bug Bounties (since 2014): HackerOne Top 20, H1-303 MVH & 1st place. ● ex- HackerOne Triage (2017 - 2019). ● Digital nomad (5 years & Over 40 countries).
  • 3. Introduction to AWS Cognito With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web and mobile applications. Amazon Cognito provides an identity store that scales to millions of users, supports social and enterprise identity federation, and offers advanced security features to protect your consumers and business. Source: https://aws.amazon.com/cognito/
  • 4. Introduction to AWS Cognito Amazon Cognito makes it easier for you to manage user identities, authentication, and permissions. It consists of two main components: ● User Pools: allow sign-in and sign-up functionality. ● Identity Pools: allow authenticated and unauthenticated users to access AWS resources using temporary AWS credentials.
  • 5. Introduction to AWS Cognito Source: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
  • 6. How to tell if an application is using Amazon Cognito? API calls to AWS Cognito API endpoint ● Yellow: API calls to user pool. ● Green: API calls to identity pool.
  • 7. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user To generate the AWS credentials, we need to find Identity Pool ID which is usually hardcoded in the source code, in a bundled JS file or in HTTP response. Other useful information that you can find: ● Client ID ● User Pool ID ● Region Identity Pool ID Client ID User Pool ID Region
  • 8. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Using Burpsuite, search for a variation of the following keywords in the HTTP history: Aws_cognito_identity_pool_id identityPoolId cognitoIdentityPoolId userPoolWebClientId userPoolId aws_user_pools_id These hardcoded IDs aren’t considered sensitive on their own!
  • 9. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the Pool Identity ID to generate an Identity ID. Use AWS-Cli (https://github.com/aws/aws-cli) as follows: $ aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region <region>
  • 10. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the previous Identity ID to generate AWS credentials. Use AWS Cli as follows: $ aws cognito-identity get-credentials-for-identity --identity-id <identity-id> --region <region>
  • 11. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Now, we can enumerate permissions associated with these credentials using a tool such as: ● Enumerate-iam: https://github.com/andresriancho/enumerate-iam ● Scout Suite: https://github.com/nccgroup/ScoutSuite $ ./enumerate-iam.py --access-key <AccessKeyID> --secret-key <SecretKey> --session-token <SessionToken> Enumerated permissions
  • 12. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user You could enumerate all sort of permissions that allows unauthenticated user to access AWS services: ● dynamodb.list_backups() ● dynamodb.list_tables() ● lambda.list_functions() ● s3.list_buckets() ● etc.
  • 13. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials If the unauthenticated role is explicitly disabled. You’ll will receive similar error: NotAuthorizedException: Unauthenticated access is not supported for this identity pool.
  • 14. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 2. Try to fetch temporary AWS credentials using authenticated user Assuming unauthenticated user is disabled and you either can sign up or have access to an authenticated account. Observe the HTTP traffic upon successful authentication: Id_token is exchanged for temporary AWS credentials: ● AccessKeyId ● SecretKey ● SessionToken
  • 15. Security misconfiguration #2: Authentication bypass due to enabled Signup API action Applications not offering user signup and only supporting administrative provision of accounts could be vulnerable as a result of not disabling signup API action. This includes admin login portals which implement AWS cognito allowing authentication bypass as a result.
  • 16. Security misconfiguration #2: Authentication bypass due to enabled Signup API action Self-registration enabled by default when creating a new user pool
  • 17. Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. $ aws cognito-idp sign-up --client-id <client-id> --username <email-address> --password <password> --region <region> Successful singup Failed signup
  • 18. Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. AWSCognitoIdentityProviderService.SignUp
  • 19. Security misconfiguration #2: Authentication bypass due to enabled Signup API action In case of a successful self-registration, a 6 digits confirmation code will be delivered to the attacker’s email address. $ aws cognito-idp confirm-sign-up --client-id <client-id> --username <email-address> --confirmation-code <confirmation-code> --region <region> You’ll need to confirm the account next.
  • 20. Security misconfiguration #2: Authentication bypass due to enabled Signup API action You can also directly call the Cognito API endpoint as follows: AWSCognitoIdentityProviderService.ConfirmSignUp
  • 21. Security misconfiguration #2: Authentication bypass due to enabled Signup API action Sometimes, you might successfully be able to signup and register an account but it doesn’t have any user group assigned. However, you will be able to obtain temporary AWS credentials which you can test against liberal permissions as we explained earlier.
  • 22. Security misconfiguration #3: Privilege escalation through writable user attributes Attributes are pieces of information that help you identify individual users, such as name, email address, and phone number. A new user pool has a set of default standard attributes.
  • 23. Security misconfiguration #3: Privilege escalation through writable user attributes You can also add custom attributes to your user pool definition in the AWS Management Console.
  • 24. Security misconfiguration #3: Privilege escalation through writable user attributes Unless set as readable only, the new custom attribute permission is writable by default which allows the user to update its value.
  • 25. Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes In order to test against this misconfiguration, you need to be authenticated then we’ll fetch the available user attributes using the generated access token (Check Authorization header). $ aws cognito-idp get-user --region <region> --access-token <access-token>
  • 26. Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes
  • 27. Security misconfiguration #3: Privilege escalation through writable user attributes AWSCognitoIdentityProviderService.GetUser 1. Fetching user attributes Look out for custom attributes such as: custom:isAdmin custom:userRole custom:isActive custom:isApproved custom:accessLevel
  • 28. Security misconfiguration #3: Privilege escalation through writable user attributes 2. Updating user attributes $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="<attribute-name>", Value="<new-value>" AWSCognitoIdentityProviderService.UpdateUserAttributes
  • 29. Security misconfiguration #3: Privilege escalation through writable user attributes
  • 30. Security misconfiguration #4: Updating email attribute before verification There scenarios where the user isn’t allowed to update their email address due to both client and server-side security controls. However, by leveraging Cognito API, it might also be possible to bypass this restriction. $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="email", Value="<new-email-address>"
  • 31. This is especially bad when verification isn’t required. If the email is relied upon for authorization and access control, this will result in horizontal and vertical privilege escalation. Security misconfiguration #4: Updating email attribute before verification
  • 32. Even with email verification enabled, most applications will update the email attribute value to the new unverified email address. Security misconfiguration #4: Updating email attribute before verification
  • 33. This is bad because the user will be still be able to login and obtain an authenticated access token using the unverified email address. Many application do not necessarily check if email_verified is set to True or False. Therefore, this would bypass any security controls that relies on email domain for authorization, hence privilege escalation. Security misconfiguration #4: Updating email attribute before verification
  • 34. AWS has introduced a new security configuration to mitigate this issue, so if you have Keep original attribute value active when an update is pending explicitly enabled the email attribute will not be updated to the new email address until it is verified. This is a new security configuration that was only introduced after June 2022 which means a lot of applications might still be misconfigured. Security misconfiguration #4: Updating email attribute before verification
  • 35. https://hackerone.com/reports/1342088 Security misconfiguration #4: Updating email attribute before verification
  • 36. 1. User victim email is: jack@domain.com 2. Updating email was not possible, but using Cognito API, researcher managed to update their email to Jack@domain.com Misconfigurations: ● Email attribute is writable so it’s possible to update it via Cognito API. ● Email attribute is case-sensitive which could have been set to insensitive from AWS console. 3. Attacker authenticates to Jack@domain.com Misconfigurations: ● email_verified attribute value wasn’t checked if it’s True. ● Keep original attribute value active when an update is pending wasn’t enabled. 4. Flickr normalizes Jack@domain.com email to jack@domain.com (victim) resulting in ATO. Security misconfiguration #4: Updating email attribute before verification
  • 37. Recommendations for developers ● Remove sensitive details from server responses, including Cognito Identity Pool Id. ● Disable Signup on AWS Cognito if not required. ● Disable unauthenticated role if not required. ● Review IAM policy attached to the authenticated and unauthenticated role to ensure least privilege access. ● Evaluate all user attributes and disable writing permission if not necessary. ● Remember that the email attribute value may hold an unverified email address.
  • 38. Thank you! Reach out on Twitter @yassineaboukir Or https://yassineaboukir.com