
AWS Cognito Misconfiguration


Last updated 3 years ago


Using Cognito for authentication is quite popular nowadays, especially in mobile apps.

Developers often hardcode the Cognito Identity Pool ID, which may allow an unauthenticated attacker to abuse the AWS services associated with that identity pool.

One of the quickest and easiest ways to identify a hardcoded Cognito Identity Pool is to run the Nuclei template aws-cognito.yaml against a decompiled Android app.

This can be done by running the following command:

echo /output_apktool/ | nuclei -t /file/Keys/aws-cognito.yaml
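
The same kind of scan can run as a build-time check on your own app. The following Python scanner is an added example, not part of the original page and not the Nuclei template: it assumes identity pool IDs have the form region:UUID, and the regex, function names and sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed ID format "<aws-region>:<uuid>"; regex written for this example.
POOL_ID_RE = re.compile(
    r"\b([a-z]{2}(?:-gov)?-[a-z]+-\d:"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b"
)


def scan_tree(root):
    """Return (relative_path, line_no, pool_id) for each match under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_bytes().decode("utf-8", errors="ignore")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in POOL_ID_RE.finditer(line):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, line_no, match.group(1)))
    return findings


def build_sample_tree(root):
    """Constructed stand-in for apktool output; the IDs are placeholders."""
    root = Path(root)
    (root / "res/values").mkdir(parents=True)
    (root / "smali/com/example").mkdir(parents=True)
    (root / "res/values/strings.xml").write_text(
        '<resources>\n  <string name="app_name">Demo</string>\n'
        '  <string name="pool">us-east-1:00000000-1111-2222-3333-444444444444'
        '</string>\n</resources>\n'
    )
    (root / "smali/com/example/Config.smali").write_text(
        '.class public Lcom/example/Config;\n'
        'const-string v0, "ap-south-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"\n'
        'const-string v1, "00000000-1111-2222-3333-444444444444"\n'  # bare UUID
    )
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, line_no, pool_id in demo():
        print(f"{rel}:{line_no}: {pool_id}")
```

Point scan_tree at your own decompiled output directory and fail the build when it returns any finding that is not an approved, least-privilege pool.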

Once you identify the Cognito Identity Pool, you can take the following steps to determine whether the Cognito Identity Pool follows the principle of least privilege:

  1. Extract AWS credentials (access_key, secret_key and session_token) from the identity pool.

  2. Enumerate the permissions of the unauthenticated role.

  3. Escalate privileges by abusing permissions.

Challenge

The InsecureShop application uses a misconfigured AWS Cognito instance that can be used to access an AWS S3 bucket. Can you find the content of, or access files within, the S3 bucket?

If you can solve this one, you'll get a beer 🍺

Reference: