AWS Cognito Misconfiguration
Using Cognito for authentication is quite popular nowadays specially in mobile apps.
Developers often hardcode Cognito Identity Pool which allows an unauthenticated attacker to possibly abuse the AWS services associated with that pool identity.
One of the quick and easiest way to identify a hardcoded Cognito Identity Pool is by running the Nuclei template
aws-cognito.yamlon a decompiled Android app.
This can be done by running the following command:
echo /output_apktool/ | nuclei -t /file/Keys/aws-cognito.yaml
Once you identify the Cognito Identity Pool, you can take the following steps to identify whether Cognito Identity Pool is following the privilege of least principle:
- 1.Extract AWS credentials (
session_token) from the identity pool.
- 2.Enumerate permission for the unauthenticated role.
- 3.Escalate privileges by abusing permissions.
InsecureShop application implements misconfigured AWS cognito instance that can be used to access AWS S3 bucket. Can you find the content or access files within the S3 bucket?
If you can solve this one, you'll get a beer 🍺