AWS Cognito Misconfiguration

Using Cognito for authentication is quite popular nowadays, especially in mobile apps.

Developers often hardcode a Cognito Identity Pool ID in the app, which allows an unauthenticated attacker to possibly abuse the AWS services associated with that pool's identity.

One of the quickest and easiest ways to identify a hardcoded Cognito Identity Pool ID is by running the Nuclei template aws-cognito.yaml against a decompiled Android app.

This can be done by running the following command:

echo /output_apktool/ | nuclei -t /file/Keys/aws-cognito.yaml

Once you identify the Cognito Identity Pool, you can take the following steps to determine whether the pool follows the principle of least privilege:

  1. Extract AWS credentials (access_key, secret_key and session_token) from the identity pool.

  2. Enumerate permissions for the unauthenticated role.

  3. Escalate privileges by abusing those permissions.
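The identification step above, as an added example that is not part of the original page or the InsecureShop project: a small Python scanner that finds hardcoded Cognito Identity Pool IDs (the `<region>:<uuid>` literals the aws-cognito.yaml template matches) in decompiled app sources, plus an audit helper that checks, using your own AWS read permissions, whether a pool hands out credentials to unauthenticated identities and which IAM role they receive. The sample files and pool IDs are constructed for the example; the boto3 calls (`describe_identity_pool`, `get_identity_pool_roles`) are real Cognito Identity APIs.

```python
import os
import re
from typing import Dict, List, Tuple

# Cognito Identity Pool IDs have the form "<region>:<uuid>", e.g.
# "us-east-1:1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d". This pattern mirrors
# what the aws-cognito.yaml Nuclei template looks for.
POOL_ID_RE = re.compile(
    r"\b([a-z]{2}-[a-z]+-\d):"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b",
    re.IGNORECASE,
)


def find_pool_ids(text: str) -> List[str]:
    """Return every Cognito Identity Pool ID literal found in a block of text."""
    return [f"{region}:{guid}" for region, guid in POOL_ID_RE.findall(text)]


def scan_sources(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan a mapping of path -> contents (as apktool or jadx would produce)
    and return (path, pool_id) pairs for every hardcoded pool ID."""
    hits = []
    for path, content in files.items():
        for pool_id in find_pool_ids(content):
            hits.append((path, pool_id))
    return hits


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a decompiled app directory on disk and scan every readable file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return scan_sources(files)


def audit_pool(pool_id: str) -> Dict[str, object]:
    """Audit a pool you own: does it allow unauthenticated identities, and which
    roles are attached? Requires AWS credentials with cognito-identity read access."""
    import boto3  # imported lazily so the scanner runs without boto3 installed

    region = pool_id.split(":", 1)[0]
    client = boto3.client("cognito-identity", region_name=region)
    pool = client.describe_identity_pool(IdentityPoolId=pool_id)
    roles = client.get_identity_pool_roles(IdentityPoolId=pool_id).get("Roles", {})
    return {
        "allow_unauthenticated": pool.get("AllowUnauthenticatedIdentities", False),
        "unauthenticated_role": roles.get("unauthenticated"),
        "authenticated_role": roles.get("authenticated"),
    }


# Constructed sample of what decompiled sources might contain
# (hypothetical paths and pool IDs, not InsecureShop's real values).
SAMPLE_FILES = {
    "smali/com/example/app/AwsConfig.smali": (
        'const-string v0, "us-east-1:1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"\n'
    ),
    "res/values/strings.xml": (
        '<string name="api_base">https://api.example.test/</string>\n'
        '<string name="cognito_pool">ap-south-1:0f0e0d0c-0b0a-0908-0706-050403020100</string>\n'
    ),
    "res/raw/awsconfiguration.json": '{"CredentialsProvider": {}}\n',
}

if __name__ == "__main__":
    for path, pool_id in scan_sources(SAMPLE_FILES):
        print(f"{path}: {pool_id}")
```

Run `scan_directory("/output_apktool/")` against a real decompiled tree to get the same kind of findings the Nuclei command produces; `audit_pool` is the defender-side follow-up, and a pool that reports `allow_unauthenticated: True` with an `unauthenticated_role` attached is the configuration this challenge is about, so that role's policy is what to review and tighten.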

Challenge

The InsecureShop application implements a misconfigured AWS Cognito instance that can be used to access an AWS S3 bucket. Can you find the contents of, or access files within, the S3 bucket?

If you can solve this one, you'll get a beer 🍺

Reference:
