Amazon Cognito (Mis)Configurations

hey so we are going to discuss most uh almost everyone want to understand what is going with the amazon and like so so many bridges are going on right so so i have covered right uh for this talk right it's amazing cognitive misconfiguration so before we start right little bit around me i'm security analyst at apps echo i have been listed as a security researcher by indian government in their ncibc rvtp newsletter i also spoken at various international and national conferences like oas hacking the paris cocoon defcon cloud village and many more and yeah i'm just a lifelong learner and believing sharing the knowledge and for experience perspective if you talk i hardly had two years of

experience but just i believe sharing the knowledge so yeah you can hit the question but yeah so what's the today agenda of the talk is cognito walking fast if you are not aware what is cognito don't worry i just mentioned in the some brief then we before we understand right what are the exploitation and everything first we try to understand how how the cognate actually works so that you can relate the misconfiguration part then attributes and the possible attack vectors like most of security researcher or the any bounty hunter look for the attack vectors and then also we discuss around the exploitation part and yeah that if any developer is here you might get to know

what were the root causes and what can be done okay so first like what is cognito before i start talking about the cognitive arcane right so if you are aware that that is we are using mobile application and or any modern web app right so you have option to log in with facebook or login with gmail right so how they manage so those are the web identity provider and you have the application it could be a modern web application or it could be a a mobile application right so who's uh managing between it's a cognito so there where the cognito comes in the picture now if we talk about the working of the cognito right how in the background all

things are handled by the cognito that we are going to understand so first when user click on the sign in right it goes to the amazon cognito user pool that manage authentication part that yeah you have logged in so user will manage uh the authentication work so map the word okay that could be helpful in uh when i cover the artic vector so map this keywords user pull authentication it returns the axis and the id tokens that is basically gwd tokens so after that it's verify that and based on that you get the temporary credentials so that's done with the help of cognito identity pool and identity pool managed with the access control like what you can access

right so that's uh relate with the identity pool so you can map it like access and the identity report okay and after that uh this access service like if you talk about like how the user is able to uh access s3 bucket or dyno db data or the lambda functions right for that uh the access at the temporary credentials comes in the picture so that can be done after verifying those jwt token and you get the temporary credential so if you want to uh get the data with the or you want to communicate with the aws service you can't just uh communicate with the help of jwd token right so you get the temporary credential and that's

why whole this cognito things comes in the picture now like we understood okay what is user pool id what is uh identity pool id right and how the cognito works now what are the possible attack vectors so i just mentioned some of that uh in some you have to figure out it's really issue that i'll be covering in outcome so hard-coded identity pool id then identity pool id present in http response then liberal aws permission has been assigned if you think right it's so hard don't worry i'll break it down in upcoming slide i covered one by one so it will be easier for you and miss configure aws cognito attributes and then aws cognitive misconfigured to allow

sign off as a new user so fast ah that is a statement in uh guideline that the disclosure of the ape client id or the user pool id or the identity pool id or the region information right is not misconfiguration since these are not the confidential value that's correct that these are the not confidential value but if i'm attacker right and there is something wrong with the another part of the configuration or there is something more juicy information present right i can just map this uh with the another misconfiguration and i can do the exploitation part so this is partially true you can say uh now we'll cover when it's true and when it's not right sometimes i just

have the identity pool idea and i uh get access to s3 bucket data as well sometimes i had only knowledge of app client and i'm able to register as a new user right so yeah it's a partially true if you are not able to chain it if everything in place then it's true yeah so first one hard coded identity pool id value is disclosed in http response or either could be stored in the javascript file as well okay so it's really a security issue or not you can't just say that hey it's a issue then any developer even i would say why it's issue right why are you saying it's already mentioned that it's a publicly

accessible uh info so you to get into how can you exploit it so to do so uh if you are using bob suit right so to api call to look for uh to find the identity pool id in the request itself it's uh aws cognito identity service get id right so in the request part you will have the identity pool id itself so by this you can try to request to get the identity id again as i told you right the identity id deals with the authentication that's why we are interested into getting it so here we don't have the like in the request itself login or something so we are saying that it's an unauthenticated

identity ideally they if uh developer or any admin right if they are familiar with that they ideally don't allow on authenticate id uh identities and it throws the 4.4 or unauthorized error that's expected right but if not right then what you can do uh using that pool id you can try to get the identity id and after getting identity id you can try to fetch the temporary uh security credentials that where actual thing you can explain that hey i am able to get the security credential uh temporary uh security credential right now to get those credentials right most of people are aware about the border script but that is not only the option to get those credentials right so

sometimes you can do the manually just go in the bob and see in the request try to find those uh this particular api endpoint and request for the temporary credential you might get it right so don't uh just follow the automated tools or something like that you can directly get it if you are about what api call you have to look for third option is running the python script in that you are basically saying that hey this is the region id and i did in pool ids this if you are getting those credential temporary uh security credential right the uh key id or the token right see what kind of access you have so this

is how you can see that i was only knowing the region id and the identity pool id but still i'm getting credentials so that's why you are saying that it's an issue but you are not able to get the credential right so you can't just say it's the issue you are able to see it but you are not able to exploit it right so that's another issue so this how you determine right so that's why it's being said don't uh just say it's issue try to see what impact it create and how can you exploit you got the temporary credential right so i already mentioned that what you can do so you innovate the permission either

you use the command line and configure the profile and see what kind of permission manually or you can directly use the enumerate im tool it will help you to see what kind of permission that particular user is holding so uh so that's how you can see okay you got the credential but the user is not having that high like you can still inform the developer or your team or your client that hey i'm able to get this credential but we are not getting the enough uh access right if you are not able to get the s3 or the nec to instance or the lambda right but you are only able to access the credential is the issue for you guys at least you

should inform them if sometimes you might get the credentials and they those particular credential might have the admin level or sometimes the user that only have the access to s3 right that is again issue right because that s3 bucket is supposed to use by within organization but you are able to get it right so that's again issue uh yeah so that's what i have mentioned verify if you get any sensitive information or if you get any interesting permission right so another thing i have mentioned right sometimes you get the error hey um you have requests for the this id thing but you are not authorized to do so you are unauthenticated person right so what

you do in this case you say it's not a security issue now you should go further ahead and try access to unauthentic unauthenticated identity was disabled yeah yeah that's uh done right what can be done so run python script that what i have covered and tried to identify that application expose some functionality due to aws misconfiguration now if you are wondering right what can be so it could be app client id now how can be app client id can be useful for you that we again gonna discuss in upcoming slides so just keep in mind just don't stop that hey we are not able to do it uh sometimes we just get frustrated right and we say no

there is nothing possible but uh yeah you should go further what else you can find right so yeah the client id i have mentioned right so client id is value disclosed you find it some people say it's not a issue yeah it's not an issue if you are not able to do something with it but here i can show you what can you do with the only knowledge of the client idea and some obviously misconfiguration should be there and what misconfiguration that we again discuss what causes to this issue that client id disclose is helping us to performing self registration so first knowing client id to performing self register okay so first i will be

covering uh how you can do with the using aws command line or the cli right uh then i'll be discussing uh in the bonus tip that how can you use uh instead of going with the command line right how can you use bobsled to do same instead of if you are don't want to remember those commands right you can go with the box it as well like if you are testing you can directly go hard so yeah first we are going to discuss this one so i mentioned that aws cognito idp confirm sign up okay client id that you got the value of the client id value then you mention user name as your email id okay

i'm an article i see i want to sign up right and the password i will mention anything abcd123 right so if you are not our like some of the aws security terms or any command terms so i have break it down so cognito idp basically uh for creating and modifying the user's application pool data right and again the sign up that's basically talk about this item thing right and client id it's everything is known to you so yeah so basically what we are saying that yeah i know the client id i'm the user and this is my password right so i try to sign up as a attacker in that particular application ideally should not allow

but as it allowing so you get the success right so after that uh see if you are like if you are if i say abc gmail.com right see in that particular mail id if you are getting any code after getting that code uh try to complete the whole registration process again by aws cognito idp confirm sign up and here i will be mentioning email id and the confirmation code so whole registration process will be complete from my site as an attacker in your application so yeah so after that you just check whether success or fail if you see right you got the password you got the code right that is still uh not sure that if

you have com there are some like i have seen that i was able to complete the whole password thing i was getting the code as well but i somehow when i passed the code right they have some code in place and they restricting so complete that if you are really able to complete the registration if registration is successful then try to log in uh with the newly registered account if you are registered with newly created account then congratulation you can tell it just knowing by client id you can do the search registration right but really the knowing the client id was really an issue or there is something phishing going on right there is something wrong with

something uh while doing the cognitive configuration part so but before that uh i talk about that right that i'll discuss how can you don't have to go through whole process with the command line you can simply go uh if you are using buffs it right you can simply look for this api call confirm sign up right and then in particular request you will be having the email id so you just change uh mail id and see if you are getting 200 okay if yes see your mail uh if you are getting code or not right sometimes uh some client are so genius i would say they say okay but eventually you will not get the

code okay so it's just like fooling that tiger so confirm it and then complete the whole registration process so so far what was our approach check if confirmation email uh sent to the article specify email id yes check if user account can be confirmed from the token or the code received on the registration email right and then check if application validated a newly created user to allow sign up right if you say i'm getting the code i'm done no it's not you have to complete the registration check if you are really able to complete the whole registration part so what went wrong to lead to this if you think right the client id value is

disclosed okay it's disclosed but main reason is allowing users to sign up their uh okay so ideally uh so there are two options only allow administrator to create user uh there is another option allow user to sign up themselves so this is what it bring to the whole attack it's not only knowing the client id think a scenario if i know client id and the only allow administrator to create a user is enabled right even though you know client id but you are not able to uh sign up yourself would it be issue no right there is no impact and there is no attack in place so that's why knowing client id it's not enough

but yeah knowing client id and you are saying that yeah it's only client id that's again uh not enough you should see the exploitation part here we did right so what can be done you get to know yeah it's because of this you are able to do the whole signup procedures just only allow administrator to create that users ah as i mentioned why uh like why client ice client id is not really an issue if you try running this command right which i mentioned earlier aws cognito idp confirm sign up then you mention client id and the email id and the password right eventually it throws the error that unauthorized error why because now you have explicitly mentioned that yeah

only authorized uh user or the administrator is allowed right so that's why only knowing client id is not an issue but if you are able to chaining it then it's the issue right so yeah how with the help of misconfigure attributes attacker can allow to perform privilege escalation so if you are confused about the attributes and privilege escalation everyone must be aware about what is privilege escalation so but how the attribute can help you right so that in like amazon cognate all right you have two attributes one is the standards which have the email id contact information and second where you mention the custom attributes uh customer attributes where you see right is uh user is admin right

or you explicitly mention role like any application have the admin on web developer right so those are the different roles so how they handle it uh if they are using cognito they explicitly mentioned the rules and how they are handling using custom attributes so here we mostly focus on the custom attributes so yeah this is the uh one of the screenshot i have taken that it's having in self id token access token and refresh token if you are testing the modern web application you will see this uh so basically if you are not aware what is id token id tokens its identity of authenticated users such as name email id phone number right and access

token contains so it's deal with the scope right so if you talk about scope uh like you can think about the authorization part but yeah whole like id token access token refresh token if talk right if you only checking for authorization then you have to consider three of them but how the cognito deals with that access token right now you are no like aware that what is the standard attribute and what is the custom attributes right so let's talk about the exploitation part so first i i have somehow access to the id access token right but as we discussed that only access token is deals with the scoping thing and the authorization part right so what i will focus on to list the user

attributes that aw is cognito idp get user access token where i mentioned like ask for the getting the uh i just mentioned the access token so it will list out the whole uh attributes for me in that i'll be look for the custom attributes as i mentioned customer attribute could be so you have like custom and i have the screenshot don't worry if you are getting that it's a theory but i have the screenshot you will get to know how the custom attribute look like so it's basically you will see anything except from the standard attributes it would be custom and you will get to know so it says custom and then you have the

attribute name so that's how you get to know what is the custom attribute then custom attribute user is created by an application developer when built-in standard user attributes are not sufficient or applicable which i already mentioned right adding a boolean is admin flag a role to the user object right so this is where the custom attributes comes in the picture so yeah when you try to list the user attributes right so here i say get user so it helps me to list out the whole attributes and the metadata for that particular user now if you see right the name email id phone number those are the standard attributes we are not bothering about that only uh we are

having the interest around is custom attributes see it's what is look like custom and is admin false so what is basically saying that is the admin is false that for that particular user is not having access as an admin so if i'm article right i also always look into why should i only have access to this why shouldn't i can access the admin or any above me right if i'm a tester i could i have access as a developer if i'm developer i could have access to admin right so you must be interested in like everyone like every security researcher must be looking getting more privileges so to do so and to update the user

attribute value right uh you just simply try to attempt uh is admin a value to the like is admin right so it's talking about in terms of uh true or false right so you try to update with the true and so here i have run this command that aws cognitor idp update user attribute and i'm mentioning token obviously that how though cognito understand that what i'm trying to convey and user attribute name i'm saying that custom is admin value is true okay i'm exclusively mentioning that uh i want to be this user to be admin if it's showing that not authorize the exception that's all right yeah they have some configuration in place if not right then it's the issue you are

you can just uh have the instead of having access as a developer you can have access as admin so what was the approach so far we started with the getting the those like if you are tasting any modern web right you have the this uh access token or refresh token or id token right so using those access token you can try to list the user attributes check if custom users are present i have highlighted this because major cause and the major route that help us is custom user item but not the standard user attributes check if you are able to update user uh attribute successfully right if you are not able to do that again

that's not a really issue because they have a configuration in place now what configuration that also i have covered in the like upcoming slides you will see what leads to to update this uh value and not throwing that uh not authorized error okay and then you try to re-attempt the login and verify if user is able to perform action such as an admin so this is whole like it's uh so if you think right the attack floyd quite simple but most of people miss this because either they think that cognate okay it's only used for to sign up and it's working in between web identity and the application so yeah that what it leads to the

misconfiguration most of time and most of people uh ignore this part so ah now you are aware right so what can be done update by unchecking custom is admin attribute right checkbox so if you think right in the cognito configuration when you create the whole uh setup right you have option to update the attribute value so while you are providing access right make sure the right access it's uh unchecked so that's how you prevent it right uh so after doing so if i run again same command it will throws me unauthorized error why because i just stop it and i say hey this is only read only access you can't do any actions you only can see you

can't perform any uh actions all around it right so yeah approach again list user attributes see if custom user attributes present and try to update the custom user uh attribute value like it's in general uh same it's simple flow but most of people ignore this and there are so many uh cases that self registration and the custom uh due to the custom user attribute right though you can really perform the privilege escalation it sounds silly but you notice many big organization also make this kind of mistake so yeah uh if you have any question around it or you can get in touch with me either on twitter on linkedin thank you [Applause]