SlideShare une entreprise Scribd logo

NahamConEU2022.pdf

S
seed4mexyz

1. The document discusses security misconfigurations that can occur when using Amazon Cognito for user authentication. 2. It describes how an unauthenticated user could potentially access AWS services by fetching temporary credentials from an identity pool if the unauthenticated role is not disabled. 3. It also explains how an attacker could bypass authentication by enabling user signup if that API action is not disabled for applications that do not require signup. 4. Additional misconfigurations discussed include privilege escalation through writable user attributes, and updating a user's email attribute before verification which could allow bypassing authorization checks.

Technologie
1  sur  38
Télécharger pour lire hors ligne
Hunting For AWS Cognito Security Misconfigurations Yassine Aboukir (@yassineaboukir)
Introduction Yassine Aboukir (@yassineaboukir) ● Application security consultant. ● Pentester at HackerOne. ● Bug Bounties (since 2014): HackerOne Top 20, H1-303 MVH & 1st place. ● ex- HackerOne Triage (2017 - 2019). ● Digital nomad (5 years & Over 40 countries).
Introduction to AWS Cognito With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web and mobile applications. Amazon Cognito provides an identity store that scales to millions of users, supports social and enterprise identity federation, and offers advanced security features to protect your consumers and business. Source: https://aws.amazon.com/cognito/
Introduction to AWS Cognito Amazon Cognito makes it easier for you to manage user identities, authentication, and permissions. It consists of two main components: ● User Pools: allow sign-in and sign-up functionality. ● Identity Pools: allow authenticated and unauthenticated users to access AWS resources using temporary AWS credentials.
Introduction to AWS Cognito Source: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
How to tell if an application is using Amazon Cognito? API calls to AWS Cognito API endpoint ● Yellow: API calls to user pool. ● Green: API calls to identity pool.
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user To generate the AWS credentials, we need to find Identity Pool ID which is usually hardcoded in the source code, in a bundled JS file or in HTTP response. Other useful information that you can find: ● Client ID ● User Pool ID ● Region Identity Pool ID Client ID User Pool ID Region
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Using Burpsuite, search for a variation of the following keywords in the HTTP history: Aws_cognito_identity_pool_id identityPoolId cognitoIdentityPoolId userPoolWebClientId userPoolId aws_user_pools_id These hardcoded IDs aren’t considered sensitive on their own!
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the Pool Identity ID to generate an Identity ID. Use AWS-Cli (https://github.com/aws/aws-cli) as follows: $ aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region <region>
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the previous Identity ID to generate AWS credentials. Use AWS Cli as follows: $ aws cognito-identity get-credentials-for-identity --identity-id <identity-id> --region <region>
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Now, we can enumerate permissions associated with these credentials using a tool such as: ● Enumerate-iam: https://github.com/andresriancho/enumerate-iam ● Scout Suite: https://github.com/nccgroup/ScoutSuite $ ./enumerate-iam.py --access-key <AccessKeyID> --secret-key <SecretKey> --session-token <SessionToken> Enumerated permissions
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user You could enumerate all sort of permissions that allows unauthenticated user to access AWS services: ● dynamodb.list_backups() ● dynamodb.list_tables() ● lambda.list_functions() ● s3.list_buckets() ● etc.
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials If the unauthenticated role is explicitly disabled. You’ll will receive similar error: NotAuthorizedException: Unauthenticated access is not supported for this identity pool.
Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 2. Try to fetch temporary AWS credentials using authenticated user Assuming unauthenticated user is disabled and you either can sign up or have access to an authenticated account. Observe the HTTP traffic upon successful authentication: Id_token is exchanged for temporary AWS credentials: ● AccessKeyId ● SecretKey ● SessionToken
Security misconfiguration #2: Authentication bypass due to enabled Signup API action Applications not offering user signup and only supporting administrative provision of accounts could be vulnerable as a result of not disabling signup API action. This includes admin login portals which implement AWS cognito allowing authentication bypass as a result.
Security misconfiguration #2: Authentication bypass due to enabled Signup API action Self-registration enabled by default when creating a new user pool
Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. $ aws cognito-idp sign-up --client-id <client-id> --username <email-address> --password <password> --region <region> Successful singup Failed signup
Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. AWSCognitoIdentityProviderService.SignUp
Security misconfiguration #2: Authentication bypass due to enabled Signup API action In case of a successful self-registration, a 6 digits confirmation code will be delivered to the attacker’s email address. $ aws cognito-idp confirm-sign-up --client-id <client-id> --username <email-address> --confirmation-code <confirmation-code> --region <region> You’ll need to confirm the account next.
Security misconfiguration #2: Authentication bypass due to enabled Signup API action You can also directly call the Cognito API endpoint as follows: AWSCognitoIdentityProviderService.ConfirmSignUp
Security misconfiguration #2: Authentication bypass due to enabled Signup API action Sometimes, you might successfully be able to signup and register an account but it doesn’t have any user group assigned. However, you will be able to obtain temporary AWS credentials which you can test against liberal permissions as we explained earlier.
Security misconfiguration #3: Privilege escalation through writable user attributes Attributes are pieces of information that help you identify individual users, such as name, email address, and phone number. A new user pool has a set of default standard attributes.
Security misconfiguration #3: Privilege escalation through writable user attributes You can also add custom attributes to your user pool definition in the AWS Management Console.
Security misconfiguration #3: Privilege escalation through writable user attributes Unless set as readable only, the new custom attribute permission is writable by default which allows the user to update its value.
Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes In order to test against this misconfiguration, you need to be authenticated then we’ll fetch the available user attributes using the generated access token (Check Authorization header). $ aws cognito-idp get-user --region <region> --access-token <access-token>
Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes
Security misconfiguration #3: Privilege escalation through writable user attributes AWSCognitoIdentityProviderService.GetUser 1. Fetching user attributes Look out for custom attributes such as: custom:isAdmin custom:userRole custom:isActive custom:isApproved custom:accessLevel
Security misconfiguration #3: Privilege escalation through writable user attributes 2. Updating user attributes $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="<attribute-name>", Value="<new-value>" AWSCognitoIdentityProviderService.UpdateUserAttributes
Security misconfiguration #3: Privilege escalation through writable user attributes
Security misconfiguration #4: Updating email attribute before verification There scenarios where the user isn’t allowed to update their email address due to both client and server-side security controls. However, by leveraging Cognito API, it might also be possible to bypass this restriction. $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="email", Value="<new-email-address>"
This is especially bad when verification isn’t required. If the email is relied upon for authorization and access control, this will result in horizontal and vertical privilege escalation. Security misconfiguration #4: Updating email attribute before verification
Even with email verification enabled, most applications will update the email attribute value to the new unverified email address. Security misconfiguration #4: Updating email attribute before verification
This is bad because the user will be still be able to login and obtain an authenticated access token using the unverified email address. Many application do not necessarily check if email_verified is set to True or False. Therefore, this would bypass any security controls that relies on email domain for authorization, hence privilege escalation. Security misconfiguration #4: Updating email attribute before verification
AWS has introduced a new security configuration to mitigate this issue, so if you have Keep original attribute value active when an update is pending explicitly enabled the email attribute will not be updated to the new email address until it is verified. This is a new security configuration that was only introduced after June 2022 which means a lot of applications might still be misconfigured. Security misconfiguration #4: Updating email attribute before verification
https://hackerone.com/reports/1342088 Security misconfiguration #4: Updating email attribute before verification
1. User victim email is: jack@domain.com 2. Updating email was not possible, but using Cognito API, researcher managed to update their email to Jack@domain.com Misconfigurations: ● Email attribute is writable so it’s possible to update it via Cognito API. ● Email attribute is case-sensitive which could have been set to insensitive from AWS console. 3. Attacker authenticates to Jack@domain.com Misconfigurations: ● email_verified attribute value wasn’t checked if it’s True. ● Keep original attribute value active when an update is pending wasn’t enabled. 4. Flickr normalizes Jack@domain.com email to jack@domain.com (victim) resulting in ATO. Security misconfiguration #4: Updating email attribute before verification
Recommendations for developers ● Remove sensitive details from server responses, including Cognito Identity Pool Id. ● Disable Signup on AWS Cognito if not required. ● Disable unauthenticated role if not required. ● Review IAM policy attached to the authenticated and unauthenticated role to ensure least privilege access. ● Evaluate all user attributes and disable writing permission if not necessary. ● Remember that the email attribute value may hold an unverified email address.
Thank you! Reach out on Twitter @yassineaboukir Or https://yassineaboukir.com

Recommandé

Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Amazon Web Services
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Amazon Web Services
 
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksDeep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Amazon Web Services
 
AWSM2C3.pptx
AWSM2C3.pptxAWSM2C3.pptx
AWSM2C3.pptx
RahulDange13
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
Amazon Web Services
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon Cognito
Amazon Web Services
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
AWS User Group Kochi
 

Recommandé

Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Amazon Web Services
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Amazon Web Services
 
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksDeep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Amazon Web Services
 
AWSM2C3.pptx
AWSM2C3.pptxAWSM2C3.pptx
AWSM2C3.pptx
RahulDange13
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
Amazon Web Services
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon Cognito
Amazon Web Services
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
AWS User Group Kochi
 
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Web Services
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...
Amazon Web Services
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Amazon Web Services
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon Web Services
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and Authorisation
Amazon Web Services
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
ijtsrd
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Amazon Web Services
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
Vladimir Budilov
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Amazon Web Services
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
Amazon Web Services
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Amazon Web Services
 
Certification authority
Certification authorityCertification authority
Certification authority
proser tech
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
Rubersy Ramos García
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Web Services
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Amazon Web Services
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
AshKhan85
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Zilliz
 

Contenu connexe

Similaire à NahamConEU2022.pdf

Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Web Services
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon Web Services
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
ijtsrd
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
Vladimir Budilov
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
Amazon Web Services
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Web Services
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
AshKhan85
 

Similaire à NahamConEU2022.pdf (20)

[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
 
Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
 
Serverless Authentication and Authorisation
Serverless Authentication and AuthorisationServerless Authentication and Authorisation
Serverless Authentication and Authorisation
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
 
Certification authority
Certification authorityCertification authority
Certification authority
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Dernier (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

NahamConEU2022.pdf

  • 1. Hunting For AWS Cognito Security Misconfigurations Yassine Aboukir (@yassineaboukir)
  • 2. Introduction Yassine Aboukir (@yassineaboukir) ● Application security consultant. ● Pentester at HackerOne. ● Bug Bounties (since 2014): HackerOne Top 20, H1-303 MVH & 1st place. ● ex- HackerOne Triage (2017 - 2019). ● Digital nomad (5 years & Over 40 countries).
  • 3. Introduction to AWS Cognito With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web and mobile applications. Amazon Cognito provides an identity store that scales to millions of users, supports social and enterprise identity federation, and offers advanced security features to protect your consumers and business. Source: https://aws.amazon.com/cognito/
  • 4. Introduction to AWS Cognito Amazon Cognito makes it easier for you to manage user identities, authentication, and permissions. It consists of two main components: ● User Pools: allow sign-in and sign-up functionality. ● Identity Pools: allow authenticated and unauthenticated users to access AWS resources using temporary AWS credentials.
  • 5. Introduction to AWS Cognito Source: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
  • 6. How to tell if an application is using Amazon Cognito? API calls to AWS Cognito API endpoint ● Yellow: API calls to user pool. ● Green: API calls to identity pool.
  • 7. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user To generate the AWS credentials, we need to find Identity Pool ID which is usually hardcoded in the source code, in a bundled JS file or in HTTP response. Other useful information that you can find: ● Client ID ● User Pool ID ● Region Identity Pool ID Client ID User Pool ID Region
  • 8. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Using Burpsuite, search for a variation of the following keywords in the HTTP history: Aws_cognito_identity_pool_id identityPoolId cognitoIdentityPoolId userPoolWebClientId userPoolId aws_user_pools_id These hardcoded IDs aren’t considered sensitive on their own!
  • 9. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the Pool Identity ID to generate an Identity ID. Use AWS-Cli (https://github.com/aws/aws-cli) as follows: $ aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region <region>
  • 10. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Next step is to use the previous Identity ID to generate AWS credentials. Use AWS Cli as follows: $ aws cognito-identity get-credentials-for-identity --identity-id <identity-id> --region <region>
  • 11. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user Now, we can enumerate permissions associated with these credentials using a tool such as: ● Enumerate-iam: https://github.com/andresriancho/enumerate-iam ● Scout Suite: https://github.com/nccgroup/ScoutSuite $ ./enumerate-iam.py --access-key <AccessKeyID> --secret-key <SecretKey> --session-token <SessionToken> Enumerated permissions
  • 12. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 1. Try to fetch temporary AWS credentials using unauthenticated user You could enumerate all sort of permissions that allows unauthenticated user to access AWS services: ● dynamodb.list_backups() ● dynamodb.list_tables() ● lambda.list_functions() ● s3.list_buckets() ● etc.
  • 13. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials If the unauthenticated role is explicitly disabled. You’ll will receive similar error: NotAuthorizedException: Unauthenticated access is not supported for this identity pool.
  • 14. Security misconfiguration #1: Unauthorized access to AWS services due to Liberal AWS Credentials 2. Try to fetch temporary AWS credentials using authenticated user Assuming unauthenticated user is disabled and you either can sign up or have access to an authenticated account. Observe the HTTP traffic upon successful authentication: Id_token is exchanged for temporary AWS credentials: ● AccessKeyId ● SecretKey ● SessionToken
  • 15. Security misconfiguration #2: Authentication bypass due to enabled Signup API action Applications not offering user signup and only supporting administrative provision of accounts could be vulnerable as a result of not disabling signup API action. This includes admin login portals which implement AWS cognito allowing authentication bypass as a result.
  • 16. Security misconfiguration #2: Authentication bypass due to enabled Signup API action Self-registration enabled by default when creating a new user pool
  • 17. Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. $ aws cognito-idp sign-up --client-id <client-id> --username <email-address> --password <password> --region <region> Successful singup Failed signup
  • 18. Security misconfiguration #2: Authentication bypass due to enabled Signup API action We only need the client ID and region to test against the self-registration. AWSCognitoIdentityProviderService.SignUp
  • 19. Security misconfiguration #2: Authentication bypass due to enabled Signup API action In case of a successful self-registration, a 6 digits confirmation code will be delivered to the attacker’s email address. $ aws cognito-idp confirm-sign-up --client-id <client-id> --username <email-address> --confirmation-code <confirmation-code> --region <region> You’ll need to confirm the account next.
  • 20. Security misconfiguration #2: Authentication bypass due to enabled Signup API action You can also directly call the Cognito API endpoint as follows: AWSCognitoIdentityProviderService.ConfirmSignUp
  • 21. Security misconfiguration #2: Authentication bypass due to enabled Signup API action Sometimes, you might successfully be able to signup and register an account but it doesn’t have any user group assigned. However, you will be able to obtain temporary AWS credentials which you can test against liberal permissions as we explained earlier.
  • 22. Security misconfiguration #3: Privilege escalation through writable user attributes Attributes are pieces of information that help you identify individual users, such as name, email address, and phone number. A new user pool has a set of default standard attributes.
  • 23. Security misconfiguration #3: Privilege escalation through writable user attributes You can also add custom attributes to your user pool definition in the AWS Management Console.
  • 24. Security misconfiguration #3: Privilege escalation through writable user attributes Unless set as readable only, the new custom attribute permission is writable by default which allows the user to update its value.
  • 25. Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes In order to test against this misconfiguration, you need to be authenticated then we’ll fetch the available user attributes using the generated access token (Check Authorization header). $ aws cognito-idp get-user --region <region> --access-token <access-token>
  • 26. Security misconfiguration #3: Privilege escalation through writable user attributes 1. Fetching user attributes
  • 27. Security misconfiguration #3: Privilege escalation through writable user attributes AWSCognitoIdentityProviderService.GetUser 1. Fetching user attributes Look out for custom attributes such as: custom:isAdmin custom:userRole custom:isActive custom:isApproved custom:accessLevel
  • 28. Security misconfiguration #3: Privilege escalation through writable user attributes 2. Updating user attributes $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="<attribute-name>", Value="<new-value>" AWSCognitoIdentityProviderService.UpdateUserAttributes
  • 29. Security misconfiguration #3: Privilege escalation through writable user attributes
  • 30. Security misconfiguration #4: Updating email attribute before verification There scenarios where the user isn’t allowed to update their email address due to both client and server-side security controls. However, by leveraging Cognito API, it might also be possible to bypass this restriction. $ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name="email", Value="<new-email-address>"
  • 31. This is especially bad when verification isn’t required. If the email is relied upon for authorization and access control, this will result in horizontal and vertical privilege escalation. Security misconfiguration #4: Updating email attribute before verification
  • 32. Even with email verification enabled, most applications will update the email attribute value to the new unverified email address. Security misconfiguration #4: Updating email attribute before verification
  • 33. This is bad because the user will be still be able to login and obtain an authenticated access token using the unverified email address. Many application do not necessarily check if email_verified is set to True or False. Therefore, this would bypass any security controls that relies on email domain for authorization, hence privilege escalation. Security misconfiguration #4: Updating email attribute before verification
  • 34. AWS has introduced a new security configuration to mitigate this issue, so if you have Keep original attribute value active when an update is pending explicitly enabled the email attribute will not be updated to the new email address until it is verified. This is a new security configuration that was only introduced after June 2022 which means a lot of applications might still be misconfigured. Security misconfiguration #4: Updating email attribute before verification
  • 35. https://hackerone.com/reports/1342088 Security misconfiguration #4: Updating email attribute before verification
  • 36. 1. User victim email is: jack@domain.com 2. Updating email was not possible, but using Cognito API, researcher managed to update their email to Jack@domain.com Misconfigurations: ● Email attribute is writable so it’s possible to update it via Cognito API. ● Email attribute is case-sensitive which could have been set to insensitive from AWS console. 3. Attacker authenticates to Jack@domain.com Misconfigurations: ● email_verified attribute value wasn’t checked if it’s True. ● Keep original attribute value active when an update is pending wasn’t enabled. 4. Flickr normalizes Jack@domain.com email to jack@domain.com (victim) resulting in ATO. Security misconfiguration #4: Updating email attribute before verification
  • 37. Recommendations for developers ● Remove sensitive details from server responses, including Cognito Identity Pool Id. ● Disable Signup on AWS Cognito if not required. ● Disable unauthenticated role if not required. ● Review IAM policy attached to the authenticated and unauthenticated role to ensure least privilege access. ● Evaluate all user attributes and disable writing permission if not necessary. ● Remember that the email attribute value may hold an unverified email address.
  • 38. Thank you! Reach out on Twitter @yassineaboukir Or https://yassineaboukir.com