AWS - Cognito Enum
Cognito
Amazon Cognito is utilized for authentication, authorization, and user management in web and mobile applications. It allows users the flexibility to sign in either directly using a user name and password or indirectly through a third party, including Facebook, Amazon, Google, or Apple.
Central to Amazon Cognito are two primary components:
User Pools: These are directories designed for your app users, offering sign-up and sign-in functionalities.
Identity Pools: These pools are instrumental in authorizing users to access different AWS services. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication.
User pools
To learn what a Cognito User Pool is, check:
Cognito User Pools
Identity pools
To learn what a Cognito Identity Pool is, check:
Cognito Identity Pools
Enumeration
Identity Pools - Unauthenticated Enumeration
Just knowing the Identity Pool ID you might be able to get credentials for the role associated with unauthenticated users (if any). Check how here.
User Pools - Unauthenticated Enumeration
Even if you don't know a valid username inside Cognito, you might be able to enumerate valid usernames, brute-force their passwords or even register a new user just knowing the App client ID (which is usually found in the application's source code). Check how here.
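The settings that make both enumeration paths above possible (guest access on an identity pool; self sign-up, user-existence errors and the plaintext password flow on a user pool client) can be audited from the defender's side. This is an added example, not code from the original page; the audit functions take the raw describe-* API responses as dicts so they run offline, and only fetch_findings() assumes boto3 is installed with AWS credentials configured.

```python
"""Audit the Cognito settings behind unauthenticated identity/user pool enumeration.
audit_* take the raw API response dicts (offline); fetch_findings() pulls them live
via boto3 (assumed installed, credentials configured)."""


def audit_identity_pool(pool):
    """pool: response dict of cognito-identity DescribeIdentityPool."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities", False):
        # With guest access on, holding the pool ID is enough to obtain the
        # unauthenticated role's credentials via GetId/GetCredentialsForIdentity.
        findings.append("identity pool grants credentials to unauthenticated identities; "
                        "review the unauth role policy or disable guest access")
    return findings


def audit_user_pool_client(pool, client):
    """pool: DescribeUserPool['UserPool']; client: DescribeUserPoolClient['UserPoolClient']."""
    findings = []
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("self sign-up enabled: the app client ID alone allows SignUp")
    # A missing key means LEGACY (the API default), where distinct UserNotFound
    # errors tell a caller whether a username exists.
    if client.get("PreventUserExistenceErrors", "LEGACY") != "ENABLED":
        findings.append("PreventUserExistenceErrors is LEGACY: auth errors reveal whether a username exists")
    if "ALLOW_USER_PASSWORD_AUTH" in client.get("ExplicitAuthFlows", []):
        findings.append("USER_PASSWORD_AUTH flow enabled: password guessing possible via InitiateAuth")
    return findings


def fetch_findings(region, identity_pool_id=None, user_pool_id=None, client_id=None):
    """Pull the live configuration with boto3 and run both audits (needs AWS credentials)."""
    import boto3  # imported lazily so the offline audit functions need no SDK
    findings = []
    if identity_pool_id:
        ci = boto3.client("cognito-identity", region_name=region)
        findings += audit_identity_pool(ci.describe_identity_pool(IdentityPoolId=identity_pool_id))
    if user_pool_id and client_id:
        idp = boto3.client("cognito-idp", region_name=region)
        pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
        client = idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
        findings += audit_user_pool_client(pool, client)
    return findings


if __name__ == "__main__":
    # Constructed sample responses (not from a real account) for a weakly configured pool.
    weak = audit_user_pool_client({"AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}},
                                  {"ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH"]})
    for f in weak:
        print("FINDING:", f)
```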
Privesc
AWS - Cognito Privesc
Unauthenticated Access
AWS - Cognito Unauthenticated Enum
Persistence
AWS - Cognito Persistence