AWS - Cognito Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Unauthenticated Cognito

Cognito is an AWS service that enable developers to grant their app users access to AWS services. Developers will grant IAM roles to authenticated users in their app (potentially people willbe able to just sign up) and they can also grant an IAM role to unauthenticated users.

For basic info about Cognito check:

pageAWS - Cognito Enum

Pacu modules for pentesting and enumeration

Pacu, the AWS exploitation framework, now includes the "cognito__enum" and "cognito__attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.

For a description of the modules' functions see part 2 of the blog post. For installation instructions see the main Pacu page.

Usage

Sample cognito__attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:

Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools 
us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 
59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX

Sample cognito__enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account:

Pacu (new:test) > run cognito__enum

Identity Pool ID

Identity Pools can grant IAM roles to unauthenticated users that just know the Identity Pool ID (which is fairly common to find), and attacker with this info could try to access that IAM role and exploit it. Moreoever, IAM roles could also be assigned to authenticated users that access the Identity Pool. If an attacker can register a user or already has access to the identity provider used in the identity pool you could access to the IAM role being given to authenticated users and abuse its privileges.

Check how to do that here.

User Pool ID

By default Cognito allows to register new user. Being able to register a user might give you access to the underlaying application or to the authenticated IAM access role of an Identity Pool that is accepting as identity provider the Cognito User Pool. Check how to do that here.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Cloudfront Unauthenticated Enum NextAWS - CodeBuild Unauthenticated Access

Last updated 2 months ago