
Feature/update cognito attack #406

Conversation

EduardSchwarzkopf
Contributor

Summary

I've encountered an issue in the cognito__attack module of the Pacu framework — when attempting to exploit the vulnerable_cognito user pool, the script requests the familyName and givenName attributes repeatedly without progressing.

Upon running the cognito__attack, the module falls into a loop, asking for the name.familyName and name.givenName even after supplying the correct values. Additionally, it gives an error saying "Username should be an email," suggesting a deeper issue with how user attributes are handled.

It turns out the expected attribute keys should be family_name and given_name, not familyName and givenName.

Example code:

run cognito__attack --username [email protected] --email [email protected] --user_pool_clients 52077oo7e3h4fmklumdt4gn0ou@us-east-1_GUKqIkgg2
  Running module cognito__attack...
[cognito__attack] Attempting to sign up user in user pool client 52077oo7e3h4fmklumdt4gn0ou in region us-east-1 . . . 
[]
[email protected]
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: name.familyName
Please enter the value of the invalid parameter: Doe
[{'Name': 'email', 'Value': '[email protected]'}]
[email protected]
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: name.givenName
Please enter the value of the invalid parameter: John
[{'Name': 'email', 'Value': '[email protected]'}, {'Name': 'email', 'Value': '[email protected]'}]
[email protected]
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: username

Changes

  • added user_attributes parameter and logic
  • updated logic to handle the described issue
  • flake8 updates

Additional Notes

I have not seen any test that I could provide so I didn't. All of my manual testing was OK, but this needs to be tested by somebody else as well.
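As an added illustration (not code from Pacu or from this PR), the two attribute-handling defects visible in the session above, the schema path name.familyName versus the SignUp key family_name and an email entry that is appended again on every retry, modelled as a small attribute builder with the checks that keep a non-string value from reaching boto3. The schema-path-to-key map is inferred from the quoted error text and is an assumption, as is the sample address.

```python
"""Build a Cognito SignUp UserAttributes list the way boto3 expects it.

Added example, not Pacu code. Models the defects seen in the PR thread:
the 'email' entry duplicated on each retry and a boolean False reaching
UserAttributes[0].Value, which boto3 rejects because it only accepts str.
"""
import re

# Cognito's InvalidParameterException names missing attributes by schema
# path (name.givenName), while SignUp expects the standard attribute key
# (given_name). Mapping assumed from the error text quoted in the thread.
SCHEMA_PATH_TO_ATTR = {
    "name.givenName": "given_name",
    "name.familyName": "family_name",
}

_REQUIRED_RE = re.compile(r"The attribute (\S+) is required")

# Constructed sample, copied from the error shape shown in the PR description.
SAMPLE_ERROR = (
    "Attributes did not conform to the schema: name.givenName: The attribute "
    "name.givenName is required, name.familyName: The attribute "
    "name.familyName is required"
)


def required_attrs_from_error(message):
    """Return the required attributes named in a schema error, as SignUp keys."""
    paths = _REQUIRED_RE.findall(message)
    return [SCHEMA_PATH_TO_ATTR.get(p, p) for p in paths]


def build_user_attributes(email, extra=None):
    """Return [{'Name': ..., 'Value': ...}] with unique names and str values.

    Merging through a dict keeps one entry per attribute name, so a retry
    cannot add a second 'email' item. A non-string or empty value raises
    here instead of failing later inside boto3 parameter validation.
    """
    merged = {"email": email}
    merged.update(extra or {})
    attrs = []
    for name, value in merged.items():
        if not isinstance(value, str) or not value:
            raise ValueError(f"attribute {name!r} must be a non-empty str, got {value!r}")
        attrs.append({"Name": name, "Value": value})
    return attrs
```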

@davidkutz-marks
Contributor

davidkutz-marks commented Mar 15, 2024

Thanks for the PR, Eduard! It is indeed clear that some change outside the Cognito main.py, whether in Pacu itself, Pacu dependencies, Cloudgoat, AWS code, or boto3, has resulted in duplicative "email" attributes when attempting to specify a username after beginning with "email" instead. I will work on fixing that now.

As far as your PR, I am running into the following error when beginning with "username" for vulnerable_cognito. The error does not occur in the Rhino master branch, where everything works fine. Here's the error. Could you take a look? In the meantime I will fix the "email" duplication/username issue.

Error:

My input:

run cognito__attack --username [email protected] --identity_pools us-east-1:REDACTED --user_pool_clients REDACTED@us-east-1_REDACTED

Your PR tree's response:

eu-south-2
us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack] NotAuthorizedException
[cognito__attack] Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client REDACTED in region us-east-1 . . .
[]
False
User attributes specified.
Error signing up user [email protected]: Parameter validation failed:
Invalid type for parameter UserAttributes[0].Value, value: False, type: <class 'bool'>, valid types: <class 'str'>
List all custom attributes for all users in all user pools (y/n)?

@EduardSchwarzkopf
Contributor Author

EduardSchwarzkopf commented Mar 16, 2024

@davidkutz-marks I've updated the code. The duplication of the email attribute is also fixed with this.
I've also reverted my changes to the master branch and simplified the code since the correct attributes are now presented to the user.

I've encountered another issue when you don't specify a username in the run command, but later in the input. I will create an issue for this sometime later in a PR.

EDIT:
issue - #412

@DaveYesland DaveYesland merged commit 8544ac5 into RhinoSecurityLabs:master Mar 22, 2024
3 checks passed
@EduardSchwarzkopf EduardSchwarzkopf deleted the feature/update-cognito__attack branch March 23, 2024 05:52