-
Notifications
You must be signed in to change notification settings - Fork 702
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue 412 username overwrite #413
Issue 412 username overwrite #413
Conversation
Thanks again Eduard! Code looks good at a glance (only noticed that "response" is misspelled" resposne" on 409, 417 and 442) but there still seems to be some variation on the original username overwriting. Here's the error I get during testing, along with stacktrace pointing back to 442 (aws.authenticate_user()). Note that the error occurs for me whether I set the email value to the same as the username value or leave it blank. Tomorrow I'll make sure my identity pool and other details are same as before to ensure the error isn't on my end. Just wanted to reach out after finally getting to this PR! Pacu (052024:No Keys Set) > import_keys default Enter value for given_name: tester Enter value for family_name: mester [2024-05-07 18:17:57] Pacu encountered an error while running the previous command. Check [redacted]/052024/error_log.txt for technical details. [LOG LEVEL: MINIMAL]
File "[redacted]/052024/pacu/pacu/modules/cognito__attack/main.py", line 442, in main |
I encountered a little issue, where the user was already registered, but not confirmed yet. I've added the exception handling, so you can get a new token if you want to retry with the same user. As for your provided exception, I could not recreate it. > import_keys default
Imported keys as "imported-default"
Pacu (test:imported-default) > run cognito__attack --username random --email [email protected] --identity_pools us-east-1:[redacted] --user_pool_clients [redacted]@us-east-1_[redacted]
Running module cognito__attack...
Automatically targeting regions:
ap-northeast-1
eu-central-1
eu-north-1
eu-south-1
me-south-1
sa-east-1
us-east-2
us-gov-east-1
us-gov-west-1
us-west-1
ap-east-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-3
cn-north-1
eu-west-1
eu-west-3
il-central-1
af-south-1
ap-south-2
ap-southeast-2
ca-central-1
ca-west-1
cn-northwest-1
eu-central-2
eu-west-2
me-central-1
us-west-2
ap-southeast-4
eu-south-2
us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack] NotAuthorizedException
[cognito__attack] Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client [redacted] in region us-east-1 . . .
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: username
Please enter the value of the invalid parameter: [email protected]
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: given_name
Please enter the value of the invalid parameter: test
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: family_name
Please enter the value of the invalid parameter: test
Successfully signed up user [email protected].
Enter verification code for user [email protected] in user pool client [redacted]: 286306
Successfully verified user [email protected]
[cognito__attack] You're signed in as [email protected]!
[cognito__attack] Your access token is: [redacted]
[cognito__attack] Your ID token is: [redacted]
[cognito__attack] Your refresh token is: [redacted]
[cognito__attack] Your token type is: Bearer
Attempting authenticated retrieval of identity Id
Identity ID: {'IdentityId': 'us-east-1:[redacted]', 'ResponseMetadata': {'RequestId': 'c3e787c1-e195-47dc-98a3-d54caabe3375', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Thu, 09 May 2024 12:20:16 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '63', 'connection': 'keep-alive', 'x-amzn-requestid': 'c3e787c1-e195-47dc-98a3-d54caabe3375', 'strict-transport-security': 'max-age=31536000; includeSubDomains'}, 'RetryAttempts': 0}}
Attempting authenticated retrieval of temporary credentials
Access Key ID found.
[redacted]
Secret Key found.
[redacted]
Session Token found.
[redacted]
Expiration found.
2024-05-09 15:20:16+02:00
[cognito__attack] Temporary credentials retrieved!
[cognito__attack] {
"Region": "us-east-1",
"IdentityPoolId": "us-east-1:[redacted]",
"AccessKeyId": "[redacted]",
"SecretKey": "[redacted]",
"SessionToken": "[redacted]",
"Expiration": "2024-05-09 15:20:16+02:00"
}
Custom attribute(s) found! Changing these may lead to privilege escalation.
Changing basic attributes such as email may lead to account takeover if they are used to identify users.
Printing all current attributes:
[{'Name': 'email', 'Value': '[email protected]'}, {'Name': 'email_verified', 'Value': 'true'}, {'Name': 'family_name', 'Value': 'test'}, {'Name': 'given_name', 'Value': 'test'}, {'Name': 'custom:access', 'Value': 'reader'}, {'Name': 'sub', 'Value': '14e87468-70d1-70ac-e432-767ab21506ac'}] |
Running into what is probably a list/dictionary mixup now, naybe caused by the BaseClient addition you just made: Enter verification code for user [email protected] in user pool client 3lotnnp48p5t6ikj8r97lnb0dt: 010749 [2024-05-24 16:49:55] Pacu encountered an error while running the previous command. Check /root/.local/share/pacu/05242024/error_log.txt for technical details. [LOG LEVEL: MINIMAL]
Traceback (most recent call last): |
Will take a look |
alight, the problem was that the tokens were missing after a failed authentication attempt. I've added my function for this now and added an abort statement if the authentication fails. This can be because of use aborted the process or the function encountered any other issue. |
I was able to run through this with no errors will merge this. @davidkutz-marks if you want to double check that would be great. @EduardSchwarzkopf thanks for the fixes and work on this! |
This should cover the issue #412