EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

Amazon Cognito subdomain takeover #358

Open Snoarlax opened 1 year ago

Snoarlax commented 1 year ago

Service name

Amazon Cognito

Proof

  1. Find a domain of the form "*.auth..amazoncognito.com" referenced in some app where it NXDOMAINs when resolved.
  2. Create a Cognito user pool on any AWS account. Make sure the user pool is in the same region as the region specified in the previous domain name.
  3. Under "App integration", create a Cognito domain with the same subdomain as the vulnerable domain.

Documentation

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html "Setting up the hosted UI with the Amazon Cognito console"
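Added example, not code from the issue or the repo: a defender-side check for the precondition in step 1, flagging app-referenced `<prefix>.auth.<region>.amazoncognito.com` names that no longer resolve. The regex, function names and sample hostnames are assumptions of mine; the resolver is injectable so the check runs offline against a constructed stub.

```python
import re
import socket
from typing import Callable, Iterable

# Hosted-UI prefix domains look like <prefix>.auth.<region>.amazoncognito.com
COGNITO_HOSTED_UI = re.compile(
    r"^(?P<prefix>[a-z0-9-]+)\.auth\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazoncognito\.com$"
)

def parse_cognito_host(host: str):
    """Return (prefix, region) if host is a Cognito hosted-UI name, else None."""
    m = COGNITO_HOSTED_UI.match(host.strip().rstrip(".").lower())
    return (m.group("prefix"), m.group("region")) if m else None

def resolves(host: str) -> bool:
    """True if the name resolves to any address; NXDOMAIN (gaierror) gives False."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cognito(hosts: Iterable[str],
                          resolve: Callable[[str], bool] = resolves):
    """Return [(host, region)] for Cognito hosted-UI names that no longer resolve.
    `resolve` is injectable so the check can run offline against a stub."""
    dangling = []
    for host in hosts:
        parsed = parse_cognito_host(host)
        if parsed is None:
            continue  # not a Cognito hosted-UI domain, out of scope here
        if not resolve(host):
            dangling.append((host.strip().rstrip(".").lower(), parsed[1]))
    return dangling

# Constructed sample input standing in for hostnames pulled from an app's config.
SAMPLE_HOSTS = [
    "legacy-login.auth.us-east-1.amazoncognito.com",   # stale: pool was deleted
    "current-login.auth.eu-west-1.amazoncognito.com",  # still live
    "cdn.example.com",                                  # unrelated host
]
# Constructed stub resolver: only this name "resolves" in the offline run.
STUB_LIVE = {"current-login.auth.eu-west-1.amazoncognito.com"}

if __name__ == "__main__":
    for host, region in find_dangling_cognito(SAMPLE_HOSTS, lambda h: h in STUB_LIVE):
        print(f"DANGLING {host} ({region}): remove the reference or reclaim the prefix")
```

Run it with the default resolver against your own inventory to turn the stub into a real DNS check; any hit is a reference to remove or a prefix to re-register in the right region before someone else does.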

Snoarlax commented 1 year ago

There are limitations: If we want to host a login page on the "*..amazoncognito.com" subdomain, we have to use the amazon hosted UI.

This is problematic from the perspective of the attacker, as we cannot run arbitrary JavaScript on the page. We can configure the redirect URL, so it does have some potential impact for something along the lines of a phishing vector. I have not tested whether we can extract passwords submitted to this form using a Lambda, however.

I'd be keen on hearing your thoughts on whether this constitutes a valid subdomain takeover vector.

pdelteil commented 1 month ago

I don't think it's possible to perform a takeover since to delete the user pool it's required to remove custom domains.

Also, a cloudfront.net domain is used as an alias, working as an intermediate domain between the Cognito custom domain and the user/company custom domain.