Closed EduardSchwarzkopf closed 5 months ago
Thanks for the PR, Eduard! It is indeed clear that some change outside the Cognito main.py, whether in Pacu itself, Pacu dependencies, Cloudgoat, AWS code, or boto3, has resulted in duplicative "email" attributes when attempting to specify a username after beginning with "email" instead. I will work on fixing that now.
As far as your PR, I am running into the following error when beginning with "username" for vulnerable_cognito. The error does not occur in the Rhino master branch, where everything works fine. Here's the error. Could you take a look? In the meantime I will fix the "email" duplication/username issue.
Error:
My input:
run cognito__attack --username REDACTED+92@gmail.com --identity_pools us-east-1:REDACTED --user_pool_clients REDACTED@us-east-1_REDACTED
Your PR tree's response:
eu-south-2
us-east-1
Continue? (y/n) y
[cognitoattack] Attempting unauthenticated retrieval of identity Id credentials
[cognitoattack] NotAuthorizedException
[cognitoattack] Skipping identity pool enumeration...
[cognitoattack] Attempting to sign up user in user pool client REDACTED in region us-east-1 . . .
[] False
User attributes specified.
Error signing up user REDACTED+92@gmail.com: Parameter validation failed: Invalid type for parameter UserAttributes[0].Value, value: False, type: <class 'bool'>, valid types: <class 'str'>
List all custom attributes for all users in all user pools (y/n)?
@davidkutz-marks I've updated the code. The duplication of the email attribute is also fixed with this. I've also reverted my changes to the master branch and simplified the code since the correct attributes are now presented to the user.
I've encountered another issue when you don't specify a username in the run command, but later in the input. I will create an issue for this sometime later in a PR.
EDIT: issue - https://github.com/RhinoSecurityLabs/pacu/issues/412
Summary
I've encountered an issue in the cognito__attack module of the Pacu framework — when attempting to exploit the vulnerable_cognito user pool, the script requests the familyName and givenName attributes repeatedly without progressing.
Upon running the cognito__attack, the module falls into a loop, asking for the name.familyName and name.givenName even after supplying the correct values. Additionally, it gives an error saying "Username should be an email," suggesting a deeper issue with how user attributes are handled.
It turns out the expected attribute keys should be family_name and given_name, not familyName and givenName.
Example code:
Changes
Additional Notes
I have not seen any test that I could provide so I didn't. All of my manual testing was OK, but this needs to be tested by somebody else as well.
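The two failures discussed in this thread (a non-string `UserAttributes` value rejected by boto3, and camelCase names where Cognito expects `family_name` / `given_name`) can be caught before the `sign_up` call. The following is an added example, not code from this PR or from Pacu; the function names `to_cognito_name` and `build_user_attributes` are hypothetical and the sample inputs are constructed.

```python
import re

# Cognito standard attributes use OIDC claim names (snake_case).
STANDARD_ATTRS = {
    "address", "birthdate", "email", "family_name", "gender", "given_name",
    "locale", "middle_name", "name", "nickname", "phone_number", "picture",
    "preferred_username", "profile", "updated_at", "website", "zoneinfo",
}


def to_cognito_name(raw):
    """Map 'name.familyName' or 'givenName' to 'family_name' / 'given_name'."""
    if raw.startswith("custom:"):
        return raw  # custom attributes are passed through unchanged
    leaf = raw.split(".")[-1]  # drop a 'name.' style prefix
    snake = re.sub(r"(?<=[a-z0-9])([A-Z])", r"_\1", leaf).lower()
    if snake not in STANDARD_ATTRS:
        raise ValueError(f"unknown Cognito attribute: {raw!r}")
    return snake


def build_user_attributes(pairs):
    """Build the UserAttributes list for sign_up from (name, value) pairs.

    Rejects non-string values up front (boto3 would fail parameter validation
    on a bool such as False) and keeps one entry per attribute name, so a
    repeated 'email' cannot appear twice; the last value supplied wins.
    """
    merged = {}
    for raw_name, value in pairs:
        name = to_cognito_name(raw_name)
        if not isinstance(value, str) or not value:
            raise TypeError(f"{name}: value must be a non-empty str, got {value!r}")
        merged[name] = value
    return [{"Name": n, "Value": v} for n, v in merged.items()]


if __name__ == "__main__":
    # Constructed sample input: mixed naming styles and a duplicated email.
    sample = [
        ("email", "first@example.com"),
        ("name.familyName", "Doe"),
        ("givenName", "Jo"),
        ("email", "second@example.com"),
    ]
    print(build_user_attributes(sample))
```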