💻
💻
💻
💻
cheat-sheets
Search…
Application Security Cheat Sheet
Android Application
Overview
Intent Vulnerabilities
WebView Vulnerabilities
Cloud
AWS
Amazon API Gateway
Amazon Cognito
Amazon S3
Container
Overview
Escaping
Container Analysis Tools
Framework
Spring
React
Linux
Overview
Bash Tips
iOS Application
Overview
Getting Started
Resources
Lists
Researching
Software
Training
Web Application
Abusing HTTP hop-by-hop Request Headers
Broken Authentication
Command Injection
Content Security Policy
Cookie Security
CORS Misconfiguration
File Upload Vulnerabilities
GraphQL Vulnerabilities
HTML Injection
HTTP Header Security
HTTP Request Smuggling
Improper Rate Limits
JavaScript Prototype Pollution
JSON Web Token Vulnerabilities
OAuth 2.0 Vulnerabilities
Race Condition
Server Side Request Forgery
Web Cache Poisoning
Powered By GitBook
Amazon Cognito

Amazon Cognito overview

Amazon Cognito provides authentication, authorization, and user management for customer's web and mobile applications. Users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google, Apple, or enterprise identity providers via SAML 2.0 and OpenID Connect.
The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for application users. Identity pools enable developers to grant users access to other AWS services.
What is Amazon Cognito? - Amazon Cognito
Amazon Cognito

How does Amazon Cognito work?

  1. 1.
    An user signs in through a user pool and receives user pool tokens (JWT tokens) after a successful authentication
  2. 2.
    An application exchanges the user pool tokens for AWS credentials through an identity pool
  3. 3.
    The user can use the AWS credentials to access other AWS services such as Amazon S3 or DynamoDB

Security issues

Leakage identity pool ID

Identity pool ID allows you to fetch temporary AWS credentials that may have extra AWS permissions. As a result, it may be possible to get unauthenticated access to sensitive AWS services.
Identity pool IDs can be stored client-side, for example within JavaScript, or returned in a response.
References:

Misconfigured user pool access

If an application allows writing user attributes of an internally used AWS user pool, it can be used to abuse the trust between the application and the pool. In other words, it is possible to change the attributes and issue the JWT token, that will be used by an application. For instance, if an application uses normalized emails (in lower case), you can change one letter in an email address to an upper-case equivalent and takeover an account.
References:

References

Previous
Amazon API Gateway
Next
Amazon S3
Last modified 4mo ago
Copy link
Outline
Amazon Cognito overview
How does Amazon Cognito work?
Security issues
Leakage identity pool ID
Misconfigured user pool access
References