vulnerable_cognito: Admin page exposes Identity Pool STS credentials to any authenticated user (unintended privilege escalation path)

[Ojasveer955]

Summary

While working through the vulnerable_cognito scenario, I discovered an unintended privilege escalation path.

Any authenticated and confirmed user can access the /admin.html page and get the Identity Pool STS credentials without needing to exploit the intended Cognito attribute‑escalation vulnerability.

This bypasses the intended learning flow described in the README and cheat sheet, where the user must first update a custom Cognito attribute (custom:access=reader) to request Identity Pool STS credentials.

In practice, the admin endpoint does not validate these attributes at all, and every authenticated user receives the same Cognito Identity Pool credentials and IAM role.

This effectively collapses the scenario from two misconfigurations down to only one.

---

Environment

• CloudGoat version: 2.3.0
• Scenario: vulnerable_cognito
• Region: us-east-1
• User: freshly created Cognito user with no custom admin attributes set

---

Steps to Reproduce (Unintended Path)

1. Deploy vulnerable_cognito via CloudGoat as instructed.
2. Sign up and confirm via AWS CLI to bypass the client-side restrictions.

aws cognito-idp sign-up --client-id [Client-Id] --username [test_emaill_id] --password [password] --region us-east-1 --user-attributes '[{"Name": "given_name", "Value": "John"}, {"Name": "family_name", "Value": "Doe"}]'

aws cognito-idp confirm-sign-up --client-id [Client-Id] --username [test_email_id] --confirmation-code [Code] --region us-east-1

3. Log in via the UI. We are directed to /reader.html. Navigate to /admin.html page.
4. Open Dev Tools -> Network. Refresh the admin page to see all network requests.
5. Observe that:

• The admin endpoint is accessible without any admin attributes.
• The response (from aws-sdk.js XHR request) contains AWS STS credentials, including:
  • AccessKeyId
  • SecretAccessKey
  • SessionToken

6. Export them to AWS CLI.
7. Enumerate AWS permissions associated with the obtained credentials via Pacu (iam__bruteforce_permissions module)
8. These permissions match the exact same role granted through the intended admin path.

ID token on the /reader.html page.

Decoding the ID token found on ./reader.html to confirm access level is reader.

Response from aws-sdk.js XHR network request shows the STS credentials and session token.

Pacu shows identical permissions, both for intended path creds and for unintended path creds.