Summary
While working through the vulnerable_cognito scenario, I discovered an unintended privilege escalation path.
Any authenticated and confirmed user can access the /admin.html page and get the Identity Pool STS credentials without needing to exploit the intended Cognito attribute‑escalation vulnerability.
This bypasses the intended learning flow described in the README and cheat sheet, where the user must first update a custom Cognito attribute (custom:access=reader) to request Identity Pool STS credentials.
In practice, the admin endpoint does not validate these attributes at all, and every authenticated user receives the same Cognito Identity Pool credentials and IAM role.
This effectively collapses the scenario from two misconfigurations down to only one.
Environment
- CloudGoat version: 2.3.0
- Scenario:
vulnerable_cognito
- Region: us-east-1
- User: freshly created Cognito user with no custom admin attributes set
Steps to Reproduce (Unintended Path)
- Deploy
vulnerable_cognito via CloudGoat as instructed.
- Sign up and confirm via AWS CLI to bypass the client-side restrictions.
aws cognito-idp sign-up --client-id [Client-Id] --username [test_emaill_id] --password [password] --region us-east-1 --user-attributes '[{"Name": "given_name", "Value": "John"}, {"Name": "family_name", "Value": "Doe"}]'
aws cognito-idp confirm-sign-up --client-id [Client-Id] --username [test_email_id] --confirmation-code [Code] --region us-east-1
- Log in via the UI. We are directed to
/reader.html. Navigate to /admin.html page.
- Open Dev Tools -> Network. Refresh the admin page to see all network requests.
- Observe that:
- The admin endpoint is accessible without any admin attributes.
- The response (from
aws-sdk.js XHR request) contains AWS STS credentials, including:
AccessKeyIdSecretAccessKeySessionToken
- Export them to AWS CLI.
- Enumerate AWS permissions associated with the obtained credentials via Pacu (
iam__bruteforce_permissions module)
- These permissions match the exact same role granted through the intended admin path.
ID token on the /reader.html page.
Decoding the ID token found on ./reader.html to confirm access level is reader.
Response from aws-sdk.js XHR network request shows the STS credentials and session token.
Pacu shows identical permissions, both for intended path creds and for unintended path creds.
Summary
While working through the
vulnerable_cognitoscenario, I discovered an unintended privilege escalation path.Any authenticated and confirmed user can access the /admin.html page and get the Identity Pool STS credentials without needing to exploit the intended Cognito attribute‑escalation vulnerability.
This bypasses the intended learning flow described in the README and cheat sheet, where the user must first update a custom Cognito attribute (
custom:access=reader) to request Identity Pool STS credentials.In practice, the admin endpoint does not validate these attributes at all, and every authenticated user receives the same Cognito Identity Pool credentials and IAM role.
This effectively collapses the scenario from two misconfigurations down to only one.
Environment
vulnerable_cognitoSteps to Reproduce (Unintended Path)
vulnerable_cognitovia CloudGoat as instructed.aws cognito-idp sign-up --client-id [Client-Id] --username [test_emaill_id] --password [password] --region us-east-1 --user-attributes '[{"Name": "given_name", "Value": "John"}, {"Name": "family_name", "Value": "Doe"}]'aws cognito-idp confirm-sign-up --client-id [Client-Id] --username [test_email_id] --confirmation-code [Code] --region us-east-1/reader.html. Navigate to/admin.htmlpage.aws-sdk.jsXHR request) contains AWS STS credentials, including:AccessKeyIdSecretAccessKeySessionTokeniam__bruteforce_permissionsmodule)ID token on the
/reader.htmlpage.Decoding the ID token found on
./reader.htmlto confirm access level isreader.Response from aws-sdk.js XHR network request shows the STS credentials and session token.
Pacu shows identical permissions, both for intended path creds and for unintended path creds.