OWASP 20th Anniversary - AWS (Mis)configuration from attacker’s eye-view

Transcript

1. Kavisha Sheth AWS (Mis)configuration from attacker’s eye-view

2. AWS (Mis)configuration from attacker’s eye-view About me • Security Analyst

   @Appsecco. • Listed as among top security researcher of the nation by NCIIPC. • Curious person • International speaker who talks around Cloud security , API security and Modern web-application.

3. AWS (Mis)configuration from attacker’s eye-view What’s all about? • AWS

   Cognito Misconfiguration. • S3 Misconfiguration that attackers love. • Misconfigured IAM Policy. • EC2 MIsconfigurations. • How HTML injections can help to get AWS credentials.

4. AWS (Mis)configuration from attacker’s eye-view AWS Cognito (Mis)configuration

5. AWS (Mis)configuration from attacker’s eye-view AWS Cognito working https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html

6. AWS (Mis)configuration from attacker’s eye-view User Pools & Federated Identity

   Pools https://serverless-stack.com/chapters/cognito-user-pool-vs-identity-pool.html 1. User authenticates against a user pool. 2. The user pool assigns 3 JWT tokens (Id, Access, and Refresh) to the user. 3. The ID JWT is passed to the identity pool in order to receive temporary AWS credentials with roles assigned to the identity provider. 4. The user can then make calls to AWS services based on their privileges. Amazon Cognito has authenticated and unauthenticated mode to generate AWS temporary credentials for users.

7. What are the possible attack vectors? • Misconfigured AWS Cognito

   Attributes. • Hardcoded Identity Pool ID. • AWS cognito misconfigured to allow sign up of new user. • Identity Pool ID present in HTTP response. • Liberal AWS permissions has been assigned. AWS (Mis)configuration from attacker’s eye-view

8. AWS (Mis)configuration from attacker’s eye-view Hardcoded Identity Pool ID Identity

   Pool Id getting disclosed in HTTP Response

9. How the disclosure of App Client ID, User Pool ID,

   Identity Pool ID, and Region information can help? How can I try to exploit? AWS (Mis)configuration from attacker’s eye-view

10. Try to fetch Temporary credential Using Python script Generate the

    temporary credentials through Boto3 script API call to look into HTTP request for to get IdentityID from IdentityPoolID API call: AWSCognitoIdentityService .GetCredentialsIdentity API call to look for in HTTP request to fetch temporary credentials after knowing IdentityID API call: AWSCognitoIdentityService.GetCred entialsIdentity Using Burpsuite A B AWS (Mis)configuration from attacker’s eye-view 1 2

11. AWS (Mis)configuration from attacker’s eye-view • Check if application exposed

    some functionalities unintentionally via AWS Cognito misconfiguration. for example, AppClientId disclosed. • Check if the confirmation email was sent to the attacker specified email along with the confirmation code. • Check if the user account can be confirmed from the token received on the registered email. • Check if Application validated a newly created user and returned access tokens. • Authenticated access and ID token. These values could be used to generate temporary AWS credentials for authenticated identities. What if access to unauthenticated identities was disabled ?

12. • Sensitive details present in server responses, including Cognito Identity

    Pool Id. • AWS cognito misconfigured to allow sign up of new user. • Providing the liberal AWS permissions and that allows an unauthenticated user to access sensitive AWS services. • Improper validation for Identity ID and allow to fetch temporary credentials What can go wrong ? AWS (Mis)configuration from attacker’s eye-view

13. AWS (Mis)configuration from attacker’s eye-view S3 (Mis)configuration

14. 1. Allowing public access to bucket. 2.Defining “Full control” access

    to Authenticated AWS Users group. 3.Defining Bucket with a “read access” policy. 4.Enabling “Write” access to the “Everyone” group. 5. Forgetting to encrypt your AWS resource. AWS (Mis)configuration from attacker’s eye-view

15. Finding S3 Bucket • Google search • Google dork •

    Shodan • Censys • Use discovery (OSINT) tools – Sublist3r and Amass • Bruteforce name • Shodan, Certificate Transparency Logs, Censys, numerous bucket finder scripts, GrayHat Warfare bucket search AWS (Mis)configuration from attacker’s eye-view

16. Publicly available Google Dork AWS (Mis)configuration from attacker’s eye-view

17. https://sonraisecurity.com/blog/misconfigured-aws-s3-bucket-leads-to-data-breach/ AWS (Mis)configuration from attacker’s eye-view

18. How (Mis)configured IAM Policy allows least privilege user to get

    admin level access? AWS (Mis)configuration from attacker’s eye-view

19. AWS (Mis)configuration from attacker’s eye-view Overly permissive user policies

20. Approach AWS (Mis)configuration from attacker’s eye-view

21. 1. Multiple policy versions with overly permissive configuration for older

    version. 2. Overly permissive policy present. 3. Able to use overly permissive older version policy by making it as a default policy. What went wrong? AWS (Mis)configuration from attacker’s eye-view

22. EC2 (Mis)configuration AWS (Mis)configuration from attacker’s eye-view

23. • Is EC2 instance accessible to public user? • Is

    there any port open? • Is web application running on that EC2 instance ip address? • Is default configuration being used? What to look for? AWS (Mis)configuration from attacker’s eye-view

24. Finding EC2 instance AWS (Mis)configuration from attacker’s eye-view

25. Web application running on port 80 AWS (Mis)configuration from attacker’s

    eye-view

26. AWS (Mis)configuration from attacker’s eye-view

27. S3 related permission and sensitive information

28. AWS (Mis)configuration from attacker’s eye-view Approach

29. 1. Misconfigured firewall that allows EC2 instance publicly accessible. 2.

    Web Application hosted on EC2 instance doesn’t have input validation and trust on user supplied data to make requests from the server and that make web-application vulnerable to SSRF. 3. EC2 role with overly permissive policy. 4. Data storage in AWS S3 was not encrypted. 5. Storing credentials such as admin credentials in S3 bucket. What went wrong? AWS (Mis)configuration from attacker’s eye-view

30. AWS (Mis)configuration from attacker’s eye-view What are other attack vectors

    worth to look for • Public Snapshots • Non-public EC2 AMI • Encrypted AMI • Not using default VPC • EC2 Instance Not In Public Subnet • Unrestricted Outbound Access • EC2 Reserved Instance Payment Pending • Allowing meaningful ports to open without putting restrictions

31. How an attacker make use of HTML Injection to get

    AWS credentials ? AWS (Mis)configuration from attacker’s eye-view

32. https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90 AWS (Mis)configuration from attacker’s eye-view

33. Approach AWS (Mis)configuration from attacker’s eye-view

34. 1. The user provided data was being consumed were not

    output encoded and input is not being sanitized and that make application to vulnerable to HTML Injection attack and also confirm that vulnerable to SSRF attack. 3. AWS hosted web application, so try to access to a set of AWS access keys by accessing the AWS EC2 metadata service via a SSRF vulnerability. 4. Able to access EC2 metadata as usage of IMDVS1. What went wrong? AWS (Mis)configuration from attacker’s eye-view

35. • Improper credentials handling • Instance misconfiguration • S3 misconfiguration

    • Access control misconfiguration • Exposure of resources via firewall • Network security misconfiguration • Insecure custom applications • RDS Misconfigurations Misconfigurations that worth to look for AWS (Mis)configuration from attacker’s eye-view

36. Tools that can help to speedup procedure • Scoutesuite •

    Prowler • S3-inspector • Enumerate IAM • Bucket finder • Pacu • aws_escalate AWS (Mis)configuration from attacker’s eye-view

37. References • https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pools-identity-pools/ • https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html • https://dev.to/cloudanix/top-13-aws-ec2-misconfigurations-to-avoid-in-2021-29 • https://notsosecure.com/hacking-aws-cognito-misconfigurations/ •

    https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of-a ws-cognito-security.pdf • https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5 ec5d90 • https://github.com/appsecco/attacking-cloudgoat2 AWS (Mis)configuration from attacker’s eye-view

38. AWS (Mis)configuration from attacker’s eye-view Thank you https://www.linkedin.com/in/kavisha-sheth/ https://twitter.com/sheth_kavisha