pacu
pacu copied to clipboard
Published
20 hours ago •
RhinoSecurityLabs
RhinoSecurityLabs
Feature/update cognito attack
Summary
I've encountered an issue in the cognito__attack module of the Pacu framework — when attempting to exploit the vulnerable_cognito user pool, the script requests the familyName and givenName attributes repeatedly without progressing.
Upon running the cognito__attack, the module falls into a loop, asking for the name.familyName and name.givenName even after supplying the correct values. Additionally, it gives an error saying "Username should be an email," suggesting a deeper issue with how user attributes are handled.
It turns out the expected attribute keys should be family_name and given_name, not familyName and givenName.
Example code:
run cognito__attack --username [email protected] --email [email protected] --user_pool_clients 52077oo7e3h4fmklumdt4gn0ou@us-east-1_GUKqIkgg2
Running module cognito__attack...
[cognito__attack] Attempting to sign up user in user pool client 52077oo7e3h4fmklumdt4gn0ou in region us-east-1 . . .
[]
[email protected]
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: name.familyName
Please enter the value of the invalid parameter: Doe
[{'Name': 'email', 'Value': '[email protected]'}]
[email protected]
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: name.givenName
Please enter the value of the invalid parameter: John
[{'Name': 'email', 'Value': '[email protected]'}, {'Name': 'email', 'Value': '[email protected]'}]
[email protected]
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: username
Changes
- added user_attributes parameter and logic
- updated logic to handle the described issue
- flake8 updates
Additional Notes
I have not seen any test that I could provide so I didn't. All of my manual testing was OK, but this needs to be tested by somebody else as well.
