
username overwrite

Open EduardSchwarzkopf opened this issue 11 months ago • 0 comments

Describe the Bug

When you don't provide a username in the run command, the signup function will then ask the user to provide a username, which is fine. But on the verify call, the username from the input is being used, but the args username, which, since it is not provided, falls back to the default one.

https://github.com/RhinoSecurityLabs/pacu/blob/4e5f1de15ae880d703d3042374ab552fe6d3e258/pacu/modules/cognito__attack/main.py#L380

This creates a problem when providing the correct confirmation token to the prompt because this will then create a mismatch between the username and token data.

To Reproduce

Steps to reproduce the behavior:

  1. Run the command without a username flag: run cognito__attack --identity_pools us-east-1:<identity_pool_id> --user_pool_clients <client_id>@us-east-<id>
  2. Run through the sign up process
  3. Provide the token
  4. See the error

Expected Behavior

The expected behavior should be that the provided username from the input should be used in the verification step.

EduardSchwarzkopf, Mar 16 '24 16:03
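The mismatch reported above, modelled as an added example that is not part of the issue and not Pacu's code. `FakePool`, `signup`, `flow_buggy`, `flow_fixed`, the default value and the sample username are all hypothetical names and constructed values; the fake pool only mimics a service that binds each confirmation code to the username it was issued for.

```python
# Added illustration, not Pacu's code; every name and value here is constructed.
DEFAULT_USERNAME = "placeholder-default"  # assumed fallback when no flag is given


class FakePool:
    """Stand-in user pool: a confirmation code is valid only for its own user."""

    def __init__(self):
        self.codes = {}
        self.confirmed = set()

    def sign_up(self, Username):
        self.codes[Username] = f"code-for-{Username}"
        return self.codes[Username]

    def confirm_sign_up(self, Username, ConfirmationCode):
        if self.codes.get(Username) != ConfirmationCode:
            raise ValueError(f"code does not match user {Username!r}")
        self.confirmed.add(Username)


def signup(pool, args_username, prompt):
    """Register with the flag value, or ask for a name when no flag was given."""
    username = args_username if args_username else prompt()
    return username, pool.sign_up(Username=username)


def flow_buggy(pool, args_username, prompt):
    _, code = signup(pool, args_username, prompt)
    # Reported pattern: verification re-reads the argument, which is the default.
    stale = args_username or DEFAULT_USERNAME
    pool.confirm_sign_up(Username=stale, ConfirmationCode=code)


def flow_fixed(pool, args_username, prompt):
    username, code = signup(pool, args_username, prompt)
    # Expected behavior: verification reuses the name that was registered.
    pool.confirm_sign_up(Username=username, ConfirmationCode=code)
    return username


def run_demo():
    prompt = lambda: "alice"  # stands in for the interactive prompt
    pool = FakePool()
    try:
        flow_buggy(FakePool(), None, prompt)
        buggy = "confirmed"
    except ValueError as exc:
        buggy = str(exc)
    return buggy, flow_fixed(pool, None, prompt), pool.confirmed
```

Returning the resolved username from the signup step and passing it to verification keeps both calls on one value, whether it came from the flag or from the prompt.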