YoVDO

Hunting for Amazon Cognito Security Misconfigurations

Offered By: NahamSec via YouTube

Tags

Amazon Cognito Courses Bug Bounty Courses Cloud Security Courses Privilege Escalation Courses Offensive Security Courses AWS Security Courses Authentication Bypass Courses

Course Description

Overview

Explore the intricacies of Amazon Cognito security misconfigurations in this 25-minute conference talk from #NahamCon2022EU. Delve into the world of offensive security as Yassine Aboukir, a seasoned bug bounty hunter and security consultant, guides you through identifying applications using Amazon Cognito, uncovering unauthorized access to AWS services, and exploiting authentication bypasses. Learn about privilege escalation techniques through writable user attributes and the risks associated with updating email attributes before verification. Gain valuable insights into common security pitfalls and receive practical recommendations for developers to enhance their Amazon Cognito implementations.

Syllabus

Intro
Introduction to AWS Cognito
How to tell if an application is using Amazon Cognito?
Unauthorized access to AWS services due to Liberal AWS Credentials
Authentication bypass due to enabled Signup API action
Privilege escalation through writable user attributes
Security misconfiguration #4: Updating email attribute before verification
Recommendations for developers


Taught by

NahamSec

Related Courses

Don't Ruck Us Too Hard - Owning All of Ruckus AP Devices
nullcon via YouTube Attacking ADFS Endpoints with PowerShell
YouTube Practical HTTP Header Smuggling - Sneaking Past Reverse Proxies to Attack AWS and Beyond
Black Hat via YouTube 200+ Vulnerabilities in Android Phones
Hack In The Box Security Conference via YouTube Systems Applications Proxy Pwnage
44CON Information Security Conference via YouTube