AWS

In this post, I’ll cover how the vulnerable Cognito service can be exploited to escalate privileges and obtain temporary AWS credentials. Privilege Escalation via Vulnerable Cognito Introduction AWS Cognito is commonly used to handle user authentication and identity federation in cloud applications. However, when misconfigured, it becomes a gateway for privilege escalation, especially when: Frontend validations are trusted too much Custom attributes are used to control access Identity Pools are mapped to roles based on unvalidated claims This scenario demonstrates how misconfigured Amazon Cognito setups can be exploited to gain unauthorized access to AWS resources. You’ll simulate an attacker exploiting weak client-side validations and improperly scoped custom attributes to escalate privileges and extract AWS credentials via Cognito Identity Pools. ...

In this post, I’ll demonstrate how a Server-Side Request Forgery (SSRF) vulnerability can be exploited to access the EC2 instance metadata service, allowing an attacker to retrieve IAM role credentials and potentially escalate privileges within the AWS environment. Privilege Escalation via SSRF on EC2 Introduction This scenario demonstrates a misconfigured AWS environment where an attacker can pivot through multiple services—starting from a limited IAM user and ultimately gaining high-privileged access by exploiting a Server-Side Request Forgery (SSRF) vulnerability in an EC2-hosted web application. ...

In this post, I’ll cover how multiple policy versions with overly permissive configuration for an older version leads to privilege escalation in AWS. Privilege Escalation via Rollback Introduction A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. AWS IAM policies define permissions for an action regardless of the method that you use to perform the operation. ...

Read the full post on Hacklido.