Morioh
Login
Mable Wilderman

Mable Wilderman

3 years ago

Tl;dr: Found the AWS Cognito API call for the GetCredentialsForIdentity through the profile picture upload feature of the application which leaks the AWS credentials in the response.

AWS Instance metadata is data about your instance that you can use to configure or manage the running instance. In AWS, the Instance Metadata Service (IMDS) makes information about a compute instance, its network, and storage available to software running on the instance. IMDS also makes temporary credentials. Configuring this metadata credentials in AWS CLI, one can access the services associated with the account.

The Usual Way

The traditional way to extract AWS credentials is via exploiting SSRF. SSRF attacks give the privilege to make requests from the target machine. And if the application is running on any cloud services the attacker can attempt to access the metadata services.

In the case of AWS cloud services its route on Automatic Private IP address over http://169.254.169.254/

Since the metadata service of AWS doesn’t require any particular headers, fetching the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLENAME will return the AccessKeyID, SecretKey, and Security Token.

Test Case:

filename.ext?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename

Tip💡: Use CanaryTokens or Pythonanywhere server to test for SSRF Bugs

#bug-bounty #infosec #aws #cloud-security #cybersecurity #cloud

Leaking AWS Metadata

medium.com

Leaking AWS Metadata

Found the AWS Cognito API call for the GetCredentialsForIdentity through the profile picture upload feature of the application which leaks the AWS credentials in the response.

3.95 GEEK