Stored XSS to Account Takeover (AWS Cognito)

Hello again! Today, I want to discuss a recent finding from my penetration test. We’ll examine how AWS Cognito handles data insecurely and how this vulnerability can be exploited using a simple XSS attack. This issue can and will ultimately lead to a complete account takeover. We will also check out a cool WAF XSS bypass that in the end helped me to exploit the application.

For those who are already familiar with the basics, feel free to scroll down directly to the exploit.

Before we dive in, let’s take a moment to understand what AWS Cognito does. AWS Cognito is a service offered by Amazon Web Services that assists developers in managing user authentication, authorization, and user data so you don’t have to. Cognito consists of two main services: the User Pool and the Identity Pool.

The User Pool is a user directory in AWS Cognito that allows you to manage and maintain user profiles. It provides sign-up and sign-in functionality for your app users, along with the ability to handle user attributes, account recovery, and multi-factor authentication. Essentially, the User Pool acts as a secure user store to facilitate user management and authentication within your application.