Skip to content

adeadfed/octopus-storage

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

72 Commits

admin-app

admin-app

 
 

client-app

client-app

 
 

lambda

lambda

 
 

tf

tf

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

Octopus Storage

What is this?

Octopus Storage is a vulnerable web application, bundled with the series of AWS Cognito Security research articles, available at LSG Europe website. Octopus Storage is a cloud file hosting service that enables users to upload and share files. It is built as a server-less web application, and uses common AWS services with the help of frontend AWS JS SDK and Cognito service.

Deployment

  1. Install terraform
  2. Configure an administrator-level AWS credentials for terraform to use
  3. Clone the repo and deploy it:
git clone https://github.com/adeadfed/octopus-storage
cd octopus-storage
cd tf
terraform init
terraform apply
  1. Terraform should yield the URLs for the freshly deployed web applications after the apply:
ubuntu@ubuntu:~$ terraform apply
...
Outputs:

octopus_admin_ssh_key = <sensitive>                 
octopus_admin_user_credentials = <sensitive>        
octopus_admin_web_url = "http://EC2-PUBLIC-IP.compute-1.amazonaws.com"
octopus_storage_web_url = "https://CLOUDFRONT-ID.cloudfront.net"
  1. Sensitive terraform outputs You can access sensitive outputs like so:
terraform output -raw *output_name*

octopus_admin_ssh_key can be used to access the EC2 running the Octopus Admin web app.
octopus_admin_user_credentials can be used to log into octopus_admin User Pool user.

Available Attack Vectors

  1. Editable custom User Pool attributes that lead to a privilege escalation (use Flask app in user-pool-attributes-app/app.py).
  2. SSTI in developer application with server-side login flow that can be used leak developer credentials.
  3. RCE in User Pool Lambda trigger that can be abused to perform privileged actions on Cognito service or achieve a foothold in the infrastructure.
  4. Shared User Pool used to authenticate to multiple applications.
  5. Flawed rule-based role mapping that can be bypassed to obtain administrator credentials (optional; swap from option 1 to option 2 in lines 110-130 in cognito.tf).
  6. Misconfigured Identity Pool role permissions for horizontal privilege escalation.
  7. Misconfigured Identity Pool role permissions for vertical privilege escalation via excessive AWS Cognito permissions.

Authors

About

Oh My H@ck demo AWS Cognito application

Topics

aws demo serverless hacking cognito web-hacking

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

Octopus Admin app source code Latest
Sep 14, 2023

Packages

No packages published

Contributors 2

  •  
  •  

Languages