A powerful AWS Cognito analysis and session hijacking toolkit designed for security researchers and penetration testers. CognitoHunter specializes in dissecting AWS Cognito implementations and performing advanced credential-to-session conversions.
🔍 Deep Configuration Discovery
- Identifies AWS Cognito configurations in web apps and JS files
- Extracts identity pools, user pools, and client IDs
- Maps AWS authentication flows
🔑 Advanced Credential Acquisition
- Validates identity pools across multiple regions
- Obtains temporary AWS credentials through the unauthenticated (guest) identity flow on pools that allow it
- Extracts temporary security tokens
🔄 Multi-method Session Conversion
- SDK token exchange
- Cognito hosted UI flow
- AWS Web Identity federation
- Browser SDK emulation
- JWT token exchange
- Direct API access
🎯 Session Validation & Hijacking
- Tests obtained sessions against common endpoints
- Provides browser-ready cookie commands
- Generates authorization headers
- Validates session permissions
Installation:

```bash
# Clone the repository
git clone https://github.com/yourusername/cognitohunter.git
cd cognitohunter

# Install required packages
pip3 install -r requirements.txt
```

Basic scan of a target, with verbose logging and TLS certificate verification disabled (`--insecure` is meant for runs through an intercepting proxy you control, not for general use):

```bash
python3 cognitohunter.py -u https://example.com -v --insecure
```

Reuse AWS credentials and a Cognito identity ID you obtained earlier:

```bash
python3 cognitohunter.py -u https://example.com \
  --creds "ACCESS_KEY:SECRET_KEY:SESSION_TOKEN" \
  --identity "IDENTITY_ID"
```

Help output:

```
🎯 CognitoHunter v1.0.0 - AWS Cognito Analysis Toolkit

optional arguments:
  -h, --help          show this help message and exit
  -u, --url URL       Target URL to analyze
  -v, --verbose       Enable verbose logging
  -o, --output FILE   Output file for results
  --insecure          Skip SSL verification
  --creds CREDS       Use existing AWS credentials (ACCESS_KEY:SECRET_KEY:SESSION_TOKEN)
  --identity ID       Use existing Identity ID
```
Example output. A real run writes live temporary AWS credentials into this structure, so treat the results (and any `-o` file) as sensitive material:

```json
{
  "identity_pools": [
    "us-west-2:6f4d8534-3bf0-4357-9b8b-750f2f3d23d3"
  ],
  "validations": [
    {
      "type": "identity_pool",
      "id": "us-west-2:6f4d8534-3bf0-4357-9b8b-750f2f3d23d3",
      "identity_id": "us-west-2:c6d76489-2df1-cb8f-eb4b-e5fe685d350e",
      "credentials": {
        "AccessKeyId": "ASIA4NV3EREW5EFZTNHT",
        "SecretKey": "5eglHwsS0/QOF7Tz/OmO3xWRFQ1ppnnvJORERBM1",
        "SessionToken": "IQoJb3JpZ2luX2VjEJf..."
      }
    }
  ],
  "web_sessions": [
    {
      "method": "sdk_token",
      "cookies": {
        "session": "example_session_cookie"
      },
      "headers": {
        "Authorization": "Bearer example_token"
      }
    }
  ]
}
```
Configuration Discovery Phase
- Scans target website and JS files
- Extracts AWS configurations
- Maps authentication endpoints
Credential Acquisition Phase
- Validates identity pools
- Obtains AWS temporary credentials
- Tests credential permissions
Session Conversion Phase
- Attempts multiple conversion methods
- Validates obtained sessions
- Tests session permissions
Result Generation Phase
- Provides detailed analysis
- Generates exploitation commands
- Validates session access
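The discovery and acquisition phases above (and the matching feature bullets at the top of the page) reduce to a handful of regexes and two unsigned Cognito Identity API calls. The following is an added example written for this page, not CognitoHunter's own code: the regexes, the sample JS bundle, the `FakeCognitoIdentity` stand-in and every identifier value inside them are constructed for the example; `GetId` and `GetCredentialsForIdentity` are the real operations the guest flow uses, and `live_client` builds the unsigned boto3 client you would point at a real, authorised target.

```python
import re
from typing import Optional

# Constructed sample of a front-end bundle that inlines an Amplify-style config block.
SAMPLE_JS = """
const awsconfig = {
  aws_project_region: "us-west-2",
  aws_cognito_identity_pool_id: "us-west-2:6f4d8534-3bf0-4357-9b8b-750f2f3d23d3",
  aws_user_pools_id: "us-west-2_Ab12CdEf3",
  aws_user_pools_web_client_id: "1h57kf5cpq17m0eml12abcdefg",
  oauth: { domain: "example-app.auth.us-west-2.amazoncognito.com" },
};
"""

# Identifier shapes (commercial-region form): identity pool = <region>:<uuid>,
# user pool = <region>_<9 alnum>, app client = 26 lowercase alnum next to a
# "client id" key, hosted UI = <prefix>.auth.<region>.amazoncognito.com
IDENTITY_POOL_RE = re.compile(r"\b([a-z]{2}-[a-z]+-\d):([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\b")
USER_POOL_RE = re.compile(r"\b([a-z]{2}-[a-z]+-\d)_([A-Za-z0-9]{9})\b")
CLIENT_ID_RE = re.compile(r"[cC]lient_?[iI]d\W{0,5}([a-z0-9]{26})\b")
HOSTED_UI_RE = re.compile(r"\b([a-z0-9-]+\.auth\.[a-z]{2}-[a-z]+-\d\.amazoncognito\.com)\b")


def discover_config(js_text: str) -> dict:
    """Discovery phase: pull every Cognito identifier out of a JS bundle, de-duplicated."""
    return {
        "identity_pools": sorted({f"{region}:{uuid}" for region, uuid in IDENTITY_POOL_RE.findall(js_text)}),
        "user_pools": sorted({f"{region}_{pool}" for region, pool in USER_POOL_RE.findall(js_text)}),
        "client_ids": sorted(set(CLIENT_ID_RE.findall(js_text))),
        "hosted_ui_domains": sorted(set(HOSTED_UI_RE.findall(js_text))),
    }


def guest_credentials(client, identity_pool_id: str) -> Optional[dict]:
    """Acquisition phase: the unauthenticated (guest) flow is two unsigned calls,
    GetId to mint an identity in the pool and GetCredentialsForIdentity to trade it
    for temporary AWS credentials. Returns None when the pool rejects guest identities."""
    try:
        identity_id = client.get_id(IdentityPoolId=identity_pool_id)["IdentityId"]
        creds = client.get_credentials_for_identity(IdentityId=identity_id)["Credentials"]
    except Exception as exc:  # boto3 raises a ClientError whose message carries the error code
        if "NotAuthorizedException" in str(exc):
            return None
        raise  # anything else (missing pool, throttling) must not be reported as "guest access off"
    return {"identity_id": identity_id, "credentials": creds}


class FakeCognitoIdentity:
    """Constructed stand-in for boto3's cognito-identity client so the flow runs offline.
    Only the pool in ALLOW_GUEST has unauthenticated identities enabled."""
    ALLOW_GUEST = {"us-west-2:6f4d8534-3bf0-4357-9b8b-750f2f3d23d3"}

    def get_id(self, IdentityPoolId):
        if IdentityPoolId not in self.ALLOW_GUEST:
            raise RuntimeError("An error occurred (NotAuthorizedException) when calling the GetId operation")
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":c6d76489-2df1-cb8f-eb4b-e5fe685d350e"}

    def get_credentials_for_identity(self, IdentityId):
        return {"IdentityId": IdentityId,
                "Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretKey": "example", "SessionToken": "example"}}


def live_client(region: str):
    """Real client for a live target: the guest flow needs no AWS credentials, so sign nothing."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    return boto3.client("cognito-identity", region_name=region, config=Config(signature_version=UNSIGNED))


if __name__ == "__main__":
    config = discover_config(SAMPLE_JS)
    print("discovered:", config)
    for pool_id in config["identity_pools"]:
        region = pool_id.split(":")[0]   # the region is the pool ID's prefix
        client = FakeCognitoIdentity()   # use live_client(region) against a real target
        result = guest_credentials(client, pool_id)
        print(pool_id, "->", "guest credentials issued" if result else "unauthenticated access disabled")
```

`guest_credentials` returns `None` only on `NotAuthorizedException`, which is what `GetId` returns for a pool with unauthenticated identities disabled; every other error is re-raised so a throttled or deleted pool is not silently recorded as secure. A pool that does issue credentials is worth following up with `sts:GetCallerIdentity` under those credentials to learn which role they map to before any permission testing.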
Identity Pool Security
- Disable unauthenticated (guest) identities unless the application genuinely needs them: a pool that allows them issues temporary AWS credentials to anyone who knows its ID, and the ID ships in the front-end bundle
- Scope the unauthenticated and authenticated IAM roles to least privilege, with no wildcard actions and no `Resource: "*"` on data services; treat the console's default role policies as a starting point, not a final state
- Audit the pool's roles and their policies regularly, including after any change to the application's data access
Session Management
- Keep session and token lifetimes short; credentials from an identity pool are valid for up to an hour, so a leaked set has a bounded but real window
- Store session tokens where injected script cannot read them (HttpOnly cookies rather than localStorage) and never write them to logs
- Re-check a session's permissions server-side on every request rather than trusting what the client presents
General Security
- Don't rely on hiding the Cognito configuration: identity pool IDs, user pool IDs, client IDs and regions have to reach the browser and are public by design, so protect what those identifiers can reach rather than the identifiers themselves
- Configure CORS on every API and bucket the Cognito roles can reach so that only the application's own origins are accepted; CORS does not stop a tool calling the AWS APIs directly, so it complements IAM scoping rather than replacing it
- Schedule regular security reviews that cover the identity pool, its roles and the user pool app client settings
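Checking the identity pool recommendations above against a real pool comes down to three inputs: the pool's `AllowUnauthenticatedIdentities` and `AllowClassicFlow` flags, the role mapped to guests, and that role's policies. The following is an added example, not part of CognitoHunter: the pool, role-mapping and policy dictionaries are constructed to look like `DescribeIdentityPool`, `GetIdentityPoolRoles` and `GetRolePolicy` responses, and the `BASELINE_SERVICES` allow-list is this example's own assumption, based on what the console's default unauthenticated role grants.

```python
from typing import List

# Constructed to mirror a DescribeIdentityPool response.
SAMPLE_POOL = {
    "IdentityPoolId": "us-west-2:6f4d8534-3bf0-4357-9b8b-750f2f3d23d3",
    "IdentityPoolName": "example_app",
    "AllowUnauthenticatedIdentities": True,
    "AllowClassicFlow": True,
}
# Constructed to mirror a GetIdentityPoolRoles response.
SAMPLE_ROLES = {"Roles": {
    "unauthenticated": "arn:aws:iam::123456789012:role/Cognito_example_appUnauth_Role",
    "authenticated": "arn:aws:iam::123456789012:role/Cognito_example_appAuth_Role",
}}
# Constructed inline policy on the unauthenticated role, as GetRolePolicy would return it.
SAMPLE_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-public/*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Assumed baseline: what the console's default unauthenticated role grants; not reported as findings.
BASELINE_SERVICES = {"mobileanalytics", "cognito-sync"}


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_guest_policy(policy: dict, role_arn: str) -> List[str]:
    """Flag Allow statements that give guests wildcard actions or a non-baseline action on every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if service in BASELINE_SERVICES:
                continue
            if action == "*" or "*" in verb:
                findings.append(f"{role_arn}: wildcard action {action!r} granted to guests")
            elif "*" in resources:
                findings.append(f"{role_arn}: {action!r} granted to guests on every resource")
    return findings


def audit_identity_pool(pool: dict, roles: dict, guest_policies: List[dict]) -> List[str]:
    """Guest-access, classic-flow and guest-role-policy checks for one pool, in that order."""
    findings = []
    guest_on = bool(pool.get("AllowUnauthenticatedIdentities"))
    role_arn = roles.get("Roles", {}).get("unauthenticated", "<no guest role mapped>")
    if guest_on:
        findings.append(f"unauthenticated (guest) identities enabled, mapped to {role_arn}")
    if pool.get("AllowClassicFlow"):
        findings.append("classic (basic) auth flow enabled: a client can AssumeRoleWithWebIdentity into any "
                        "role whose trust policy accepts this pool, not only the mapped roles")
    if guest_on:
        for policy in guest_policies:
            findings.extend(audit_guest_policy(policy, role_arn))
    return findings


def fetch_live(pool_id: str):
    """Pull the same three inputs from AWS for a pool you administer (needs
    cognito-identity:DescribeIdentityPool, cognito-identity:GetIdentityPoolRoles,
    iam:ListRolePolicies and iam:GetRolePolicy). Inline policies only; see the note below."""
    import boto3
    cognito = boto3.client("cognito-identity", region_name=pool_id.split(":")[0])
    iam = boto3.client("iam")
    pool = cognito.describe_identity_pool(IdentityPoolId=pool_id)
    roles = cognito.get_identity_pool_roles(IdentityPoolId=pool_id)
    policies = []
    guest_role = roles.get("Roles", {}).get("unauthenticated")
    if guest_role:
        name = guest_role.rsplit("/", 1)[-1]
        for policy_name in iam.list_role_policies(RoleName=name)["PolicyNames"]:
            policies.append(iam.get_role_policy(RoleName=name, PolicyName=policy_name)["PolicyDocument"])
    return pool, roles, policies


if __name__ == "__main__":
    for line in audit_identity_pool(SAMPLE_POOL, SAMPLE_ROLES, [SAMPLE_UNAUTH_POLICY]):
        print("FINDING:", line)
```

`fetch_live` reads only the guest role's inline policies; managed policies attached to the role (`iam:ListAttachedRolePolicies` followed by `iam:GetPolicyVersion`) need a separate pass before the audit is complete. The classic-flow check is included because, with the basic flow enabled, a client is not limited to the role mapped on the pool but can call `AssumeRoleWithWebIdentity` against any role whose trust policy accepts the pool, so a tightly scoped guest role alone does not bound what a guest can reach.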
This tool is for security research purposes only. Always obtain proper authorization before testing any systems or applications.
- Paul Seekamp (@nullenc0de)
- Research based on work by NotSoSecure
- Inspired by Theodo Cloud Security research
- AWS Cognito security research community