Cognito is an SSO solution from Amazon. The site under test lets users log in through it and offers password reset functionality, implemented by emailing the user a 6-digit code.
While testing the rate limiting, the researchers realized something was off. Although the documentation said that 5-20 failed attempts would result in a limit exceeded error, this limit could be bypassed by sending concurrent requests via Burp Turbo.
A second issue was that the lockout had a cool-down period: some time after the limit exceeded error appeared, attempts could be made again because the counter had been reset.
The most they got through was 1587 attempts, which is 0.16% of the 6-digit code space, or roughly a 1 in 625 chance of hitting the code per reset. Combined with the cool-down bug, the chance improved to roughly 1 in 312. Because the attack can be repeated by requesting a new password reset token, and can be run against multiple users at a time, it could eventually lead to user compromise.
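The two flaws described above, as an added example that is neither the researchers' code nor anything from Cognito: a check-then-increment limiter whose counter concurrent requests outrun, beside a locked, non-resetting one, plus the per-reset success probability for a 6-digit code. The limiter classes and the thread harness are hypothetical stand-ins for a code verification endpoint.

```python
import threading
import time

MAX_ATTEMPTS = 5      # lockout threshold; the page cites a documented 5-20 range
CODE_SPACE = 10 ** 6  # a 6-digit numeric code has one million possible values

class RacyLimiter:
    """Check-then-increment with no lock: the pattern concurrent requests defeat."""
    def __init__(self):
        self.attempts = 0

    def allow(self):
        if self.attempts >= MAX_ATTEMPTS:
            return False
        snapshot = self.attempts
        time.sleep(0.05)              # stands in for the I/O a real handler does here
        self.attempts = snapshot + 1  # lost update: every concurrent request saw 0
        return True

class AtomicLimiter:
    """Check and increment under one lock; the counter is never reset by a cool-down."""
    def __init__(self):
        self.attempts = 0
        self.lock = threading.Lock()

    def allow(self):
        with self.lock:
            if self.attempts >= MAX_ATTEMPTS:
                return False  # locked out for good: only a freshly issued code clears it
            self.attempts += 1
            return True

def fire_concurrently(limiter, n):
    """Release n verification attempts at the same instant; return how many got through."""
    gate = threading.Barrier(n)
    admitted = []                    # list.append is atomic under the GIL
    def worker():
        gate.wait()
        if limiter.allow():
            admitted.append(1)
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(admitted)

def guess_probability(attempts):
    """Chance a single reset is compromised when `attempts` distinct codes are tried."""
    return attempts / CODE_SPACE
```

The racy limiter admits far more than `MAX_ATTEMPTS` when twenty requests arrive together, while the locked one admits exactly five, and `guess_probability(1587)` gives the 0.16% figure quoted above.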
Reset token functionality is incredibly hard to implement! Even with rate limiting, the limits may not be enough. On engagements, I will make sure to validate that the rate limiting works with concurrent requests.