# Octopus Storage

Repository: https://github.com/adeadfed/octopus-storage (Oh My H@ck demo AWS Cognito application)

## What is this?

**Octopus Storage** is a vulnerable web application, bundled with the series of **AWS Cognito Security** research articles available at the [LSG Europe website](https://lsgeurope.com). **Octopus Storage** is a cloud file hosting service that enables users to upload and share files. It is built as a serverless web application and uses common AWS services through the frontend AWS JS SDK and the Cognito service.

## Deployment

 1. Install [terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
 2. Configure administrator-level AWS credentials for terraform to [use](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration)
 3. Clone the repo and deploy it:
 ```
 git clone https://github.com/adeadfed/octopus-storage
 cd octopus-storage
 cd tf
 terraform init
 terraform apply
 ```
 4. Terraform should yield the URLs of the freshly deployed web applications after the apply:
 ```
 ubuntu@ubuntu:~$ terraform apply
 ...
 Outputs:

 octopus_admin_ssh_key = <sensitive>
 octopus_admin_user_credentials = <sensitive>
 octopus_admin_web_url = "http://EC2-PUBLIC-IP.compute-1.amazonaws.com"
 octopus_storage_web_url = "https://CLOUDFRONT-ID.cloudfront.net"
 ```
 5. Sensitive terraform outputs
 You can access sensitive outputs like so:
 ```
 terraform output -raw *output_name*
 ```
 `octopus_admin_ssh_key` can be used to access the EC2 instance running the Octopus Admin web app.
 `octopus_admin_user_credentials` can be used to log in as the `octopus_admin` User Pool user.

## Available Attack Vectors

 1. **Editable** custom User Pool attributes that lead to a privilege escalation (use the Flask app in `user-pool-attributes-app/app.py`).
 2. SSTI in the **developer application with server-side login flow** that can be used to leak developer credentials.
 3. RCE in a **User Pool Lambda trigger** that can be abused to perform privileged actions on the Cognito service or achieve a foothold in the infrastructure.
 4. Shared **User Pool** used to authenticate to **multiple applications**.
 5. Flawed **rule-based role mapping** that can be bypassed to obtain administrator credentials (optional; swap from option 1 to option 2 in lines 110-130 of `cognito.tf`).
 6. **Misconfigured Identity Pool role permissions** for horizontal privilege escalation.
 7. **Misconfigured Identity Pool role permissions** for vertical privilege escalation via excessive **AWS Cognito permissions**.

## Authors

- Maksym Vatsyk
    - [LinkedIn](https://www.linkedin.com/in/maksym-vatsyk/)
    - [Twitter](https://twitter.com/adeadfed)
- Pavel Shabarkin
    - [LinkedIn](https://www.linkedin.com/in/pavelshabarkin/)
    - [Twitter](https://twitter.com/shabarkin)