Fix dynamodb__enum error and add cognito__enum features

RhinoSecurityLabs · Jul 25, 2023 · 33891bf · 33891bf
1 parent 45d3fbe
commit 33891bf
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 5 deletions.
diff --git a/pacu/modules/cognito__enum/main.py b/pacu/modules/cognito__enum/main.py
@@ -363,8 +363,6 @@ def main(args, pacu_main):
                                     if user_writable_attribute == 'email':  
                                         if user_writable_attribute not in verify_attributes:
                                             print('Attribute \'email\' does not require verification before changing!')
-                                if client_scope_user_writable_attributes:
-                                    print('The following attributes can be modified by users and are used for access control by this client (this may allow privilege escalation): ' + str(client_scope_user_writable_attributes))
                                 if resource_server_scope_user_writable_attributes:
                                     print('The following attributes can be modified by users and are used for access control by a resource server (this may allow privilege escalation): ' + str(resource_server_scope_user_writable_attributes))
                                 else:
@@ -397,7 +395,6 @@ def main(args, pacu_main):
                         print(f'  {len(user_pool_clients)} user pool client(s) found in user pool {user_pool["Id"]}.')
                     except Exception as e:
                         print(f"Error: {e}")
-                    print('Still here!')
                     all_user_pool_clients += user_pool_clients
 
 
@@ -496,4 +493,4 @@ def summary(data, pacu_main):
     if 'UsersInPools' in data:
         results.append('    {} total user(s) in user pool(s) found.'.format(len(data['UsersInPools'])))
 
-    return '\n'.join(results)
+    return '\n'.join(results)
diff --git a/pacu/modules/dynamodb__enum/main.py b/pacu/modules/dynamodb__enum/main.py
@@ -50,7 +50,7 @@ def fetch_dynamodb_data(client, func, key, print, **kwargs):
         if isinstance(data, (dict, str)):
             return data
         while 'LastEvaluatedTableName' in response:
-            response = caller({**kwargs, **{'ExclusiveStartTableName': response['LastEvaluatedTableName']}})
+            response = caller(ExclusiveStartTableName=response['LastEvaluatedTableName'], **kwargs)
             data.extend(response[key])
         return data
     except client.exceptions.ResourceNotFoundException: