RefreshToken Is Exposed
- Query id: 5b48c507-0d1f-41b0-a630-76817c6b4189
- Query name: RefreshToken Is Exposed
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description¶
Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
MySkill:
Type: "Alexa::ASK::Skill"
Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: !GetAtt S3BucketReadRole.Arn
Overrides:
Manifest:
apis:
custom:
endpoint:
uri: !GetAtt SkillFunction.Arn
AuthenticationConfiguration:
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "1234"
RefreshToken: "Atzr|1234"
VendorId: "1234"
Positive test num. 2 - json file
{
"Resources": {
"MySkill": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"VendorId": "1234",
"SkillPackage": {
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip",
"S3BucketRole": "S3BucketReadRole.Arn",
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "SkillFunction.Arn"
}
}
}
}
}
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "1234",
"RefreshToken": "Atzr|1234"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
MySkill:
Type: "Alexa::ASK::Skill"
Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: !GetAtt S3BucketReadRole.Arn
Overrides:
Manifest:
apis:
custom:
endpoint:
uri: !GetAtt SkillFunction.Arn
AuthenticationConfiguration:
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "1234"
RefreshToken: "{{resolve:secretsmanager:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}"
VendorId: "1234"
MySkill2:
Type: "Alexa::ASK::Skill"
Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: !GetAtt S3BucketReadRole.Arn
Overrides:
Manifest:
apis:
custom:
endpoint:
uri: !GetAtt SkillFunction.Arn
AuthenticationConfiguration:
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "1234"
RefreshToken: "{{resolve:ssm-secure:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}"
VendorId: "1234"
Negative test num. 2 - json file
{
"Resources": {
"MySkill": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"SkillPackage": {
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip",
"S3BucketRole": "S3BucketReadRole.Arn",
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "SkillFunction.Arn"
}
}
}
}
}
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "1234",
"RefreshToken": "{{resolve:secretsmanager:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}"
},
"VendorId": "1234"
}
},
"MySkill2": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"SkillPackage": {
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip",
"S3BucketRole": "S3BucketReadRole.Arn",
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "SkillFunction.Arn"
}
}
}
}
}
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "1234",
"RefreshToken": "{{resolve:ssm-secure:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}"
},
"VendorId": "1234"
}
}
}
}