Hacking API Gateway
API Gateway is an AWS service that lets developers create APIs for their applications. It can also be integrated with other AWS services, which can pose a security risk when those integrations are misconfigured.
Each API Gateway has a URL called an endpoint which is used to invoke it.
For example, the endpoint here is https://wpeiyqw4d6.execute-api.us-east-2.amazonaws.com. The API Gateway configuration behind this endpoint is identified by the API ID wpeiyqw4d6 (the first label of the hostname) and the region us-east-2.
These endpoints can be of two types:
Private API endpoint: accessible only from within a VPC and approved subnets, through a VPC interface endpoint.
Public API endpoint: accessible from the Internet.
Users build their own application flow by defining routes in API Gateway. For instance, adding a route for /application means the user specifies which service or resource is invoked when a request is sent to /application.
In the example here, a route for /route has been added, meaning API Gateway performs the configured action whenever a request reaches that path.
Integrations for an API Gateway allow users to configure the action taken for a given route.
The configuration above specifies an integration where any request to /route is forwarded to https://google.com. In other words, the route /route has an HTTP integration with https://google.com.
A stage is a snapshot of the API Gateway used to manage and optimize an individual deployment. A single API Gateway can have multiple stages, and each stage can have different throttling and monitoring configurations.
Stages can throttle requests to a route in one stage while the same route still works in another stage whose throttling is more relaxed.
Here there are two stages: $default, which exists whenever an API Gateway is created, and a custom stage named production_stage, which has a different endpoint.
NOTE: apart from the path, the domain stays the same for every stage.
As mentioned earlier, an API Gateway can be public or private. A resource policy is optional for a public API Gateway but mandatory for a private one, since it acts as the access control for private API Gateways.
Example resource policy:
This policy reveals the following:
Effect indicates whether the named Principal is allowed or denied the Action on the Resource. Here, Allow means that user Alice can invoke the API Gateway; had the Effect been Deny, user Alice would not be authorized to invoke it.
Action is the exact permission granted to the principal on the Resource. Here execute-api:Invoke means Alice is allowed to invoke the API Gateway.
Principal identifies who the statement applies to. Here arn:aws:iam::account-id-2:user/Alice means that user Alice is the one being granted access.
Resource identifies the route in the API Gateway that the policy covers. In this case Alice can make GET requests to the pets route.
Just looking at the resource policy helped us gather useful information about the target: we now know a user in the target AWS account, a working route /pets, and even a stage called production, all of which are useful for enumeration.
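The two pieces of information this page walks through, the invoke URL (API ID, region, stage) and the resource policy (who may call which stage, method and path), are exactly what a reviewer wants extracted from an API Gateway configuration. The following is an added example, not code from the original page: it parses an invoke URL and reviews a constructed resource policy modelled on the Alice statement above, flagging any Allow statement whose Principal is "*" as publicly invocable. The second statement in the sample policy, the account ID account-id-1 and the resource ARN format are assumptions for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample policy (not the page's own): statement 1 mirrors what the page
# describes for Alice; statement 2 is a deliberately permissive one for the check.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::account-id-2:user/Alice"},
     "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-2:account-id-1:wpeiyqw4d6/production/GET/pets"},
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:*",
     "Resource": "arn:aws:execute-api:us-east-2:account-id-1:wpeiyqw4d6/*"},
]})

# Invoke URLs look like <api-id>.execute-api.<region>.amazonaws.com[/<stage>/...]
ENDPOINT_RE = re.compile(r"^(?P<api_id>[a-z0-9]+)\.execute-api\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")

def parse_endpoint(url):
    """Split an invoke URL into API ID, region and stage (first path segment)."""
    u = urlparse(url)
    m = ENDPOINT_RE.match(u.hostname or "")
    if not m:
        raise ValueError("not an execute-api invoke URL")
    segments = u.path.strip("/").split("/")
    # No stage in the path means the $default stage of an HTTP API
    stage = segments[0] if segments[0] else "$default"
    return {"api_id": m["api_id"], "region": m["region"], "stage": stage}

def as_list(v):
    return v if isinstance(v, list) else [v]

def review_policy(policy_json):
    """One finding per statement/resource: who may do what on which stage, method
    and path, with Allow-to-anyone statements flagged as public."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        p = st["Principal"]
        principals = as_list(p if isinstance(p, str) else p.get("AWS", []))
        for res in as_list(st["Resource"]):
            # The resource part of an execute-api ARN is api-id/stage/METHOD/path
            parts = res.split(":")[-1].split("/", 3) + ["*", "*", "*"]
            findings.append({
                "effect": st["Effect"], "principals": principals,
                "actions": as_list(st["Action"]),
                "stage": parts[1], "method": parts[2], "path": parts[3],
                "public": st["Effect"] == "Allow" and "*" in principals,
            })
    return findings
```

Running review_policy over a real policy exported from the console gives the same table the page derives by hand (user, stage, method, route), and a "public": True finding is the misconfiguration to investigate first.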