# API Gateway - Security

This page covers some of the more interesting security implications of Amazon API Gateway.

### IP Restriction bypass

Multiple API Gateways can be used to bypass IP restrictions. If each request is routed through a randomly chosen API Gateway, the backend sees the egress address of whichever gateway forwarded the request rather than the attacker's address, which defeats IP lockout, per-IP rate limiting and similar IP-based controls. (Caveat for defenders: API Gateway passes the caller's address to an HTTP integration in the `X-Forwarded-For` header, so a backend that logs that header rather than the TCP peer address can still see the original source unless the header has been rewritten.)

![](/files/popWJXyEec57x1bTqwCQ)

In this case the user proxies each request through a randomly chosen API Gateway, which masks their IP; the gateway then forwards the request to the server, and the server only ever sees the gateway's address as the source.
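The rotation described above, as an added example that is not code from the original page. It assumes the attacker has already deployed several proxy-type API Gateways that all forward to the same backend, and that the backend locks out a source address after a fixed number of requests; the gateway hostnames and egress addresses are constructed for the demonstration and are not real AWS values. Gateways are handed out in a random order but none is reused until all have been used, so the load spreads as evenly as possible across egress addresses.

```python
"""Added example: rotating requests across several API Gateway endpoints.

Not code from the original page. Assumes N proxy-type API Gateways that all
forward to the same backend, and a backend that rate-limits on the TCP source
address. Hostnames and IPs below are constructed, not real AWS values.
"""
import random
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed: base URL of each gateway mapped to the egress address the backend
# observes when that gateway forwards the request.
GATEWAYS: Dict[str, str] = {
    "https://aaa111.execute-api.ap-south-1.amazonaws.com/": "3.7.0.10",
    "https://bbb222.execute-api.ap-south-1.amazonaws.com/": "3.7.0.11",
    "https://ccc333.execute-api.ap-south-1.amazonaws.com/": "3.7.0.12",
    "https://ddd444.execute-api.ap-south-1.amazonaws.com/": "3.7.0.13",
    "https://eee555.execute-api.ap-south-1.amazonaws.com/": "3.7.0.14",
}


class GatewayRotator:
    """Hands out gateway base URLs in a random order, exhausting all of them
    before any is reused, so no egress address is hit more often than needed."""

    def __init__(self, gateways: List[str], rng: Optional[random.Random] = None):
        self._gateways = list(gateways)
        self._rng = rng or random.Random()
        self._pending: List[str] = []

    def next_gateway(self) -> str:
        if not self._pending:
            self._pending = list(self._gateways)
            self._rng.shuffle(self._pending)
        return self._pending.pop()


def build_url(gateway_base: str, path: str, query: str = "") -> str:
    """Full URL to request: the chosen gateway plus the target path and query."""
    url = gateway_base.rstrip("/") + "/" + path.lstrip("/")
    return f"{url}?{query}" if query else url


class SourceIpLimiter:
    """Toy backend control: lock out a source address after `limit` requests."""

    def __init__(self, limit: int):
        self.limit = limit
        self.seen: Counter = Counter()

    def allow(self, source_ip: str) -> bool:
        self.seen[source_ip] += 1
        return self.seen[source_ip] <= self.limit


def simulate(n_requests: int, gateways: Dict[str, str], limit: int) -> Tuple[int, int]:
    """Send n_requests through the given gateways; return (allowed, blocked)."""
    rotator = GatewayRotator(list(gateways), random.Random(1))
    limiter = SourceIpLimiter(limit)
    allowed = blocked = 0
    for _ in range(n_requests):
        base = rotator.next_gateway()
        _url = build_url(base, "/login", "user=admin")  # what the client requests
        egress_ip = gateways[base]                      # what the backend sees as the peer
        if limiter.allow(egress_ip):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    direct = {"https://direct.invalid/": "203.0.113.7"}  # no proxying: one source IP
    print("direct :", simulate(20, direct, limit=5))     # (5, 15)
    print("rotated:", simulate(20, GATEWAYS, limit=5))   # (20, 0)
```

With a lockout threshold of 5, twenty direct requests from one address get 15 of them blocked, while the same twenty requests spread over five gateways land four per egress address and none are blocked; thirty requests would put six on each gateway and trip the limiter once per gateway. A backend that keys its limiter on `X-Forwarded-For` instead of the peer address would not be fooled by this alone.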

### Attacking Unauthenticated Public Gateways

A public API Gateway does not authenticate callers by default. If no authorizer is attached, anyone on the internet can invoke the integration behind it, such as a Lambda function.

Scenario: initial enumeration uncovered a Lambda function that runs a particular set of instructions depending on user input and is triggered by API Gateway. We also found that the API Gateway is unauthenticated and exposed to the internet.

Example: below is the code of the Lambda function:

```python
def lambda_handler(event, context):
    # ...
    # HTTP API (payload v2) delivers the parsed query string as a dict;
    # event["rawQueryString"] would hold the unparsed "argument=this_is_changed".
    params = event.get("queryStringParameters") or {}
    argument = params.get("argument")
    if argument == "this_is_normal":
        body = "This is lambda"
    elif argument == "this_is_changed":
        body = "Flag: {secuirtylabs_api_gateways}"
    else:
        body = "unknown argument"
    # Lambda proxy integrations expect a response object, not printed output.
    return {"statusCode": 200, "body": body}
```

Our enumeration also discovered the API endpoint attached to the Lambda: `https://test123.execute-api.ap-south-1.amazonaws.com/`

So we can set the `argument` query parameter ourselves and send a request to the endpoint with curl.

Request:

```
curl "https://test123.execute-api.ap-south-1.amazonaws.com/?argument=this_is_changed"
```

A single unauthenticated request with the right input returns the flag. Confirming whether an endpoint really requires credentials is therefore a standard enumeration step, with one caveat: a REST API returns HTTP 403 with `{"message":"Missing Authentication Token"}` both for protected methods and for paths that simply do not exist, so that response on its own does not prove the resource is protected.
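A check for this misconfiguration from the account side, as an added example that is not code from the original page. It works on the shape returned by the AWS `apigatewayv2` GetApis and GetRoutes calls (HTTP APIs only; REST APIs expose authorization per method through a different API and are not covered). The sample data mirrors the scenario above: the API id `test123` and region come from the page, the route list and names are constructed.

```python
"""Added example: flag HTTP API (API Gateway v2) routes reachable with no credentials.

Not code from the original page. Works on the GetApis / GetRoutes response shape;
the sample data below is constructed (only the API id and region are the page's).
"""
from typing import Dict, Iterable, List
from urllib.parse import urlencode

# Constructed: one item as returned by apigatewayv2 GetApis.
SAMPLE_API: Dict = {
    "ApiId": "test123",
    "Name": "lab-api",
    "ProtocolType": "HTTP",
    "ApiEndpoint": "https://test123.execute-api.ap-south-1.amazonaws.com",
}

# Constructed: items as returned by GetRoutes. A missing AuthorizationType means NONE.
SAMPLE_ROUTES: List[Dict] = [
    {"RouteId": "r1", "RouteKey": "GET /", "AuthorizationType": "NONE"},
    {"RouteId": "r2", "RouteKey": "POST /admin", "AuthorizationType": "AWS_IAM"},
    {"RouteId": "r3", "RouteKey": "GET /profile", "AuthorizationType": "JWT",
     "AuthorizerId": "abc123"},
    {"RouteId": "r4", "RouteKey": "$default"},
]


def unauthenticated_routes(routes: Iterable[Dict]) -> List[str]:
    """RouteKeys with no authorizer; NONE is the default when the field is absent."""
    return [r["RouteKey"] for r in routes
            if r.get("AuthorizationType", "NONE") == "NONE"]


def reachable_urls(api: Dict, routes: Iterable[Dict], stage: str = "$default") -> List[str]:
    """Turn open routes into the URLs an anonymous caller can hit.

    For the `$default` stage the stage name does not appear in the path."""
    base = api["ApiEndpoint"].rstrip("/")
    if stage != "$default":
        base = f"{base}/{stage}"
    out = []
    for key in unauthenticated_routes(routes):
        if key == "$default":
            out.append(f"ANY {base}/ (catch-all route)")
        else:
            method, path = key.split(" ", 1)
            out.append(f"{method} {base}{path}")
    return out


def probe_url(api: Dict, path: str, params: Dict[str, str]) -> str:
    """Build the request the curl above sends, with the query string encoded."""
    return f"{api['ApiEndpoint'].rstrip('/')}{path}?{urlencode(params)}"


def live_audit(region: str) -> Dict[str, List[str]]:
    """Run the check against a real account (first page of results only).

    Needs boto3 and apigatewayv2:GetApis / GetRoutes permissions."""
    import boto3  # imported here so the offline functions run without it
    client = boto3.client("apigatewayv2", region_name=region)
    findings: Dict[str, List[str]] = {}
    for api in client.get_apis().get("Items", []):
        routes = client.get_routes(ApiId=api["ApiId"]).get("Items", [])
        urls = reachable_urls(api, routes)
        if urls:
            findings[api["ApiId"]] = urls
    return findings


if __name__ == "__main__":
    for url in reachable_urls(SAMPLE_API, SAMPLE_ROUTES):
        print(url)
    print(probe_url(SAMPLE_API, "/", {"argument": "this_is_changed"}))
```

On the sample data the audit reports `GET /` and the `$default` catch-all as open, while `/admin` (IAM) and `/profile` (JWT) are not listed. The `$default` route deserves special attention in a real review, since it matches every method and path that no other route claims.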

