
API Gateway - Security


Last updated 2 years ago

This page discusses some interesting security implications of API Gateway.

IP Restriction bypass

Multiple API Gateways can be used to bypass IP restrictions. By routing each request through a randomly chosen API Gateway, the source IP seen by the target changes from request to request, which defeats IP locking and other IP-based restrictions.

In this case, the user proxies each request through a randomly chosen API Gateway, which masks their own IP; the server only ever sees the gateway's address, so an IP allowlist or blocklist on its own is a weak control.

Attacking Unauthenticated Public Gateways

Authentication is not enabled by default on a public API Gateway. So if the gateway is not protected, its target can be triggered from the internet by anyone.

Scenario: initial enumeration uncovered a Lambda function that performs a specific set of instructions based on user input and is triggered by API Gateway. We also found that the API Gateway is unauthenticated and public to the internet.

Example: below is the code of the Lambda function:

def lambda_handler(event, context):
    # ... other handler logic elided in the original ...
    # An HTTP API (payload format v2) delivers ?argument=... as a dict under
    # queryStringParameters; rawQueryString would hold "argument=..." instead
    params = event.get('queryStringParameters') or {}
    argument = params.get('argument')
    if argument == "this_is_normal":
        return {"statusCode": 200, "body": "This is lambda"}
    elif argument == "this_is_changed":
        return {"statusCode": 200, "body": "Flag: {secuirtylabs_api_gateways}"}
    return {"statusCode": 400, "body": "unknown argument"}

Our initial enumeration also discovered the API endpoint attached to the Lambda. The endpoint was found to be https://test123.execute-api.ap-south-1.amazonaws.com/

So in the above case we can manipulate the argument field and send a curl request to the target endpoint.

Request:

curl -X GET 'https://test123.execute-api.ap-south-1.amazonaws.com/?argument=this_is_changed'

In this case, making a curl request to the endpoint with that specific input returns the flag.
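The root cause in the scenario above is a route with no authorizer attached, which is what a defender should be auditing for. The following is an added example (not code from the original page or from AWS) of that check: it walks HTTP API routes in the shape returned by boto3's apigatewayv2 `get_apis()` / `get_routes()` and reports every route whose `AuthorizationType` is `NONE`. The `SAMPLE_APIS` and `SAMPLE_ROUTES` data are constructed for the example (only the `test123` endpoint comes from the page); `fetch_from_aws` is an assumed thin wrapper for pulling the same shapes from a live account and is not needed to run the offline demo.

```python
"""Flag API Gateway HTTP API routes that any Internet client can invoke.

Added example, not part of the original page. Route records mirror the
shape of boto3 apigatewayv2.get_routes()["Items"]; the sample data below
is constructed for this demo.
"""
from typing import Dict, List, Tuple

# Constructed sample of apigatewayv2.get_apis()["Items"]
SAMPLE_APIS: List[Dict] = [
    {
        "ApiId": "test123",
        "Name": "demo-http-api",
        "ProtocolType": "HTTP",
        "ApiEndpoint": "https://test123.execute-api.ap-south-1.amazonaws.com",
    },
]

# Constructed sample of apigatewayv2.get_routes(ApiId=...)["Items"], keyed by ApiId
SAMPLE_ROUTES: Dict[str, List[Dict]] = {
    "test123": [
        {"RouteId": "r1", "RouteKey": "GET /", "AuthorizationType": "NONE",
         "Target": "integrations/abc123"},
        {"RouteId": "r2", "RouteKey": "POST /admin", "AuthorizationType": "JWT",
         "AuthorizerId": "auth1", "Target": "integrations/abc123"},
        {"RouteId": "r3", "RouteKey": "$default", "AuthorizationType": "AWS_IAM",
         "Target": "integrations/abc123"},
    ],
}


def find_unauthenticated_routes(apis: List[Dict],
                                routes_by_api: Dict[str, List[Dict]]) -> List[Dict]:
    """Return one finding per route that is reachable without any authorizer.

    A route record that lacks the AuthorizationType key is treated as NONE,
    which is how API Gateway behaves when no authorizer was ever attached.
    """
    findings = []
    for api in apis:
        for route in routes_by_api.get(api["ApiId"], []):
            auth_type = route.get("AuthorizationType", "NONE")
            if auth_type != "NONE":
                continue
            findings.append({
                "api_id": api["ApiId"],
                "api_name": api.get("Name", ""),
                "endpoint": api.get("ApiEndpoint", ""),
                "route_key": route["RouteKey"],
                # $default (or a proxy route) with no authorizer exposes every path
                "catch_all": route["RouteKey"] == "$default" or "{proxy+}" in route["RouteKey"],
            })
    return findings


def fetch_from_aws(region: str) -> Tuple[List[Dict], Dict[str, List[Dict]]]:
    """Assumed helper: pull the same shapes from a live account.

    Needs boto3 and credentials; boto3 is imported lazily so the offline demo
    runs without it. Pagination (NextToken) is omitted for brevity.
    """
    import boto3
    client = boto3.client("apigatewayv2", region_name=region)
    apis = client.get_apis()["Items"]
    routes = {a["ApiId"]: client.get_routes(ApiId=a["ApiId"])["Items"] for a in apis}
    return apis, routes


def format_report(findings: List[Dict]) -> str:
    """Render findings as one line each; returns an empty string when clean."""
    lines = []
    for f in findings:
        tag = " (catch-all)" if f["catch_all"] else ""
        lines.append(f'{f["api_id"]} {f["api_name"]}: {f["route_key"]}{tag} '
                     f'-> {f["endpoint"]} has AuthorizationType NONE')
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_from_aws("ap-south-1")
    # to audit a real account.
    print(format_report(find_unauthenticated_routes(SAMPLE_APIS, SAMPLE_ROUTES)))
```

Every finding is a route the fix applies to directly: attach a JWT, IAM or Lambda authorizer to the route (or to `$default`) so API Gateway rejects the request before the Lambda is ever invoked, rather than relying on the function itself to notice an unauthenticated caller.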