AWS - API Gateway Post Exploitation
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information check: AWS - API Gateway Enum
You can create a VPC endpoint at https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint for the service com.amazonaws.us-east-1.execute-api, expose the endpoint in a network you can reach (for example via an EC2 instance) and assign it a security group that allows all connections. From that EC2 instance you will then be able to reach the endpoint and therefore call the gateway API that wasn't exposed before.
This technique was found in this CTF writeup.
As indicated in the AWS documentation in the PassthroughBehavior section, the default value WHEN_NO_MATCH passes the request to the backend with no transformation whenever the request's Content-Type header doesn't match any mapping template.
Therefore, in the CTF the API Gateway had an integration template that prevented the flag from being exfiltrated in a response when a request was sent with Content-Type: application/json.
However, sending a request with Content-Type: text/json bypassed that filter: no template matched, so the body was passed through to the backend unchanged.
Finally, as the API Gateway was only allowing GET and OPTIONS, it was possible to send an arbitrary DynamoDB query without any limit by sending a POST request with the query in the body and the header X-HTTP-Method-Override: GET.
In the Enumeration section you can see how to obtain the usage plan of the keys. If you have the key and it's limited to X usages per month, you could simply use it up and cause a DoS.
The API key just needs to be included in an HTTP header called x-api-key.
apigateway:UpdateGatewayResponse, apigateway:CreateDeployment
An attacker with the permissions apigateway:UpdateGatewayResponse and apigateway:CreateDeployment can modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts.
Potential Impact: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
Need testing
apigateway:UpdateStage, apigateway:CreateDeployment
An attacker with the permissions apigateway:UpdateStage and apigateway:CreateDeployment can modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data.
Potential Impact: Unauthorized access to cached data, disrupting or intercepting API traffic.
Need testing
apigateway:PutMethodResponse, apigateway:CreateDeployment
An attacker with the permissions apigateway:PutMethodResponse and apigateway:CreateDeployment can modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts.
Potential Impact: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
Need testing
apigateway:UpdateRestApi, apigateway:CreateDeployment
An attacker with the permissions apigateway:UpdateRestApi and apigateway:CreateDeployment can modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API.
Potential Impact: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information.
Need testing
apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, apigateway:CreateUsagePlanKey
An attacker with the permissions apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, and apigateway:CreateUsagePlanKey can create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs.
Potential Impact: Unauthorized access to API resources, bypassing security controls.
Need testing