AWS - API Gateway Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

API Invoke bypass

According to the talk Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo, Lambda Authorizers can be configured using IAM syntax to give permissions to invoke API endpoints. This is taken from the docs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Permission",
      "Action": [
        "execute-api:Execution-operation"           
      ],
      "Resource": [
        "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path"
      ]
    }
  ]
}

The problem with this way to give permissions to invoke endpoints is that the "*" implies "anything" and there is no more regex syntax supported.

Some examples:

A rule such as arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/* in order to give each user access to /dashboard/user/{username} will give them access to other routes such as /admin/dashboard/createAdmin for example.

Note that "*" doesn't stop expanding with slashes, therefore, if you use "*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid. So arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/* Can validate a post request to test stage to the path /prod/GET/dashboard/admin for example.

You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted.

For more info, apart of the docs, you can find code to implement authorizers in this official aws github.

IAM Policy Injection

In the same talk it's exposed the fact that if the code is using user input to generate the IAM policies, wildcards (and others such as "." or specific strings) can be included in there with the goal of bypassing restrictions.

Public URL template

https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}

Get Account ID from public API Gateway URL

Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the aws:ResourceAccount Policy Condition Key from a public API Gateway URL. This is done by finding the account ID one character at a time abusing wildcards in the aws:ResourceAccount section of the policy. This technique also allows to get values of tags if you know the tag key (there some default interesting ones).

You can find more information in the original research and the tool conditional-love to automate this exploitation.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Accounts Unauthenticated Enum NextAWS - Cloudfront Unauthenticated Enum

Last updated 2 months ago