AWS - API Gateway Unauthenticated Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

API Invoke bypass

Kulingana na mazungumzo Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo, Lambda Authorizers zinaweza kuundwa kwa kutumia sintaksia ya IAM kutoa ruhusa za kuita mwisho wa API. Hii inachukuliwa kutoka kwenye docs:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Permission",
"Action": [
"execute-api:Execution-operation"
],
"Resource": [
"arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path"
]
}
]
}

The problem with this way to give permissions to invoke endpoints is that the "*" implies "anything" and there is no more regex syntax supported.

Some examples:

A rule such as arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/* in order to give each user access to /dashboard/user/{username} will give them access to other routes such as /admin/dashboard/createAdmin for example.

Note that "*" doesn't stop expanding with slashes, therefore, if you use "*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid. So arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/* Can validate a post request to test stage to the path /prod/GET/dashboard/admin for example.

You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted.

For more info, apart of the docs, you can find code to implement authorizers in this official aws github.

IAM Policy Injection

In the same talk it's exposed the fact that if the code is using user input to generate the IAM policies, wildcards (and others such as "." or specific strings) can be included in there with the goal of bypassing restrictions.

Public URL template

https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}

Pata ID ya Akaunti kutoka kwa URL ya API Gateway ya umma

Kama ilivyo kwa mifuko ya S3, Data Exchange na URL za Lambda gateways, inawezekana kupata ID ya akaunti ya akaunti kwa kutumia aws:ResourceAccount Policy Condition Key kutoka kwa URL ya API Gateway ya umma. Hii inafanywa kwa kupata ID ya akaunti moja herufi kwa wakati kwa kutumia wildcards katika sehemu ya aws:ResourceAccount ya sera. Teknolojia hii pia inaruhusu kupata maadili ya lebo ikiwa unajua ufunguo wa lebo (kuna baadhi ya zile za kawaida zinazovutia).

Unaweza kupata maelezo zaidi katika utafiti wa asili na zana conditional-love ili kuendesha uhalifu huu kiotomatiki.

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki hila za uhalifu kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - Accounts Unauthenticated Enum NextAWS - Cloudfront Unauthenticated Enum

Last updated 8 days ago

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Permission", "Action": [ "execute-api:Execution-operation" ], "Resource": [ "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path" ] } ] }