AWS - API Gateway Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

API Gateway

Basic Information

AWS API Gateway is a fully managed service offered by Amazon Web Services (AWS) designed for developers to create, publish, and manage APIs at scale. It acts as the entry point to an application, letting developers define a set of rules and procedures that govern how external users access certain data or functionality inside the application.

API Gateway lets you define how requests to your APIs should be handled, and it can create custom API endpoints with specific methods (e.g., GET, POST, PUT, DELETE) and resources. It can also generate client SDKs (Software Development Kits) to make it easier for developers to call your APIs from their applications.

API Gateway Types

  • HTTP API: Build low-latency and cost-effective REST APIs with built-in features such as OIDC and OAuth2, and native CORS support. Works with the following: Lambda, HTTP backends.

  • WebSocket API: Build a WebSocket API using persistent connections for real-time use cases such as chat applications or dashboards. Works with the following: Lambda, HTTP, AWS Services.

  • REST API: Develop a REST API where you gain complete control over the request and response along with API management capabilities. Works with the following: Lambda, HTTP, AWS Services.

  • REST API Private: Create a REST API that is only accessible from within a VPC.

API Gateway Main Components

  1. Resources: In API Gateway, resources are the components that make up the structure of your API. They represent the different paths or endpoints of your API and correspond to the various actions your API supports. A resource is each method (e.g., GET, POST, PUT, DELETE) inside each path (/, or /users, or /user/{id}).

  2. Stages: Stages in API Gateway represent different versions or environments of your API, such as development, staging, or production. You can use stages to manage and deploy multiple versions of your API simultaneously, allowing you to test new features or bug fixes without affecting the production environment. Stages also support stage variables, which are key-value pairs that can be used to configure the behavior of your API based on the current stage. For example, you could use stage variables to route API requests to different Lambda functions or other backend services depending on the stage.

  • The stage is indicated at the beginning of the path of the API gateway endpoint URL, right after the host.

  3. Authorizers: Authorizers in API Gateway are responsible for controlling access to your API by verifying the identity of the caller before allowing the request to proceed. You can use AWS Lambda functions as custom authorizers, which let you implement your own authentication and authorization logic. When a request comes in, API Gateway passes the request's authorization token to the Lambda authorizer, which processes the token and returns an IAM policy that determines what actions the caller is allowed to perform. API Gateway also supports built-in authorizers, such as AWS Identity and Access Management (IAM) and Amazon Cognito.

  4. Resource Policy: A resource policy in API Gateway is a JSON document that defines the permissions for accessing your API. It is similar to an IAM policy but tailored specifically for API Gateway. You can use a resource policy to control who can access your API, which methods they can call, and from which IP addresses or VPCs they can connect. Resource policies can be used in combination with authorizers to provide fine-grained access control for your API.

  • For the resource policy to take effect, the API needs to be deployed again after the resource policy is changed.

Logging

By default, CloudWatch Logs are off, Access Logging is off, and X-Ray tracing is also off.

Enumeration

Please note that in both AWS APIs for enumerating resources (apigateway and apigatewayv2) the only permission you need, and the only read permission that can be granted, is apigateway:GET, so with it you can enumerate everything.

```bash
# Generic info
aws apigateway get-account
aws apigateway get-domain-names
aws apigateway get-usage-plans
aws apigateway get-vpc-links
aws apigateway get-client-certificates

# Enumerate APIs
aws apigateway get-rest-apis # This will also show the resource policy (if any)
## Get stages
aws apigateway get-stages --rest-api-id <id>
## Get resources
aws apigateway get-resources --rest-api-id <id>
## Get API resource action per HTTP verb (check authorizers and api key required)
aws apigateway get-method --http-method GET --rest-api-id <api-id> --resource-id <resource-id>

## Call API
https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<resource>
## API authorizers
aws apigateway get-authorizers --rest-api-id <id>
## Models
aws apigateway get-models --rest-api-id <id>
## More info
aws apigateway get-gateway-responses --rest-api-id <id>
aws apigateway get-request-validators --rest-api-id <id>
aws apigateway get-deployments --rest-api-id <id>

# Get api keys generated
aws apigateway get-api-keys --include-value
aws apigateway get-api-key --api-key <id> --include-value # Get just 1
## Example use API key
curl -X GET -H "x-api-key: AJE&Ygenu4[..]" https://e83uuftdi8.execute-api.us-east-1.amazonaws.com/dev/test
## Usage plans
aws apigateway get-usage-plans # Get limit use info
aws apigateway get-usage-plan-keys --usage-plan-id <plan_id> # Get clear text values of api keys
aws apigateway get-usage-plan-key --usage-plan-id <plan_id> --key-id <key_id>
### Already consumed
aws apigateway get-usage --usage-plan-id <plan_id> --start-date 2023-07-01 --end-date 2023-07-12
```
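To turn the output of the commands above into a per-method picture of what gates each endpoint, the following added example (not code from the original page) takes the JSON shape returned by `aws apigateway get-resources --rest-api-id <id> --embed methods` plus the stage names from `get-stages`, builds the invoke URL for every method and stage, and flags methods that have no IAM, Cognito or Lambda authorizer. The API id, region, stage names and resource JSON are constructed sample values.

```python
import json

# Constructed sample in the shape of `aws apigateway get-resources --embed methods` output
SAMPLE_RESOURCES = json.loads("""{"items": [
  {"id": "a1b2c3", "path": "/", "resourceMethods": {
    "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": false}}},
  {"id": "d4e5f6", "path": "/user/{id}", "resourceMethods": {
    "GET": {"httpMethod": "GET", "authorizationType": "AWS_IAM", "apiKeyRequired": false},
    "DELETE": {"httpMethod": "DELETE", "authorizationType": "CUSTOM",
               "authorizerId": "xyz123", "apiKeyRequired": false}}},
  {"id": "g7h8i9", "path": "/internal", "resourceMethods": {
    "POST": {"httpMethod": "POST", "authorizationType": "NONE", "apiKeyRequired": true}}}
]}""")

def invoke_url(api_id, region, stage, path):
    """Invoke URL pattern: https://<api-id>.execute-api.<region>.amazonaws.com/<stage><path>."""
    return f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}{path}"

def classify(method):
    """Map a method's settings to the kind of control that gates it."""
    auth = method.get("authorizationType", "NONE")
    if auth == "NONE" and not method.get("apiKeyRequired", False):
        return "OPEN"          # callable by anyone a resource policy does not block
    if auth == "NONE":
        return "API_KEY_ONLY"  # an API key is a usage-plan control, not authentication
    return auth                # AWS_IAM, CUSTOM (Lambda authorizer) or COGNITO_USER_POOLS

def triage(resources, api_id, region, stages, has_resource_policy):
    """One finding per method per deployed stage."""
    findings = []
    for res in resources["items"]:
        for verb, method in sorted(res.get("resourceMethods", {}).items()):
            for stage in stages:
                findings.append({
                    "method": verb, "path": res["path"], "stage": stage,
                    "url": invoke_url(api_id, region, stage, res["path"]),
                    "auth": classify(method),
                    "authorizer": method.get("authorizerId"),
                    "resource_policy": has_resource_policy,  # from get-rest-apis output
                })
    return findings

def open_endpoints(findings):
    """Methods reachable without IAM, Cognito or a Lambda authorizer."""
    return [f for f in findings if f["auth"] in ("OPEN", "API_KEY_ONLY")]

if __name__ == "__main__":
    for f in open_endpoints(triage(SAMPLE_RESOURCES, "abc123", "us-east-1", ["dev", "prod"], False)):
        print(f["auth"], f["method"], f["url"])
```

Replace the sample with the saved output of the real commands to triage an account you are reviewing; an `OPEN` method is only protected by a resource policy, if one exists at all.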

Enumerating API Gateway v2

  1. List API Gateways v2: Use the getApis method to list all API Gateways v2 in the account: `aws apigatewayv2 get-apis`

  2. Describe API Gateway v2: Use the getApi method to describe a specific API Gateway v2: `aws apigatewayv2 get-api --api-id <api-id>`

  3. List API Gateway v2 Integrations: Use the getIntegrations method to list all integrations for a specific API Gateway v2: `aws apigatewayv2 get-integrations --api-id <api-id>`

  4. List API Gateway v2 Routes: Use the getRoutes method to list all routes for a specific API Gateway v2: `aws apigatewayv2 get-routes --api-id <api-id>`

  5. List API Gateway v2 Deployments: Use the getDeployments method to list all deployments for a specific API Gateway v2: `aws apigatewayv2 get-deployments --api-id <api-id>`

  6. List API Gateway v2 Stages: Use the getStages method to list all stages for a specific API Gateway v2: `aws apigatewayv2 get-stages --api-id <api-id>`

  7. List API Gateway v2 Domain Names: Use the getDomainNames method to list all custom domain names in the account (this call is account-wide and takes no API id): `aws apigatewayv2 get-domain-names`

  8. List API Gateway v2 APIs for a Domain Name: Use the getApiMappings method to list the API and stage mappings of a specific domain name: `aws apigatewayv2 get-api-mappings --domain-name <domain-name>`

  9. List API Gateway v2 Authorizers: Use the getAuthorizers method to list all authorizers for a specific API Gateway v2: `aws apigatewayv2 get-authorizers --api-id <api-id>`

  10. List API Gateway v2 Models: Use the getModels method to list all models for a specific API Gateway v2: `aws apigatewayv2 get-models --api-id <api-id>`

  11. List API Gateway v2 VPC Links: Use the getVpcLinks method to list all VPC links in the account (account-wide, no API id): `aws apigatewayv2 get-vpc-links`

  12. List API Gateway v2 Tags: Use the getTags method to list all tags of a specific API Gateway v2: `aws apigatewayv2 get-tags --resource-arn <api-arn>`

  13. List API Gateway v2 APIs for a Tag: getApis has no server-side tag filter, so filter its output on the Tags map client-side: `aws apigatewayv2 get-apis --query 'Items[?Tags."<tag-key>"]'`
```bash
# Generic info
## apigatewayv2 has no get-account, get-usage-plans or get-client-certificates;
## those only exist in the v1 "apigateway" CLI above
aws apigatewayv2 get-domain-names
aws apigatewayv2 get-domain-name --domain-name <name>
aws apigatewayv2 get-vpc-links

# Enumerate APIs
aws apigatewayv2 get-apis # This will also show the resource policy (if any)
aws apigatewayv2 get-api --api-id <id>

## Get all the info from an api at once (last argument is the output file)
aws apigatewayv2 export-api --api-id <id> --output-type YAML --specification OAS30 /tmp/api.yaml

## Get stages
aws apigatewayv2 get-stages --api-id <id>

## Get routes
aws apigatewayv2 get-routes --api-id <id>
aws apigatewayv2 get-route --api-id <id> --route-id <route-id>

## Get deployments
aws apigatewayv2 get-deployments --api-id <id>
aws apigatewayv2 get-deployment --api-id <id> --deployment-id <dep-id>

## Get integrations
aws apigatewayv2 get-integrations --api-id <id>

## Get authorizers
aws apigatewayv2 get-authorizers --api-id <id>
aws apigatewayv2 get-authorizer --api-id <id> --authorizer-id <auth-id>

## Get domain mappings
aws apigatewayv2 get-api-mappings --domain-name <dom-name>
aws apigatewayv2 get-api-mapping --api-mapping-id <map-id> --domain-name <dom-name>

## Get models
aws apigatewayv2 get-models --api-id <id>

## Call API
https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<resource>
```

Different Authorizations to access API Gateway endpoints

Resource Policy

It's possible to use resource policies to define who can call the API endpoints. In the following example you can see that the indicated IP cannot call the endpoint /resource_policy via GET.

IAM Authorizer

It's possible to set that a method inside a path (resource) requires IAM authentication to be called.

When this is set you will receive the error {"message":"Missing Authentication Token"} when you try to reach the endpoint without any authorization.

One easy way to generate the token expected by the application is to use the AWS Signature authorization type inside Postman.

Set the Access Key and Secret Key of the account you want to use and you can authenticate against the API endpoint.

It will generate an Authorization header such as:

Signing a Request Using Python

```bash
pip install requests
pip install requests-aws4auth
pip install boto3
```

```python
import boto3
import requests
from requests_aws4auth import AWS4Auth

region = 'us-east-1'  # Region of the API
service = 'execute-api'  # SigV4 service name for API Gateway invocations
access_key = 'YOUR_ACCESS_KEY'
secret_key = 'YOUR_SECRET_KEY'

url = 'https://<apiid>.execute-api.us-east-1.amazonaws.com/<stage>/<resource>'

# Resolve the credentials through boto3 so a session token (if any) is picked up too
session = boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key)
credentials = session.get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token)

# requests-aws4auth adds the AWS4-HMAC-SHA256 Authorization header shown above
response = requests.get(url, auth=awsauth)

print(response.text)
```

Custom Lambda Authorizer

It's possible to use a lambda that, based on the provided token, will return an IAM policy indicating whether the user is authorized to call the API endpoint. You can set each resource method that is going to use the authorizer.

Lambda Authorizer Example

```python
import json

def lambda_handler(event, context):
    token = event['authorizationToken']
    method_arn = event['methodArn']

    if not token:
        return {
            'statusCode': 401,
            'body': 'Unauthorized'
        }

    try:
        # Replace this with your own token validation logic
        if token == "your-secret-token":
            return generate_policy('user', 'Allow', method_arn)
        else:
            return generate_policy('user', 'Deny', method_arn)
    except Exception as e:
        print(e)
        return {
            'statusCode': 500,
            'body': 'Internal Server Error'
        }

def generate_policy(principal_id, effect, resource):
    # IAM policy document that API Gateway evaluates for execute-api:Invoke
    policy = {
        'principalId': principal_id,
        'policyDocument': {
            'Version': '2012-10-17',
            'Statement': [
                {
                    'Action': 'execute-api:Invoke',
                    'Effect': effect,
                    'Resource': resource
                }
            ]
        }
    }
    return policy
```

Call it like this:

```bash
curl "https://jhhqafgh6f.execute-api.eu-west-1.amazonaws.com/prod/custom_auth" -H 'Authorization: your-secret-token'
```

<div data-gb-custom-block data-tag="hint" data-style='warning'>

Depending on the Lambda code, this authorization could be vulnerable

</div>

Note that if a **deny policy is generated and returned**, the error returned by API Gateway is: `{"Message":"User is not authorized to access this resource with an explicit deny"}`

This way you can **identify that this authorization** is in place.

### API Key Required

It's possible to set API endpoints that **require a valid API key** to contact them.

<figure><img src="../../../.gitbook/assets/image (88).png" alt=""><figcaption></figcaption></figure>

It's possible to generate API keys in the API gateway and even set how much each can be used (in terms of requests per second and requests per month).

To make an API key work, you need to add it to a **Usage Plan**, this usage plan must be added to the **API Stage**, and the associated API stage needs to have a **method throttling** configured for the **endpoint** requiring the API key:

<figure><img src="../../../.gitbook/assets/image (198).png" alt=""><figcaption></figcaption></figure>

## Unauthenticated Access

<div data-gb-custom-block data-tag="content-ref" data-url='../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md'>

[aws-api-gateway-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md)

</div>

## Privesc

<div data-gb-custom-block data-tag="content-ref" data-url='../aws-privilege-escalation/aws-apigateway-privesc.md'>

[aws-apigateway-privesc.md](../aws-privilege-escalation/aws-apigateway-privesc.md)

</div>

## Post Exploitation

<div data-gb-custom-block data-tag="content-ref" data-url='../aws-post-exploitation/aws-api-gateway-post-exploitation.md'>

[aws-api-gateway-post-exploitation.md](../aws-post-exploitation/aws-api-gateway-post-exploitation.md)

</div>

### Persistence

<div data-gb-custom-block data-tag="content-ref" data-url='../aws-persistence/aws-api-gateway-persistence.md'>

[aws-api-gateway-persistence.md](../aws-persistence/aws-api-gateway-persistence.md)

</div>
