AWS - API Gateway Unauthenticated Enum
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the Telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud GitHub repos.
API Invoke bypass
According to the talk Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo, Lambda Authorizers can be configured using IAM syntax to grant permissions to invoke API endpoints. This is taken from the docs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Permission",
      "Action": ["execute-api:Execution-operation"],
      "Resource": [
        "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path"
      ]
    }
  ]
}
The problem with this way of granting permission to invoke endpoints is that “*” means “anything”, and no other regex syntax is supported.
Some examples:
- A rule such as arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/* , intended to give each user access to /dashboard/user/{username}, will also give them access to other routes such as /admin/dashboard/createAdmin, for example.
Warning
Note that “*” doesn’t stop expanding at slashes; therefore, if you use “*” in the api-id position, for example, it can also mean “any stage” or “any method” as long as the overall pattern still matches.
So arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/* can validate a POST request to the test stage with the path /prod/GET/dashboard/admin, for example.
You should always be clear about exactly what you want to allow access to, and then check whether other scenarios are possible with the permissions granted.
For more info, apart from the docs, you can find code to implement authorizers in this official AWS GitHub repo.
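As an added example (not code from the talk, the docs or this page), the following Python checker reproduces IAM's Resource wildcard semantics (“*” spans slashes, “?” is one character, nothing else is special) and reports which request ARNs a pattern matches beyond the ones you meant to allow. The region, account and API ids are placeholders reused from the examples above, and the service name is execute-api as in the docs template.

```python
import re

# Placeholder values reused from the page's examples (not real identifiers).
REGION, ACCOUNT, API_ID = "sa-east-1", "accid", "api-id"

def iam_pattern_to_regex(pattern: str):
    """IAM Resource matching: '*' is any run of characters (slashes included),
    '?' is exactly one character, everything else is literal. Nothing else."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def request_arn(stage: str, method: str, path: str) -> str:
    """execute-api ARN that API Gateway evaluates for one request
    (service name 'execute-api', as in the docs template)."""
    return (f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}"
            f"/{stage}/{method}/{path.lstrip('/')}")

def unintended_matches(pattern: str, intended: list, probes: list) -> list:
    """Probe ARNs the pattern matches although they are not in the intended
    allow-list. Raises if the pattern fails to cover an intended ARN."""
    rx = iam_pattern_to_regex(pattern)
    missing = [a for a in intended if not rx.match(a)]
    if missing:
        raise ValueError(f"pattern does not cover intended ARNs: {missing}")
    return [a for a in probes if rx.match(a) and a not in intended]

# Patterns from the page's two examples plus a tightened alternative.
LOOSE = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}/prod/*/dashboard/*"
WILD_API = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:*/prod/GET/dashboard/*"
TIGHT = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}/prod/GET/dashboard/user/*"
INTENDED = [request_arn("prod", "GET", "/dashboard/user/alice")]
PROBES = [
    request_arn("prod", "GET", "/admin/dashboard/createAdmin"),
    request_arn("prod", "GET", "/users/alice"),
    # '*' in the api-id slot also swallows the stage and method:
    request_arn("test", "POST", "/prod/GET/dashboard/admin"),
]

if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("WILD_API", WILD_API), ("TIGHT", TIGHT)):
        print(name, "also allows:", unintended_matches(pat, INTENDED, PROBES))
```

Running it shows the first two patterns each admitting one route outside the intended set, while the tightened pattern (explicit method, explicit /dashboard/user/ prefix) admits none of the probes.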
IAM Policy Injection
In the same talk it is shown that, if the code uses user input to generate the IAM policies, wildcards (and other characters such as “.” or specific strings) can be injected into them with the goal of bypassing restrictions.
Public URL template
https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}
Get Account ID from a public API Gateway URL
Similarly to S3 buckets, Data Exchange and Lambda URLs, you can enumerate the target Account ID character by character from a public API Gateway URL by abusing the aws:ResourceAccount Policy Condition Key in a policy.
Find out the account ID one character at a time by abusing wildcards in the aws:ResourceAccount part of the policy.
This technique can also obtain tag values if you know the tag key (there are some interesting default keys).
You can find more information in the original research and in the tool conditional-love, which automates this exploitation.