Hacking API Gateway
API Gateway is a service that allows developers to create APIs for their applications. It can also be integrated with other AWS services, and misconfigurations in those integrations can pose a security risk.
Each API Gateway has a URL, called its endpoint, which is used to invoke it.
For example, here the endpoint is:
The API Gateway configuration for the above endpoint includes a method named `wpeiyqw4ds` and a region named
These endpoints can be of two types:
- Private API endpoint: accessible only from the VPC and approved subnets, through a VPC interface endpoint.
- Public API endpoint: accessible from the Internet.
Users can build their own application flow using routes in API Gateway. For instance, adding a route for `/application` means the user can specify the service or resource that will be invoked when a request is sent to
As an example, here the route `/route` has been added, which means API Gateway will perform the configured action when a request reaches that path.
Integrations for an API Gateway allow users to configure the action taken for a given route.
The above configuration specifies an integration where any request to `/route` is forwarded to `https://google.com`. Hence, here the route `/route` has a
A stage is a snapshot of an API Gateway used to manage and tune an individual deployment. A single API Gateway can have multiple stages, and each stage can have its own throttling and monitoring configuration.
Because throttling is configured per stage, a route that is throttled in one stage may still be freely reachable in another stage whose throttling is more relaxed.
Here we have two stages. One is `$default`, the default stage that exists whenever an API Gateway is created. The other is a custom stage named `production_stage`, which has a different endpoint
NOTE: The domain is the same for every stage; only the path differs.
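The invoke URL format above (API id, region, then stage and route in the path) can be pulled apart programmatically. The following is an added example, not code from the original page: it parses an invoke URL into its components and builds the matching `execute-api` resource ARN that a resource policy would have to name. The API id `wpeiyqw4ds` comes from the page; the region `us-east-1`, the account id `123456789012` and the URLs in `main()` are constructed for the example. It assumes the stage list is known (e.g. from the console), because the `$default` stage of an HTTP API is served from the root of the domain with no stage prefix, so a first path segment that is not a named stage is a route on `$default`.

```python
import re
from dataclasses import dataclass

# Shape of a public API Gateway invoke URL (assumed from the AWS naming scheme):
#   https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<route>
# The $default stage has no path prefix, so "/route" on the bare domain is the
# route "/route" on $default, while "/production_stage/route" is the same route
# on the named stage "production_stage".
INVOKE_URL_RE = re.compile(
    r"^https://(?P<api_id>[a-z0-9]+)\.execute-api\."
    r"(?P<region>[a-z0-9-]+)\.amazonaws\.com(?P<path>/.*)?$"
)


@dataclass(frozen=True)
class InvokeTarget:
    api_id: str
    region: str
    stage: str
    route: str


def parse_invoke_url(url: str, named_stages: tuple[str, ...] = ()) -> InvokeTarget:
    """Split an invoke URL into API id, region, stage and route.

    named_stages lists the custom stages known to exist; any other first path
    segment is treated as a route on the $default stage (assumption: HTTP API
    with $default served from the domain root).
    """
    m = INVOKE_URL_RE.match(url)
    if not m:
        raise ValueError(f"not an API Gateway invoke URL: {url}")
    path = m.group("path") or "/"
    segments = [s for s in path.split("/") if s]
    if segments and segments[0] in named_stages:
        stage, rest = segments[0], segments[1:]
    else:
        stage, rest = "$default", segments
    return InvokeTarget(m.group("api_id"), m.group("region"), stage, "/" + "/".join(rest))


def execute_api_arn(target: InvokeTarget, account_id: str, method: str = "*") -> str:
    """Build the execute-api resource ARN covering this stage/method/route:
    arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/<METHOD>/<path>
    This is the form a resource policy's Resource element must match."""
    return (
        f"arn:aws:execute-api:{target.region}:{account_id}:"
        f"{target.api_id}/{target.stage}/{method}/{target.route.lstrip('/')}"
    )


def main() -> None:
    # Constructed sample URLs: same domain, different stage path (see NOTE above).
    stages = ("production_stage",)
    for url in (
        "https://wpeiyqw4ds.execute-api.us-east-1.amazonaws.com/route",
        "https://wpeiyqw4ds.execute-api.us-east-1.amazonaws.com/production_stage/route",
    ):
        t = parse_invoke_url(url, named_stages=stages)
        print(f"{url}\n  stage={t.stage!r} route={t.route!r}")
        print(f"  ARN: {execute_api_arn(t, '123456789012', 'GET')}")  # placeholder account id


if __name__ == "__main__":
    main()
```

The `named_stages` argument matters: without it, `/production_stage/route` would be misread as a two-segment route on `$default`, which is exactly the ambiguity a reviewer runs into when comparing a stage's throttling settings with the URLs actually being hit.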
As mentioned earlier, an API Gateway can be public or private. A resource policy is optional for a public API Gateway but mandatory for a private one, since it is the access control for private API Gateways.
Example resource policy:
This policy reveals that:
- `Effect` indicates whether the named Principal is granted Allow or Deny on the Resource. Here, `Allow` means that user Alice can invoke the API Gateway. If Effect were `Deny`, it would mean that user Alice is not authorized to invoke the API Gateway.
- `Action` indicates the exact permission given to the Principal on the Resource. Here `execute-api:Invoke` means that user Alice is allowed to invoke the API Gateway.
- `Principal` indicates the source ARN associated with this policy. Here `arn:aws:iam::account-id-2:user/Alice` indicates that user Alice is the one being granted access.
- `Resource` indicates the route in the API Gateway that the policy applies to. In this case Alice can make a GET request to
Simply reading the resource policy gave us useful information about the target: we now know a user in the target AWS account, a working route `/pets`, and even a stage called `production`, all of which is useful for enumeration.
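To make the Effect/Action/Principal/Resource reasoning above concrete, here is an added example (not code from the original page) that evaluates a resource policy for a given request and extracts the same enumeration-relevant facts (principals, stages, routes) from the policy document. It also flags Allow statements open to any principal with no Condition, which is the kind of statement worth a second look on a private API. The policy is constructed to match the page's description; `us-east-1`, `account-id-1` and the second `OPEN_POLICY` are placeholders for the example. Evaluation is a simplified IAM model (explicit Deny wins, otherwise a matching Allow is needed); `Condition`, `NotPrincipal` and `NotAction` are not handled.

```python
from fnmatch import fnmatchcase

# Constructed policy modelled on the page's example: a user in a second account
# may invoke GET /pets on the "production" stage. Region and owner account are placeholders.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::account-id-2:user/Alice"},
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:us-east-1:account-id-1:wpeiyqw4ds/production/GET/pets",
    }],
}

# Constructed second policy: wide-open Allow plus an explicit Deny on DELETE.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:us-east-1:account-id-1:wpeiyqw4ds/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:us-east-1:account-id-1:wpeiyqw4ds/production/DELETE/*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(statement) -> list[str]:
    """Return the AWS principal patterns of a statement ("*" for anyone)."""
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    return _as_list(p.get("AWS", []))


def _split_resource(arn: str):
    """Parse arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>.
    Missing trailing parts (e.g. "<api-id>/*") are treated as wildcards."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "execute-api":
        return None
    tail = parts[5].split("/", 3) + ["*"] * 3
    api_id, stage, method, path = tail[:4]
    return api_id, stage, method, path


def is_allowed(policy, principal_arn: str, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins over any Allow, and
    without a matching Allow the request is implicitly denied."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(principal_arn, p) for p in _principals(st)):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def summarize_policy(policy) -> dict:
    """What a reviewer can read straight off the document: trusted principals,
    the stages named in Resource ARNs, and the method/route pairs exposed."""
    principals, stages, routes = set(), set(), set()
    for st in policy["Statement"]:
        principals.update(_principals(st))
        for r in _as_list(st.get("Resource", [])):
            parsed = _split_resource(r)
            if parsed:
                _, stage, method, path = parsed
                stages.add(stage)
                routes.add(f"{method} /{path}")
    return {"principals": sorted(principals), "stages": sorted(stages), "routes": sorted(routes)}


def public_allow_statements(policy) -> list[dict]:
    """Allow statements granted to any principal with no Condition attached;
    on a private API these deserve review since the policy is its only access control."""
    return [st for st in policy["Statement"]
            if st.get("Effect") == "Allow" and "*" in _principals(st) and "Condition" not in st]


if __name__ == "__main__":
    alice = "arn:aws:iam::account-id-2:user/Alice"
    pets = "arn:aws:execute-api:us-east-1:account-id-1:wpeiyqw4ds/production/GET/pets"
    print("Alice GET /pets allowed:", is_allowed(EXAMPLE_POLICY, alice, "execute-api:Invoke", pets))
    print("Summary:", summarize_policy(EXAMPLE_POLICY))
    print("Open statements in OPEN_POLICY:", len(public_allow_statements(OPEN_POLICY)))
```

Running the summary against the page's policy yields exactly the three facts the text points out (the Alice principal, the `production` stage and `GET /pets`), which is why even a read-only view of a resource policy is worth logging and restricting.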