API Gateway - Security

We will discuss some of interesting security implications to API Gateway.

IP Restriction bypass

Multiple API Gateways can be used to bypass IP restriction. This can be done by routing requests via API Gateway randomly which can easily bypass IP locking and other IP based restrictions.

In this case, user would proxy their request via randomly chosen API Gateway which helps to mask his IP and later send the request to server with IP masked.

Attacking Unauthenticated Public Gateways

Authentication in Public API Gateway doesn't happen by default. So it is completely possible to trigger the API Gateway target from internet if the Gateway is not protected.

Scenario : Initial enumeration uncovered a lambda function which performs special set of instructions on the basis of user input and is triggered by API Gateway. We also found that API Gateway is unauthenticated and public to internet.

Example: Below is the code of lambda function :-

def lambda_handler(event,context):
	......
	argument = event['rawQueryString']
	if argument == "this_is_normal":
		printf("This is lambda")
	elif argument == "this_is_changed":
		printf("Flag: {secuirtylabs_api_gateways}")

Our initial enumeration also discovered the API Endpoint attached with the lambda. API endpoint was found to be https://test123.execute-api.ap-south-1.amazonaws.com/

So in the above case we can manipulate argument field and send a curl request to the target Endpoint.

Request:

curl -X GET https://test123.execute-api.ap-south-1.amazonaws.com/?argument=this_is_changed

In this case making curl request to the endpoint with a specific input helps us get flag.