I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty
68 points by tjek 1 hour ago | 13 comments | theguptalog.blogspot.com | HN
me551ah
12 minutes ago
You didn’t break API Gateway or bypass it; you broke the company using an incorrect API Gateway config.

Your title is clickbait.
praptak
43 minutes ago
Appending stuff to bypass blacklists is eternal.

My first job, decades ago. I couldn't update something on my laptop because the client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.
sillysaurusx
29 minutes ago
Ah, a rare situation where you have to put your URL in angle brackets for it to be parsed correctly here: <http://foo.com/update.exe?> (Not that it matters in this case. Also I would’ve guessed the angle brackets would disappear, but apparently not.)

[1] https://news.ycombinator.com/formatdoc
elpocko
16 minutes ago
A DPI firewall at a place of education had a whitelist of allowed domains that you could connect to from the internal network. One entry in the whitelist was "microsoft.com".

I installed a web proxy on my VPS, which was accessible under a domain name like "computerthings.example", created a subdomain called "microsoft", and voilà: "microsoft.computerthings.example" was good enough to match "^microsoft.com.*" and allowed us to bypass the block for the next two years.
A_Duck
1 hour ago
$1 removing the slash, $11,999 knowing where to remove the slash from
dizhn
50 minutes ago
At that rate I would remove it from everywhere.
throw1234567891
39 minutes ago
But do you know where they all are?
sammy2255
1 hour ago
Did you bypass AWS API Gateway, or did you bypass it for a company that had its AWS API Gateway misconfigured?
stuartjohnson12
54 minutes ago
I hate it when people say this, as if there's any world in which I would want my AWS API Gateway to do this, let alone accidentally. HTTP is littered with these footguns; the difference between a trailing slash and no slash is a classic. A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without a trailing slash.

Yes, yes, I know, the folder/file naming convention dating from...

But it's current year now
fiedzia
32 minutes ago
> A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.

Django redirects one version to another by default, which achieves that.
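Added example, not taken from the linked post or from any commenter: a minimal Python model of the bug class the comments above are arguing about. A front door (think of an API Gateway route with an authorizer attached to specific paths) decides whether a token is required by comparing the raw path string, while the backend canonicalises the path before dispatching. The route table, token, handler names and candidate paths are all constructed for illustration and are not taken from the actual target.

```python
"""
Added example, not taken from the linked post: a minimal model of the bug
class discussed above. A front door (think: an API Gateway route with an
authorizer attached to specific paths) decides whether a token is required
by comparing the raw path string; the backend canonicalises the path before
dispatching. Any spelling the front door does not recognise but the backend
maps to the same handler skips authentication entirely.

Route table, token, handler names and candidate paths are all constructed.
"""
from posixpath import normpath
from typing import Callable, List, Optional
from urllib.parse import unquote

PROTECTED_EXACT = {"/v1/accounts", "/v1/transfers"}  # constructed deny-list of protected paths
PUBLIC_EXACT = {"/v1/health"}                         # constructed allow-list of public paths
VALID_TOKEN = "secret-token"                          # constructed


def canonical_path(raw: str) -> str:
    """Canonicalise the way a typical backend router does: drop the query,
    percent-decode, collapse leading/repeated slashes, resolve '.' and '..',
    and strip a trailing slash (except for the root)."""
    path = unquote(raw.split("?", 1)[0])
    path = "/" + path.lstrip("/")          # normpath would keep a leading '//'
    path = normpath(path)                  # handles '//', '.', '..'
    return path if path == "/" else path.rstrip("/")


def backend_handler(raw_path: str) -> str:
    """Backend dispatch keyed on the canonical path (constructed handlers)."""
    handlers = {
        "/v1/accounts": "list_accounts",
        "/v1/transfers": "create_transfer",
        "/v1/health": "health",
    }
    return handlers.get(canonical_path(raw_path), "not_found")


def vulnerable_front_door(raw_path: str, token: Optional[str]) -> str:
    """Buggy: only a path that exactly matches the deny-list needs a token."""
    if raw_path in PROTECTED_EXACT and token != VALID_TOKEN:
        return "401"
    return backend_handler(raw_path)


def hardened_front_door(raw_path: str, token: Optional[str]) -> str:
    """Fixed: canonicalise first, then default-deny unless explicitly public."""
    path = canonical_path(raw_path)
    if path in PUBLIC_EXACT:
        return backend_handler(path)
    if token != VALID_TOKEN:
        return "401"
    return backend_handler(path)


# Spellings an attacker would try; the backend maps every one to /v1/accounts.
BYPASS_CANDIDATES = [
    "/v1/accounts/",        # the trailing slash from the post's title
    "//v1/accounts",        # doubled leading slash
    "/v1//accounts",        # doubled inner slash
    "/v1/./accounts",       # dot segment
    "/v1/x/../accounts",    # dot-dot segment
    "/v1/%61ccounts",       # percent-encoded 'a'
    "/v1/accounts?x=1",     # query string appended
]


def audit(front_door: Callable[[str, Optional[str]], str]) -> List[str]:
    """Return the candidates that reach the accounts handler with no token."""
    return [p for p in BYPASS_CANDIDATES if front_door(p, None) == "list_accounts"]


if __name__ == "__main__":
    print("vulnerable:", audit(vulnerable_front_door))   # all seven candidates
    print("hardened:  ", audit(hardened_front_door))     # []
```

Run it and the vulnerable front door lets every candidate reach the handler without a token, while the hardened one lets none through. Two changes do the work: canonicalising before the comparison, and inverting the rule so a path must be explicitly public to skip the token check. With a deny-list of protected paths, any spelling the list did not anticipate is an authentication bypass, which is why the same behaviour for `/x` and `/x/` (as Django's redirect gives you) only helps if the auth decision is made on the same canonical form the backend routes on.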
sam_lowry_
47 minutes ago
HTTP footguns? Meh! I routinely bypass domain blocks by appending a dot to the domain name, e.g. `amazon.com.`
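Added example, not taken from any commenter: the three filter bypasses described in the comments above (praptak's trailing `?` on a blocked URL, elpocko's `^microsoft.com.*` regex with its unescaped dot, and sam_lowry_'s trailing dot on a blocked domain) modelled in Python against the naive matchers the anecdotes describe and against a matcher that parses the URL and compares host labels after normalisation. Every list entry and test URL is constructed for illustration.

```python
"""
Added example, not taken from the thread: three URL/domain-filter bypasses
(appending '?' to a blocked URL, a regex whitelist with an unescaped dot,
and a trailing dot on a blocked domain) against naive matchers and their
hardened replacements. Every list entry and test URL below is constructed.
"""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit, unquote

# Naive filters in the shape the anecdotes describe (constructed lists).
BLOCKED_URLS = {"http://foo.com/update.exe"}
ALLOWED_DOMAIN_RE = re.compile(r"^microsoft.com.*")   # '.' unescaped, end unanchored
BLOCKED_DOMAINS = {"amazon.com"}


def naive_url_blocked(url: str) -> bool:
    """Whole-string comparison: 'http://foo.com/update.exe?' is a different string."""
    return url in BLOCKED_URLS


def naive_domain_allowed(host: str) -> bool:
    """Regex prefix match: '.' matches any character, so
    'microsoft.computerthings.example' passes while 'www.microsoft.com' fails."""
    return ALLOWED_DOMAIN_RE.match(host) is not None


def naive_domain_blocked(host: str) -> bool:
    """Exact string compare: the FQDN spelling 'amazon.com.' is not in the set."""
    return host in BLOCKED_DOMAINS


def canonical_host(host: str) -> str:
    """Lowercase and drop the trailing dot of a fully-qualified name."""
    return host.strip().lower().rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it, comparing whole labels."""
    h, d = canonical_host(host), canonical_host(domain)
    return h == d or h.endswith("." + d)


def hardened_url_blocked(url: str) -> bool:
    """Compare parsed components: host by label, path after percent-decoding
    and stripping a trailing slash; query and fragment are ignored."""
    parts = urlsplit(url)
    path = unquote(parts.path).rstrip("/") or "/"
    for blocked in BLOCKED_URLS:
        b = urlsplit(blocked)
        if host_matches(parts.hostname or "", b.hostname or "") \
                and path == (unquote(b.path).rstrip("/") or "/"):
            return True
    return False


def hardened_domain_allowed(host: str) -> bool:
    return host_matches(host, "microsoft.com")


def hardened_domain_blocked(host: str) -> bool:
    return any(host_matches(host, d) for d in BLOCKED_DOMAINS)


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Side-by-side (naive, hardened) verdicts for the bypass inputs."""
    return {
        "update.exe?": (naive_url_blocked("http://foo.com/update.exe?"),
                        hardened_url_blocked("http://foo.com/update.exe?")),
        "fake microsoft": (naive_domain_allowed("microsoft.computerthings.example"),
                           hardened_domain_allowed("microsoft.computerthings.example")),
        "amazon.com.": (naive_domain_blocked("amazon.com."),
                        hardened_domain_blocked("amazon.com.")),
    }


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:15} naive={naive!s:5} hardened={hardened}")
```

The common thread in all three is that the filter compared a string while the thing it was guarding compared a parsed, normalised structure: a URL with an empty query, a hostname whose labels happen to start with "microsoft" and "com", and a name with the root dot spelled out. Matching on parsed components after canonicalisation closes all three; the unescaped-dot regex is also too strict, rejecting `www.microsoft.com`, so it fails in both directions.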
tedk-42
1 hour ago
Hmmm 12K seems like a bit much, even if it's fintech.

They also didn't mention the company.

The title feels clickbaity as it's not specific to AWS API Gateway and instead the implementation of it.

And who hosts on blogspot...
treszkai
44 minutes ago
Yes, it and the other three posts sound positively AI-written. The first post on the blog is how OP uploaded a backdoored dataset to HuggingFace and left it there for 6 months – whether made up or not, it doesn't sound great.
sillysaurusx
21 minutes ago
Why not?

This is arguing for style over substance. The goal is to explain how a bug impacts the company. Anything that achieves the goal is de facto good. Remember, the alternative is for the company not to be notified at all.
oasisbob
56 seconds ago
Style, and the effort an author put into their writing are both legitimate targets of rhetoric, analysis, and criticism.
utf_8x
47 minutes ago
Considering it let them do an unauthorized wire transfer from a system account, 12k seems pretty reasonable.
Quarrelsome
49 minutes ago
Got any more criticisms? Font choice? Perhaps there's some duplication in their CSS?

I think 12k could be fine given how much it might have cost them if nobody had noticed.
rithdmc
4 minutes ago
Or if someone with malicious intent noticed.
savolai
50 minutes ago
It's not really fair to criticise hosting choice, but this led me down a rabbit hole.

Noticed that non-responsive blog layouts are rare these days. Most are from blogspot. So I took a look and realized that Blogger nowadays actually supports responsive layouts, but apparently... they are not popular?

https://blogger.googleblog.com/2017/03/share-your-unique-sty...
Kwpolska
32 minutes ago
Google barely maintains Blogger, and people have old blogs with old templates they never felt the need to change.
varispeed
23 minutes ago
Exactly. What do these researchers think? Getting rich finding security flaws? They should get $5 at best, buy themselves a chocolate bar and an orange juice, and be grateful for the opportunity bestowed upon them by the rich.
layer8
30 minutes ago
I wonder if /v1/accounts/index.html would also have worked. ;)
mapcars
1 hour ago
Interesting story showing how complex today's tech is, and how your whole security plan can be compromised by regexp matching rules.
brian_herman
49 minutes ago
You deserve the trip, nice find!
redrove
1 hour ago
Don’t vibe code your auth path folks.
darkwater
44 minutes ago
Otherwise a security researcher will vibe-code an exploit and slop out a blog post about it.
rvz
50 minutes ago
The thing that absolutely should not be vibe coded, especially in fintech.

Turning a $10 bug into a $12K issue, and if this was at a big tech company it would be a $120K+ issue.
IshKebab
1 hour ago
You could have written this up without using AI and I would have hated it less.
Deebster
3 minutes ago
I have no idea why you think it's written by AI, unless you think that correct use of quote and dash characters means it must be AI.
elpocko
31 seconds ago
Please go away and take your feelings with you.
anacrolix
43 minutes ago
That's what you get for using Go mux