I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty
theguptalog.blogspot.comYou didn’t break API Gateway or bypass it, you broke the company using incorrect api gateway config.
Your title is clickbait
I want my 5 minutes back. What an absolute waste of time this was.
Appending stuff to bypass blacklists is eternal.
My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.
A DPI firewall at a place of education had a whitelist of allowed domains that you could connect to from the internal network. One entry in the whitelist was "microsoft.com".
I installed a web proxy on my VPS, which was accessible under a domain name like "computerthings.example", created a subdomain called "microsoft", and voila: "microsoft.computerthings.example" was good enough to match "^microsoft.com.*" and allowed us to bypass the block for the next two years.
Ah, a rare situation where you have to put your URL in angle brackets for it to be parsed correctly here: <http://foo.com/update.exe?> (Not that it matters in this case. Also I would’ve guessed the angle brackets would disappear, but apparently not.)
$1 removing the slash, $11,999 knowing where to remove the slash from
At that rate I would remove it from everywhere.
But do you know where they all are
No. But my AI agent will happily burn electrons finding some... Maybe...
Hopefully it doesn’t hallucinate on you.
Did you Bypass AWS API Gateway.. or did you bypass it for a company who had their AWS API Gateway misconfigured?
I hate when people say this, as if there's any world in which I would want my AWS API gateway to do this, let alone accidentally. HTTP is littered with these footguns, differences between slashes and no slashes is a classic. A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.
Yes yes, I know, folder/file naming convention dating from...
But it's current year now
> A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.
Django redirects one version to another by default, which achieves that.
HTTP footguns? Meh! I routinely bypass domain blocks by appending a dot to the domain name, e.g. amazon.com.
Hmmm 12K seems like a bit much, even if it's fintech.
They also didn't mention the company.
The title feels clickbaity as it's not specific to AWS API gateway and instead, the implementation of it.
And who hosts on blogspot...
Yes, it and the other three posts sound positively AI written. The first post on the blog is how OP uploaded a backdoored dataset to HuggingFace and left it there for 6 months – whether made up or not, it doesn't sound great.
Why not?
This is arguing for style over substance. The goal is to explain how a bug impacts the company. Anything that achieves the goal is de facto good. Remember, the alternative is for the company not to be notified at all.
Style, and the effort an author put into their writing are both legitimate targets of rhetoric, analysis, and criticism.
They got $12k for their work. Their writeup was fine.
I clicked on the post and immediately bounced off because it was intense slop. Like a high schooler padding out their essay to hit a word count.
I don't care if they got paid for it. It's an interesting misconfiguration that you can describe in one sentence. I don't need to read the corresponding 500 word blog post.
Considering it let them do an unauthorized wire transfer from a system account, 12k seems pretty reasonable.
got any more criticisms, font choice, perhaps there's some duplication in their css?
I think 12k could be fine given how much it might have cost them if nobody had noticed.
Or if someone with malicious intent noticed.
It's not really fair to criticise hosting choice, but this lead me down a rabbit hole.
Noticed that non-responsive blog layouts are rare these days. Most are from blogspot. So I took a look and realized that blogger nowadays actually supports responsive layouts, but apparently... they are not popular?
https://blogger.googleblog.com/2017/03/share-your-unique-sty...
Google barely maintains Blogger, and people have old blogs with old templates they never felt the need to change.
Exactly. What do these researchers think? Getting rich finding security flaws? They should get $5 at best, buy themselves chocolate bar and an orange juice and be grateful for the opportunity bestowed upon them by the rich.
OJ here is over $5. Chocolate bars are not far behind. Of course I'm not complaining. Our kleptocrat overlords are doing great works!
The original article post https://vechron.com/2026/04/i-bypassed-aws-api-gateway-auth-...
Tbh I always wondered how are we still matching routes using regex and not something like a radix tree? That would eliminate these kinds of issues no?
Interesting story showing how complex todays tech is, and your whole security plan can be compromised by regexp matching rules.
This is a shocking mistake for a 'fintech' to make. This is supremely basic stuff.
The thing that absolutely should not be vibe coded, especially in fintech.
Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.
Don’t vibe code your auth path folks.
Otherwise a security research will vibe-code an exploit and slop out a blog post about it.
You deserve the trip, nice find!
That's what you get for using Go mux