I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

4 hours ago
  • #AWS Vulnerability
  • #Bug Bounty
  • #API Security
  • A fintech's mobile API, fronted by an AWS API Gateway HTTP API, had an authentication bypass caused by inconsistent path matching and authorization.
  • Appending a trailing slash to an endpoint (e.g., /v1/accounts/) skipped JWT validation, and the backend returned full account data without any authentication.
  • The root cause was greedy path matching in the HTTP API: the authorizer context was dropped during path rewriting, so requests on the rewritten path reached the backend unauthorized.
  • The same bypass worked on sensitive endpoints such as POST /v1/transfers/, and because the backend Lambdas never validated the user ID against the caller, unauthorized wire transfers were possible.
  • The issue was reported and fixed by switching to a REST API (stricter path matching) and adding user ID validation in the Lambdas; the report earned a $12,000 bounty.
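The backend-side half of the fix described above (never trust that the gateway already ran the JWT authorizer, normalize the path before routing, and check that the caller owns the account it acts on) as an added Python Lambda handler; this is example code, not the fintech's or AWS's. It assumes the HTTP API payload format 2.0 event shape and a constructed in-memory account-ownership table.

```python
import json

# Constructed account-ownership table standing in for the backend's data store (assumption)
ACCOUNT_OWNERS = {"acct-1": "user-alice", "acct-2": "user-bob"}

def normalize_path(raw_path):
    """Collapse duplicate and trailing slashes so '/v1/accounts/acct-1/' and
    '/v1/accounts/acct-1' are routed and authorized identically."""
    return "/" + "/".join(p for p in raw_path.split("/") if p)

def jwt_claims(event):
    """Claims the gateway's JWT authorizer attached (HTTP API payload format 2.0), or None."""
    auth = event.get("requestContext", {}).get("authorizer", {})
    return auth.get("jwt", {}).get("claims")

def handler(event, context=None):
    path = normalize_path(event.get("rawPath", "/"))
    method = event.get("requestContext", {}).get("http", {}).get("method", "GET")
    claims = jwt_claims(event)
    # Defence in depth: do not assume the gateway already enforced the JWT for this path
    if not claims or not claims.get("sub"):
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    caller = claims["sub"]
    parts = path.split("/")[1:]            # e.g. ['v1', 'accounts', 'acct-1']
    if method == "GET" and parts[:2] == ["v1", "accounts"] and len(parts) == 3:
        account_id = parts[2]
    elif method == "POST" and parts == ["v1", "transfers"]:
        account_id = json.loads(event.get("body") or "{}").get("fromAccount")
    else:
        return {"statusCode": 404, "body": json.dumps({"error": "not found"})}
    # Object-level authorization: the authenticated user must own the account it acts on
    if ACCOUNT_OWNERS.get(account_id) != caller:
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"account": account_id, "owner": caller})}

def build_event(raw_path, method="GET", sub=None, body=None):
    """Constructed HTTP API v2 event for local testing; sub=None simulates a request
    that reached the Lambda without the JWT authorizer having run."""
    ctx = {"http": {"method": method}}
    if sub is not None:
        ctx["authorizer"] = {"jwt": {"claims": {"sub": sub}}}
    return {"rawPath": raw_path, "requestContext": ctx, "body": json.dumps(body) if body else None}
```

With this handler a trailing-slash request that arrives without authorizer claims gets 401, and an authenticated caller acting on someone else's account gets 403, regardless of how the gateway matched the path.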