QotNews
Hacker News, Reddit, Lobsters, and Tildes articles rendered in reader mode.

I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

View article
87 points by tjek 8 hours ago on hackernews | 39 comments

A_Duck | 7 hours ago

$1 removing the slash, $11,999 knowing where to remove the slash from

dizhn | 7 hours ago

At that rate I would remove it from everywhere.

throw1234567891 | 7 hours ago

But do you know where they all are

donalhunt | 6 hours ago

No. But my AI agent will happily burn electrons finding some... Maybe...

throw1234567891 | 4 hours ago

Hopefully it doesn’t hallucinate on you.

redrove | 7 hours ago

Don’t vibe code your auth path folks.

darkwater | 7 hours ago

Otherwise a security research will vibe-code an exploit and slop out a blog post about it.

IshKebab | 7 hours ago

You could have written this up without using AI and I would have hated it less.

Deebster | 6 hours ago

I have no idea why you think it's written by AI, unless you think that correct use of quote and dash characters means it must be AI.

GrinningFool | 6 hours ago

There are plenty of tells. Quotes and dashes don't even have to enter into it.

elpocko | 6 hours ago

Please go away and take your feelings with you.

tedk-42 | 7 hours ago

Hmmm 12K seems like a bit much, even if it's fintech.

They also didn't mention the company.

The title feels clickbaity as it's not specific to AWS API gateway and instead, the implementation of it.

And who hosts on blogspot...

savolai | 7 hours ago

It's not really fair to criticise hosting choice, but this lead me down a rabbit hole.

Noticed that non-responsive blog layouts are rare these days. Most are from blogspot. So I took a look and realized that blogger nowadays actually supports responsive layouts, but apparently... they are not popular?

https://blogger.googleblog.com/2017/03/share-your-unique-sty...

Kwpolska | 7 hours ago

Google barely maintains Blogger, and people have old blogs with old templates they never felt the need to change.

Quarrelsome | 7 hours ago

got any more criticisms, font choice, perhaps there's some duplication in their css?

I think 12k could be fine given how much it might have cost them if nobody had noticed.

rithdmc | 6 hours ago

Or if someone with malicious intent noticed.

utf_8x | 7 hours ago

Considering it let them do an unauthorized wire transfer from a system account, 12k seems pretty reasonable.

treszkai | 7 hours ago

Yes, it and the other three posts sound positively AI written. The first post on the blog is how OP uploaded a backdoored dataset to HuggingFace and left it there for 6 months – whether made up or not, it doesn't sound great.

sillysaurusx | 7 hours ago

Why not?

This is arguing for style over substance. The goal is to explain how a bug impacts the company. Anything that achieves the goal is de facto good. Remember, the alternative is for the company not to be notified at all.

oasisbob | 6 hours ago

Style, and the effort an author put into their writing are both legitimate targets of rhetoric, analysis, and criticism.

sillysaurusx | 6 hours ago

They got $12k for their work. Their writeup was fine.

hdndjsbbs | 6 hours ago

I clicked on the post and immediately bounced off because it was intense slop. Like a high schooler padding out their essay to hit a word count.

I don't care if they got paid for it. It's an interesting misconfiguration that you can describe in one sentence. I don't need to read the corresponding 500 word blog post.

varispeed | 7 hours ago

Exactly. What do these researchers think? Getting rich finding security flaws? They should get $5 at best, buy themselves chocolate bar and an orange juice and be grateful for the opportunity bestowed upon them by the rich.

paulryanrogers | 6 hours ago

OJ here is over $5. Chocolate bars are not far behind. Of course I'm not complaining. Our kleptocrat overlords are doing great works!

mapcars | 7 hours ago

Interesting story showing how complex todays tech is, and your whole security plan can be compromised by regexp matching rules.

sammy2255 | 7 hours ago

Did you Bypass AWS API Gateway.. or did you bypass it for a company who had their AWS API Gateway misconfigured?

stuartjohnson12 | 7 hours ago

I hate when people say this, as if there's any world in which I would want my AWS API gateway to do this, let alone accidentally. HTTP is littered with these footguns, differences between slashes and no slashes is a classic. A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.

Yes yes, I know, folder/file naming convention dating from...

But it's current year now

sam_lowry_ | 7 hours ago

HTTP footguns? Meh! I routinely bypass domain blocks by appending a dot to the domain name, e.g. amazon.com.

fiedzia | 7 hours ago

> A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.

Django redirects one version to another by default, which achieves that.

rvz | 7 hours ago

The thing that absolutely should not be vibe coded, especially in fintech.

Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.

brian_herman | 7 hours ago

You deserve the trip, nice find!

praptak | 7 hours ago

Appending stuff to bypass blacklists is eternal.

My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.

sillysaurusx | 7 hours ago

Ah, a rare situation where you have to put your URL in angle brackets for it to be parsed correctly here: <http://foo.com/update.exe?> (Not that it matters in this case. Also I would’ve guessed the angle brackets would disappear, but apparently not.)

[1] https://news.ycombinator.com/formatdoc

elpocko | 7 hours ago

A DPI firewall at a place of education had a whitelist of allowed domains that you could connect to from the internal network. One entry in the whitelist was "microsoft.com".

I installed a web proxy on my VPS, which was accessible under a domain name like "computerthings.example", created a subdomain called "microsoft", and voila: "microsoft.computerthings.example" was good enough to match "^microsoft.com.*" and allowed us to bypass the block for the next two years.

anacrolix | 7 hours ago

That's what you get for using Go mux

me551ah | 7 hours ago

You didn’t break API Gateway or bypass it, you broke the company using incorrect api gateway config.

Your title is clickbait

Subdivide8452 | 6 hours ago

I want my 5 minutes back. What an absolute waste of time this was.

GeorgeWoff25 | 6 hours ago

The original article post https://vechron.com/2026/04/i-bypassed-aws-api-gateway-auth-...

localhoster | 6 hours ago

Tbh I always wondered how are we still matching routes using regex and not something like a radix tree? That would eliminate these kinds of issues no?