Made with ♥ by @iamnishanth

Open Source @Github


I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

https://theguptalog.blogspot.com/2026/04/i-bypassed-aws-api-gateway-auth-with.html
24•tjek•48m ago

Comments

A_Duck•32m ago
$1 removing the slash, $11,999 knowing where to remove the slash from
dizhn•16m ago
At that rate I would remove it from everywhere.
throw1234567891•5m ago
But do you know where they all are?
redrove•29m ago
Don’t vibe code your auth path folks.
darkwater•10m ago
Otherwise a security researcher will vibe-code an exploit and slop out a blog post about it.
IshKebab•28m ago
You could have written this up without using AI and I would have hated it less.
tedk-42•27m ago
Hmmm 12K seems like a bit much, even if it's fintech.

They also didn't mention the company.

The title feels clickbaity, as it's not specific to AWS API Gateway but rather to the implementation of it.

And who hosts on blogspot...

savolai•15m ago
It's not really fair to criticise hosting choice, but this led me down a rabbit hole.

Noticed that non-responsive blog layouts are rare these days. Most are from blogspot. So I took a look and realized that blogger nowadays actually supports responsive layouts, but apparently... they are not popular?

https://blogger.googleblog.com/2017/03/share-your-unique-sty...

Quarrelsome•15m ago
Got any more criticisms? Font choice? Perhaps there's some duplication in their CSS?

I think 12k could be fine given how much it might have cost them if nobody had noticed?

utf_8x•13m ago
Considering it let them do an unauthorized wire transfer from a system account, 12k seems pretty reasonable.
treszkai•9m ago
Yes, it and the other three posts sound positively AI-written. The first post on the blog is how OP uploaded a backdoored dataset to HuggingFace and left it there for 6 months – whether made up or not, it doesn't sound great.
mapcars•26m ago
Interesting story showing how complex today's tech is, and how your whole security plan can be compromised by regexp matching rules.
sammy2255•25m ago
Did you bypass AWS API Gateway... or did you bypass it for a company that had their AWS API Gateway misconfigured?
stuartjohnson12•20m ago
I hate when people say this, as if there's any world in which I would want my AWS API Gateway to do this, let alone accidentally. HTTP is littered with these footguns; the difference between slashes and no slashes is a classic. A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without a trailing slash.

Yes yes, I know, folder/file naming convention dating from...

But it's current year now
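
As an added illustration of the footgun described above (example code, not from the post or the linked write-up): an authorization gate that regex-matches the raw path disagrees with a router that strips the trailing slash, and canonicalizing the path once before both layers removes the disagreement. The protected-path patterns, sample paths and function names are constructed for this example.

```python
import re
from posixpath import normpath

# Constructed protected-path allowlist expressed as regexes
# (hypothetical paths, not the ones from the write-up).
PROTECTED = [re.compile(r"^/admin(/.*)?$"), re.compile(r"^/transfers$")]

def router_key(path: str) -> str:
    """Routing layer: drops one trailing slash so /x and /x/ reach the same handler."""
    return path[:-1] if len(path) > 1 and path.endswith("/") else path

def auth_required_raw(path: str) -> bool:
    """Buggy gate: matches the path exactly as received, so '/transfers/'
    is not recognised as protected even though the router serves it."""
    return any(p.match(path) for p in PROTECTED)

def canonical(path: str) -> str:
    """One canonical form shared by gate and router: a single leading slash,
    duplicate slashes collapsed, '.'/'..' segments resolved, no trailing
    slash. normpath keeps a leading '//', hence the lstrip."""
    return normpath("/" + path.lstrip("/"))

def auth_required_fixed(path: str) -> bool:
    """Fixed gate: decides on the canonical path, never on the raw one."""
    return any(p.match(canonical(path)) for p in PROTECTED)

def gate_agrees_with_router(path: str, gate) -> bool:
    """True when the gate's decision on the raw path equals its decision on
    the path the router will actually dispatch."""
    return gate(path) == gate(router_key(path))

def inconsistent_paths(paths, gate):
    """Regression check: return the request paths on which the gate and the
    router disagree. An empty list means both layers see the same resource."""
    return [p for p in paths if not gate_agrees_with_router(p, gate)]

# Constructed request paths a regression test might cover.
SAMPLE_PATHS = ["/transfers", "/transfers/", "/admin/users/", "/status"]

if __name__ == "__main__":
    print("raw gate disagrees on:", inconsistent_paths(SAMPLE_PATHS, auth_required_raw))
    print("fixed gate disagrees on:", inconsistent_paths(SAMPLE_PATHS, auth_required_fixed))
```

Percent-encoding and case folding are deliberately out of scope here; in a real deployment they belong in the same single canonicalization step, applied before any matching.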

sam_lowry_•13m ago
HTTP footguns? Meh! I routinely bypass domain blocks by appending a dot to the domain name, e.g. amazon.com.
rvz•16m ago
The thing that absolutely should not be vibe coded, especially in fintech.

Turning a $10 bug into a $12K issue, and if this was at a big tech company it would be a $120K+ issue.

brian_herman•15m ago
You deserve the trip, nice find!
praptak•9m ago
Appending stuff to bypass blacklists is eternal.

My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.

anacrolix•9m ago
That's what you get for using Go mux

Daily Murder: a daily whodunit puzzle solved by logic on an elimination grid

https://dailymurder.com
1•KeepComputing•27s ago•0 comments

My Favorite Fable

https://sive.rs/horses
1•Michelangelo11•39s ago•0 comments

Skill to Income Mapping Engine

https://www.tooldocket.com/2026/05/skill-to-income-calculator.html
1•stoicstoic•40s ago•0 comments

Study: AI is helping to develop new gallium-based semiconductor

https://news.flinders.edu.au/blog/2026/05/26/ai-speeds-up-discovery-of-next-gen-computer-chips-an...
1•giuliomagnifico•1m ago•0 comments

Netherlands blocks U.S. takeover of DigiD operator Solvinity

https://nltimes.nl/2026/05/26/netherlands-blocks-us-takeover-digid-operator-solvinity-security-co...
1•nemoniac•3m ago•0 comments

IT Doesn't Matter [pdf]

https://www.classes.cs.uchicago.edu/archive/2014/fall/51210-1/required.reading/ITDoesntMatter.pdf
1•harlequinetcie•8m ago•0 comments

DBase is back, sort-of... Error: database not found

https://delphinightmares.substack.com/p/dbase-is-back-sort-of
1•deeaceofbase•11m ago•1 comments

Show HN: High-performance parallel save/load for large NumPy

https://github.com/NoteDance/parallel-saver
1•NoteDance•12m ago•0 comments

Steve Jobs MIT Sloan Distinguished Speaker Series (1992)

https://www.youtube.com/watch?v=Gk-9Fd2mEnI
1•downbad_•16m ago•0 comments

"Peak Civilization": The Fall of the Roman Empire (2009)

http://theoildrum.com/node/5528
1•downbad_•17m ago•0 comments

China vs. Taiwan: The Geography of an Unfinished War

https://jstribune.com/china-vs-taiwan-the-geography-of-an-unfinished-war/
1•bryanrasmussen•18m ago•0 comments

The AI bubble isn't like the internet bubble

https://pluralistic.net/2026/05/26/the-ai-will-continue/#until-morale-improves
3•doener•20m ago•1 comments

Sparse Autoencoders Reveal Cortical Brain-LLM Semantic Mapping

https://letsdatascience.com/news/sparse-autoencoders-reveal-cortical-brain-llm-semantic-mappi-bc5...
2•bryanrasmussen•21m ago•0 comments

BBC program on wave-powered boats [video]

https://www.youtube.com/watch?v=UWpxtfmpVD4
1•msuniverse2026•22m ago•0 comments

Microsoft and Uber Are Running into an AI Cost Problem

https://firethering.com/microsoft-uber-ai-coding-tools-more-expensive-than-human-workers/
4•steveharing1•24m ago•2 comments

StyloBot- Open Source self hosted behavioural bot protection

https://stylobot.net
1•scottgal•26m ago•0 comments

Benchmarking Vortex File Format vs. Parquet, CSV vs. DuckDB, Polars, Datafusion

https://dataengineeringcentral.substack.com/p/benchmarking-vortex-file-format-vs
1•eigenBasis•26m ago•0 comments

Raft Consensus with a Minority of Nodes

https://padhye.org/raft-minority/
1•moarbugs•27m ago•0 comments

Delta Brain Sync · Streamlit

https://delta-brain-sync-k99vym7mbyebesrfdl84sm.streamlit.app
1•TELEFOXX•27m ago•0 comments

Solar, wind and batteries push down electricity bills for homes and business

https://reneweconomy.com.au/solar-wind-and-batteries-push-down-electricity-bills-for-homes-and-bu...
2•doener•27m ago•0 comments

EU plans to fine Google high triple-digit million euro sum, Handelsblatt reports

https://www.reuters.com/world/europe/eu-plans-fine-google-high-triple-digit-million-euro-sum-hand...
2•LelouBil•28m ago•0 comments

PHP – simple way to send HTTP headers before a script ends

https://shkspr.mobi/blog/2026/05/php-simple-way-to-send-http-headers-before-a-script-ends/
1•blenderob•28m ago•0 comments

Terjangkau: Neighborhood Explorer

https://github.com/altilunium/terjangkau
1•altilunium•28m ago•0 comments

Prompter – Compare and benchmark Ollama models side-by-side in your terminal

https://github.com/whonixnetworks/prompter
1•whonixnetworks•30m ago•0 comments

Show HN: Self-managing codebase with long-horizon agents

https://github.com/WillTaylor22/self-managing-codebase
1•wrftaylor•32m ago•1 comments

"Long-Term Support" doesn't mean what you think

https://pointieststick.com/2026/05/23/long-term-support-doesnt-mean-what-you-think/
2•birdculture•33m ago•0 comments

Five foundations for building complex Ruby on Rails apps

https://paweldabrowski.com/farewell-to-rails-way/five-foundations-for-building-complex-rails-apps
1•pdabrowski6•35m ago•0 comments

Tools and skills for humans and agents to review via Magnifica Humanitas

https://encyclical.ai/
2•willf•36m ago•0 comments

NL govt blocks DigiD takeover by solvinity

https://nos.nl/artikel/2615885-staatssecretaris-verbiedt-overname-solvinity-bedrijf-achter-digid
5•hvb2•45m ago•1 comments

Show HN: Judicex – Open-source legal AI that abstains instead of hallucinating

https://github.com/JustVugg/judicex
3•vforno•48m ago•0 comments