I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

https://theguptalog.blogspot.com/2026/04/i-bypassed-aws-api-gateway-auth-with.html
69•tjek•1h ago

Comments

A_Duck•1h ago
$1 removing the slash, $11,999 knowing where to remove the slash from
dizhn•56m ago
At that rate I would remove it from everywhere.
throw1234567891•44m ago
But do you know where they all are?
redrove•1h ago
Don’t vibe code your auth path folks.
darkwater•49m ago
Otherwise a security researcher will vibe-code an exploit and slop out a blog post about it.
IshKebab•1h ago
You could have written this up without using AI and I would have hated it less.
Deebster•8m ago
I have no idea why you think it's written by AI, unless you think that correct use of quote and dash characters means it must be AI.
elpocko•5m ago
Please go away and take your feelings with you.
tedk-42•1h ago
Hmmm 12K seems like a bit much, even if it's fintech.

They also didn't mention the company.

The title feels clickbaity, as it's not specific to AWS API Gateway but rather to the implementation of it.

And who hosts on blogspot...

savolai•55m ago
It's not really fair to criticise the hosting choice, but this led me down a rabbit hole.

Noticed that non-responsive blog layouts are rare these days. Most are from blogspot. So I took a look and realized that blogger nowadays actually supports responsive layouts, but apparently... they are not popular?

https://blogger.googleblog.com/2017/03/share-your-unique-sty...

Kwpolska•38m ago
Google barely maintains Blogger, and people have old blogs with old templates they never felt the need to change.
Quarrelsome•55m ago
Got any more criticisms? Font choice? Perhaps there's some duplication in their CSS?

I think 12k could be fine given how much it might have cost them if nobody had noticed.

rithdmc•10m ago
Or if someone with malicious intent noticed.
utf_8x•53m ago
Considering it let them do an unauthorized wire transfer from a system account, 12k seems pretty reasonable.
treszkai•49m ago
Yes, it and the other three posts sound positively AI-written. The first post on the blog is how OP uploaded a backdoored dataset to HuggingFace and left it there for 6 months – whether made up or not, it doesn't sound great.
sillysaurusx•26m ago
Why not?

This is arguing for style over substance. The goal is to explain how a bug impacts the company. Anything that achieves the goal is de facto good. Remember, the alternative is for the company not to be notified at all.

oasisbob•6m ago
Style, and the effort an author put into their writing are both legitimate targets of rhetoric, analysis, and criticism.
varispeed•29m ago
Exactly. What do these researchers think? Getting rich finding security flaws? They should get $5 at best, buy themselves a chocolate bar and an orange juice, and be grateful for the opportunity bestowed upon them by the rich.
mapcars•1h ago
Interesting story showing how complex today's tech is, and how your whole security plan can be compromised by regexp matching rules.
sammy2255•1h ago
Did you bypass AWS API Gateway, or did you bypass it for a company who had their AWS API Gateway misconfigured?
stuartjohnson12•59m ago
I hate when people say this, as if there's any world in which I would want my AWS API Gateway to do this, let alone accidentally. HTTP is littered with these footguns; the difference between a slash and no slash is a classic. A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without a trailing slash.

Yes yes, I know, folder/file naming convention dating from...

But it's current year now

sam_lowry_•52m ago
HTTP footguns? Meh! I routinely bypass domain blocks by appending a dot to the domain name, e.g. amazon.com.
fiedzia•37m ago
> A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.

Django redirects one version to another by default, which achieves that.
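The "same behaviour with or without a trailing slash" point from the two comments above, as an added Python example that is not from the thread or from any of the tools named in it: an allow-by-default authorizer that exact-matches protected paths beside one that canonicalizes the path first and denies by default. The route names and public prefixes are constructed.

```python
"""Trailing-slash footgun in route-based authorization (constructed example)."""
import posixpath
from urllib.parse import unquote

# Constructed: routes the auth layer believes need a bearer token.
PROTECTED = {"/v1/accounts", "/v1/transfers"}

# Constructed: the only routes that may be served without a token.
PUBLIC_PREFIXES = ("/health", "/docs")


def requires_auth_naive(path: str) -> bool:
    """Allow-by-default with an exact string match: '/v1/accounts/' is not in
    the set, so the variant with a trailing slash never sees the auth check."""
    return path in PROTECTED


def normalize_path(path: str) -> str:
    """Canonicalize before any policy decision: percent-decode once, collapse
    repeated slashes, resolve '.' and '..' segments, drop the trailing slash."""
    decoded = unquote(path)
    # Prefix a single '/' so normpath cannot keep a POSIX-style '//' root.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def requires_auth_hardened(path: str) -> bool:
    """Deny by default: a request skips auth only when its canonical path is a
    public prefix or a whole-segment child of one ('/healthz' stays protected)."""
    p = normalize_path(path)
    return not any(p == pub or p.startswith(pub + "/") for pub in PUBLIC_PREFIXES)


def regression_cases(route: str) -> list[str]:
    """Spellings of one protected route that the naive check waves through but
    the hardened check still guards; useful as a regression test for a matcher."""
    candidates = [route + "/", route + "//", "/" + route, route + "/./"]
    return [c for c in candidates
            if not requires_auth_naive(c) and requires_auth_hardened(c)]


if __name__ == "__main__":
    for case in regression_cases("/v1/accounts"):
        print(f"naive check misses {case!r}")
```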

rvz•55m ago
The thing that absolutely should not be vibe coded, especially in fintech.

Turning a $10 bug into a $12K issue, and if this were at a big tech company it would be a $120K+ issue.

brian_herman•55m ago
You deserve the trip, nice find!
praptak•49m ago
Appending stuff to bypass blacklists is eternal.

My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.

sillysaurusx•34m ago
Ah, a rare situation where you have to put your URL in angle brackets for it to be parsed correctly here: <http://foo.com/update.exe?> (Not that it matters in this case. Also I would’ve guessed the angle brackets would disappear, but apparently not.)

[1] https://news.ycombinator.com/formatdoc

elpocko•21m ago
A DPI firewall at a place of education had a whitelist of allowed domains that you could connect to from the internal network. One entry in the whitelist was "microsoft.com".

I installed a web proxy on my VPS, which was accessible under a domain name like "computerthings.example", created a subdomain called "microsoft", and voila: "microsoft.computerthings.example" was good enough to match "^microsoft.com.*" and allowed us to bypass the block for the next two years.
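The two list-matching mistakes in sam_lowry_'s and elpocko's comments above, as an added Python example that is not part of the thread: a list entry used as an unescaped, right-unanchored regex beside a label-aware comparison that also canonicalizes the trailing dot before deciding. The list entry and the hostnames are constructed.

```python
"""Host allow/deny-list matching: regex shortcut vs. label-aware comparison."""
import re

# Constructed list entry, mirroring the whitelist story above.
ALLOWED = ["microsoft.com"]


def allowed_by_regex(host: str) -> bool:
    """The entry is used as an unescaped, right-unanchored pattern: '.' matches
    any character and the trailing '.*' swallows the rest of the name."""
    return any(re.match("^" + entry + ".*", host) is not None for entry in ALLOWED)


def canonical_host(host: str) -> str:
    """Normalize before comparing: lowercase and drop the trailing dot of a
    fully-qualified name, so 'Amazon.com.' and 'amazon.com' are the same host."""
    return host.strip().lower().rstrip(".")


def allowed_by_labels(host: str) -> bool:
    """Match whole DNS labels only: the entry itself or a subdomain of it."""
    h = canonical_host(host)
    return any(h == e or h.endswith("." + e) for e in map(canonical_host, ALLOWED))


def list_decisions(hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Side-by-side verdicts (regex, label-aware) for a batch of hostnames."""
    return {h: (allowed_by_regex(h), allowed_by_labels(h)) for h in hosts}


if __name__ == "__main__":
    for host, verdict in list_decisions(
            ["microsoft.com", "microsoft.computerthings.example", "MICROSOFT.COM."]).items():
        print(f"{host:40} regex={verdict[0]!s:5} labels={verdict[1]}")
```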

anacrolix•48m ago
That's what you get for using Go mux
layer8•36m ago
I wonder if /v1/accounts/index.html would also have worked. ;)
me551ah•18m ago
You didn’t break API Gateway or bypass it; you broke the company using an incorrect API Gateway config.

Your title is clickbait

GeorgeWoff25•11m ago
The original article post https://vechron.com/2026/04/i-bypassed-aws-api-gateway-auth-...
