I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

https://theguptalog.blogspot.com/2026/04/i-bypassed-aws-api-gateway-auth-with.html

Comments

flumpcakes | May 27, 2026, 8:17 AM
This is a shocking mistake for a 'fintech' to make. This is supremely basic stuff.
me551ah | May 26, 2026, 11:18 AM
You didn’t break API Gateway or bypass it, you broke the company using incorrect api gateway config.

Your title is clickbait

Subdivide8452 | May 26, 2026, 11:50 AM
I want my 5 minutes back. What an absolute waste of time this was.
praptak | May 26, 2026, 10:47 AM
Appending stuff to bypass blacklists is eternal.

My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.

sillysaurusx | May 26, 2026, 11:02 AM
Ah, a rare situation where you have to put your URL in angle brackets for it to be parsed correctly here: <http://foo.com/update.exe?> (Not that it matters in this case. Also I would’ve guessed the angle brackets would disappear, but apparently not.)

[1] https://news.ycombinator.com/formatdoc

elpocko | May 26, 2026, 11:15 AM
A DPI firewall at a place of education had a whitelist of allowed domains that you could connect to from the internal network. One entry in the whitelist was "microsoft.com".

I installed a web proxy on my VPS, which was accessible under a domain name like "computerthings.example", created a subdomain called "microsoft", and voila: "microsoft.computerthings.example" was good enough to match "^microsoft.com.*" and allowed us to bypass the block for the next two years.

A_Duck | May 26, 2026, 10:25 AM
$1 removing the slash, $11,999 knowing where to remove the slash from
dizhn | May 26, 2026, 10:40 AM
At that rate I would remove it from everywhere.
throw1234567891 | May 26, 2026, 10:52 AM
But do you know where they all are?
donalhunt | May 26, 2026, 11:35 AM
No. But my AI agent will happily burn electrons finding some... Maybe...
throw1234567891 | May 26, 2026, 1:36 PM
Hopefully it doesn’t hallucinate on you.
sammy2255 | May 26, 2026, 10:31 AM
Did you Bypass AWS API Gateway.. or did you bypass it for a company who had their AWS API Gateway misconfigured?
stuartjohnson12 | May 26, 2026, 10:37 AM
I hate when people say this, as if there's any world in which I would want my AWS API Gateway to do this, let alone accidentally. HTTP is littered with these footguns; the difference between slashes and no slashes is a classic. A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without a trailing slash.

Yes yes, I know, folder/file naming convention dating from...

But it's current year now

fiedzia | May 26, 2026, 10:59 AM
> A good piece of software would make it hard to do this by accident, and probably should default to having the same behaviour with or without trailing slash.

Django redirects one version to another by default, which achieves that.
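The slash-sensitivity discussed in this sub-thread is easy to reproduce in a few lines. The following is an added example, not code from the original post or from any project it mentions: a constructed, regex-style route table where the protected route is anchored on the exact path and a permissive catch-all follows it, alongside a canonicalizing, default-deny lookup. The route names and policies are assumptions for illustration only.

```python
import re

# Constructed route table in the style of a regex-based router (assumption,
# not the configuration from the post): the protected route matches the exact
# path only, and a permissive catch-all is tried afterwards.
ROUTES = [
    (re.compile(r"^/admin/transfer$"), "auth_required"),
    (re.compile(r"^/.*$"), "public"),
]

# Canonical paths for the default-deny variant (also constructed).
PROTECTED_PATHS = {"/admin/transfer"}
PUBLIC_PATHS = {"/", "/health"}


def resolve_raw(path: str) -> str:
    """First-match routing on the raw request path, with no normalization.

    "/admin/transfer/" does not satisfy the anchored protected pattern, so it
    falls through to the catch-all and is classified as public.
    """
    for pattern, policy in ROUTES:
        if pattern.match(path):
            return policy
    return "deny"


def normalize_path(path: str) -> str:
    """Canonicalize a request path before any policy decision.

    Handles query string and fragment, repeated slashes, a trailing slash and
    "." / ".." segments. Percent-decoding and case folding are deliberately
    left to the real framework, which must apply them consistently everywhere.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"/+", "/", path)
    if len(path) > 1 and path.endswith("/"):
        path = path.rstrip("/")
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve_safe(path: str) -> str:
    """Default-deny routing over the normalized path.

    Both spellings of a route map to one canonical form, so the auth policy is
    looked up once; anything not explicitly listed is denied instead of being
    handed to a permissive fallback.
    """
    canonical = normalize_path(path)
    if canonical in PROTECTED_PATHS:
        return "auth_required"
    if canonical in PUBLIC_PATHS:
        return "public"
    return "deny"


if __name__ == "__main__":
    for p in ["/admin/transfer", "/admin/transfer/", "/admin//transfer/?x=1"]:
        print(f"{p:32s} raw={resolve_raw(p):14s} safe={resolve_safe(p)}")
```

The redirect approach fiedzia mentions is the other way to get the same property: canonicalize at the edge (one spelling redirects to the other) so that the auth layer only ever sees one form. Either way, the protected-route check and the fallback must agree on what a path is, and an unmatched path should be denied rather than served.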

sam_lowry_ | May 26, 2026, 10:44 AM
HTTP footguns? Meh! I routinely bypass domain blocks by appending a dot to the domain name, e.g. amazon.com.
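Both hostname bypasses in this thread, elpocko's `^microsoft.com.*` allowlist and sam_lowry_'s trailing-dot domain, come from comparing raw strings instead of normalized DNS names. The block below is an added example, not code from either commenter or from any product: it puts the weak regex beside a label-aware zone check, and a raw-string denylist beside one that normalizes the trailing dot first. The allowed and blocked zones are constructed for illustration.

```python
import re

# Allowlist entry as described in the thread: "." is unescaped and there is no
# "$" anchor, so the pattern matches any host that merely starts with
# "microsoft" followed by any character and "com".
WEAK_ALLOW = re.compile(r"^microsoft.com.*")
ALLOWED_ZONES = ("microsoft.com",)

# Constructed denylist for the trailing-dot case (assumption for the example).
BLOCKED_ZONES = ("amazon.com",)


def normalize_hostname(host: str) -> str:
    """Canonicalize a hostname before any allow/deny decision.

    Lowercases and removes one trailing dot: "amazon.com." is the
    fully-qualified spelling of "amazon.com" and resolves to the same name, so
    a matcher that compares raw strings treats them as different hosts.
    """
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    return host


def in_zone(host: str, zones) -> bool:
    """True if host is one of the zones or a subdomain of one (label-aware)."""
    host = normalize_hostname(host)
    return any(host == zone or host.endswith("." + zone) for zone in zones)


def weak_allowed(host: str) -> bool:
    """Regex over the raw string, as on the original firewall."""
    return WEAK_ALLOW.match(host) is not None


def strict_allowed(host: str) -> bool:
    return in_zone(host, ALLOWED_ZONES)


def naive_blocked(host: str) -> bool:
    """Raw string comparison: defeated by the trailing dot."""
    return host.lower() in BLOCKED_ZONES


def strict_blocked(host: str) -> bool:
    return in_zone(host, BLOCKED_ZONES)


# Constructed sample hostnames, including the two bypasses from the thread.
SAMPLES = [
    "microsoft.com",
    "www.microsoft.com",
    "microsoft.computerthings.example",  # unescaped "." plus missing "$"
    "microsoft.com.attacker.example",    # zone name as a prefix, not as the zone
    "amazon.com",
    "amazon.com.",                       # trailing-dot FQDN spelling
]


def compare(samples=SAMPLES):
    """Map each sample to (weak_allowed, strict_allowed, naive_blocked, strict_blocked)."""
    return {
        h: (weak_allowed(h), strict_allowed(h), naive_blocked(h), strict_blocked(h))
        for h in samples
    }


if __name__ == "__main__":
    for host, verdicts in compare().items():
        print(f"{host:36s} {verdicts}")
```

Note that the weak regex fails in both directions: it admits `microsoft.computerthings.example` while rejecting the legitimate `www.microsoft.com`, because it anchors on the start of the string rather than on DNS labels. Matching whole labels from the right, after normalization, fixes both.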
tedk-42 | May 26, 2026, 10:29 AM
Hmmm 12K seems like a bit much, even if it's fintech.

They also didn't mention the company.

The title feels clickbaity as it's not specific to AWS API gateway and instead, the implementation of it.

And who hosts on blogspot...

treszkai | May 26, 2026, 10:47 AM
Yes, it and the other three posts sound positively AI written. The first post on the blog is how OP uploaded a backdoored dataset to HuggingFace and left it there for 6 months – whether made up or not, it doesn't sound great.
sillysaurusx | May 26, 2026, 11:10 AM
Why not?

This is arguing for style over substance. The goal is to explain how a bug impacts the company. Anything that achieves the goal is de facto good. Remember, the alternative is for the company not to be notified at all.

oasisbob | May 26, 2026, 11:30 AM
Style, and the effort an author put into their writing are both legitimate targets of rhetoric, analysis, and criticism.
sillysaurusx | May 26, 2026, 11:45 AM
They got $12k for their work. Their writeup was fine.
hdndjsbbs | May 26, 2026, 11:51 AM
I clicked on the post and immediately bounced off because it was intense slop. Like a high schooler padding out their essay to hit a word count.

I don't care if they got paid for it. It's an interesting misconfiguration that you can describe in one sentence. I don't need to read the corresponding 500 word blog post.

utf_8x | May 26, 2026, 10:44 AM
Considering it let them do an unauthorized wire transfer from a system account, 12k seems pretty reasonable.
Quarrelsome | May 26, 2026, 10:42 AM
Got any more criticisms? Font choice? Perhaps there's some duplication in their CSS?

I think 12k could be fine given how much it might have cost them if nobody had noticed.

rithdmc | May 26, 2026, 11:26 AM
Or if someone with malicious intent noticed.
savolai | May 26, 2026, 10:41 AM
It's not really fair to criticise hosting choice, but this led me down a rabbit hole.

Noticed that non-responsive blog layouts are rare these days. Most are from blogspot. So I took a look and realized that blogger nowadays actually supports responsive layouts, but apparently... they are not popular?

https://blogger.googleblog.com/2017/03/share-your-unique-sty...

Kwpolska | May 26, 2026, 10:58 AM
Google barely maintains Blogger, and people have old blogs with old templates they never felt the need to change.
varispeed | May 26, 2026, 11:07 AM
Exactly. What do these researchers think? Getting rich finding security flaws? They should get $5 at best, buy themselves a chocolate bar and an orange juice and be grateful for the opportunity bestowed upon them by the rich.
paulryanrogers | May 26, 2026, 11:53 AM
OJ here is over $5. Chocolate bars are not far behind. Of course I'm not complaining. Our kleptocrat overlords are doing great works!
GeorgeWoff25 | May 26, 2026, 11:26 AM
localhoster | May 26, 2026, 11:50 AM
Tbh I always wondered how we are still matching routes using regex and not something like a radix tree? That would eliminate these kinds of issues, no?
mapcars | May 26, 2026, 10:30 AM
Interesting story showing how complex today's tech is, and your whole security plan can be compromised by regexp matching rules.
IshKebab | May 26, 2026, 10:29 AM
You could have written this up without using AI and I would have hated it less.
Deebster | May 26, 2026, 11:28 AM
I have no idea why you think it's written by AI, unless you think that correct use of quote and dash characters means it must be AI.
GrinningFool | May 26, 2026, 11:51 AM
There are plenty of tells. Quotes and dashes don't even have to enter into it.
elpocko | May 26, 2026, 11:31 AM
Please go away and take your feelings with you.
redrove | May 26, 2026, 10:28 AM
Don’t vibe code your auth path folks.
darkwater | May 26, 2026, 10:47 AM
Otherwise a security researcher will vibe-code an exploit and slop out a blog post about it.
brian_herman | May 26, 2026, 10:41 AM
You deserve the trip, nice find!
rvz | May 26, 2026, 10:41 AM
The thing that absolutely should not be vibe coded, especially in fintech.

Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.

anacrolix | May 26, 2026, 10:48 AM
That's what you get for using Go mux
alexpandey | May 26, 2026, 11:19 AM
[flagged]