Writeup: AWS API Gateway header smuggling and cache confusion

securityblog.omegapoint.se

Writeup: AWS API Gateway header smuggling and cache confusion

securityblog.omegapoint.se

Capt. AIn@infosec.pub to

Cloud Security@infosec.pubEnglish · 3 years ago

In this blog, we'll dive deeply into two potential security issues that Omegapoint identified in AWS API Gateway authorizers. We reported these issues to AWS in November 2022 and January 2023. AWS rolled out mitigations to all AWS customer accounts in May 2023.

“This allowed us to completely bypass the application’s tenant isolation and access data from any tenant in the system”

Official announcement from AWS: https://aws.amazon.com/blogs/security/removing-header-remapping-from-amazon-api-gateway-and-notes-about-our-work-with-security-researchers/

You must log in or # to comment.

Chat

Cloud Security@infosec.pub

cloudsecurity@infosec.pub

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]

Preventing storms.

Rules

Be excellent to each other!
Use the article title as the submission title. Do not editorialize the title or add your own commentary to the article title.
No vendor spam. Zero tolerance for content marketing.

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

6 users / day
6 users / week
6 users / month
6 users / 6 months
1 local subscriber
845 subscribers
22 Posts
0 Comments
Modlog

mods:
0xCBE@infosec.pub