I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty (theguptalog.blogspot.com) 87 points by tjek 1mo ago ↗ HN
[–] tedk-42 1mo ago ↗ Hmmm 12K seems like a bit much, even if it's fintech.They also didn't mention the company.The title feels clickbaity as it's not specific to AWS API gateway and instead, the implementation of it.And who hosts on blogspot...
[–] mapcars 1mo ago ↗ Interesting story showing how complex todays tech is, and your whole security plan can be compromised by regexp matching rules.
[–] sammy2255 1mo ago ↗ Did you Bypass AWS API Gateway.. or did you bypass it for a company who had their AWS API Gateway misconfigured?
[–] rvz 1mo ago ↗ The thing that absolutely should not be vibe coded, especially in fintech.Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.
[–] praptak 1mo ago ↗ Appending stuff to bypass blacklists is eternal.My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.
[–] me551ah 1mo ago ↗ You didn’t break API Gateway or bypass it, you broke the company using incorrect api gateway config.Your title is clickbait
[–] GeorgeWoff25 1mo ago ↗ The original article post https://vechron.com/2026/04/i-bypassed-aws-api-gateway-auth-...
[–] localhoster 1mo ago ↗ Tbh I always wondered how are we still matching routes using regex and not something like a radix tree? That would eliminate these kinds of issues no?
[–] flumpcakes 1mo ago ↗ This is a shocking mistake for a 'fintech' to make. This is supremely basic stuff.
18 comments
[ 3.3 ms ] story [ 43.1 ms ] threadThey also didn't mention the company.
The title feels clickbaity as it's not specific to AWS API gateway and instead, the implementation of it.
And who hosts on blogspot...
Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.
My first job, decades ago. I couldn't update something on my laptop because client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.
Your title is clickbait