18 comments

[ 3.3 ms ] story [ 43.1 ms ] thread
$1 removing the slash, $11,999 knowing where to remove the slash from
Don’t vibe code your auth path folks.
Hmmm 12K seems like a bit much, even if it's fintech.

They also didn't mention the company.

The title feels clickbaity as it's not specific to AWS API gateway and instead, the implementation of it.

And who hosts on blogspot...

Interesting story showing how complex todays tech is, and your whole security plan can be compromised by regexp matching rules.
Did you Bypass AWS API Gateway.. or did you bypass it for a company who had their AWS API Gateway misconfigured?
The thing that absolutely should not be vibe coded, especially in fintech.

Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.

That's what you get for using Go mux
(comment deleted)
You didn’t break API Gateway or bypass it, you broke the company using incorrect api gateway config.

Your title is clickbait

(comment deleted)
Tbh I always wondered how are we still matching routes using regex and not something like a radix tree? That would eliminate these kinds of issues no?
This is a shocking mistake for a 'fintech' to make. This is supremely basic stuff.