Beginner Lab | Red Team | AWS

Abuse Unauthenticated API to Leak Data

Exploit a misconfigured private AWS API Gateway and pivot from recon to initial access, and see how far you can go!

Scenario

Huge Logistics recently launched a private bug bounty program, allowing trusted security professionals to assess the security of their internal web applications. If you manage to compromise an application, the terms of the program allow you to try and increase your access to other resources. Your scraping of the bug bounty page revealed that a new IP address has been added to the in-scope assets. You've already uncovered a Python script by curling the new IP, which exposes certain secrets. Now it’s time to probe the IP and try to claim a bounty!

Lab prerequisites
  • Basic understanding of AWS CLI Commands
  • Basic understanding of AWS services
  • Familiarity with web reconnaissance
  • Familiarity with Git commands
Learning outcomes
  • Identify sensitive information in client-side code
  • Pivot to internal network access
  • Abuse API Gateway misconfiguration to leak data
  • Learn how the scenario could have been prevented


Real-world context

This lab mirrors a real-world attack scenario, demonstrating how adversaries may exploit API Gateway misconfigurations. Companies driven by pressures to quickly release new features may inadvertently overlook best security practices. For instance, the 2022 T-Mobile breach occurred when attackers exploited an API Gateway endpoint lacking authentication, resulting in unauthorized access to millions of customer records. Similarly, Optus experienced a significant breach via an exposed, unauthenticated test API endpoint, enabling attackers to harvest sensitive data.
