Trailing Slash Bypassed AWS Authentication
TL;DR: A security researcher discovered that adding a trailing slash to AWS HTTP API paths could bypass Lambda authorizer authentication entirely. This critical vulnerability, caused by a path normalization mismatch, enabled unauthorized actions, including wire transfers at a fintech company, highlighting a significant security risk.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published
- Source: InfoQ
Full summary
A simple trailing slash in AWS HTTP API paths allowed attackers to bypass authentication, leading to unauthorized access and financial transactions.
A security researcher discovered a critical vulnerability in AWS API Gateway where adding a trailing slash to an HTTP API path could completely bypass Lambda authorizer authentication. This seemingly minor modification allowed unauthenticated access to protected backend services. The flaw had severe real-world consequences, as it was exploited to execute unauthorized wire transfers at a fintech company, demonstrating the high-stakes nature of the issue. The exploit was possible because of a fundamental inconsistency in how the API Gateway parsed and processed URL paths, creating a security loophole that attackers could easily leverage without needing any special tools or credentials.
The root cause was identified as a path normalization mismatch between the service's routing and authorization layers. The API Gateway's greedy route matching system correctly identified the route even with the trailing slash, but the authorization component failed to apply the intended security policy to the normalized path. This discrepancy caused the system to default to an "allow" state, effectively leaving the endpoint unprotected. This class of vulnerability is not isolated to AWS; a similar issue was recently disclosed in the gRPC-Go library, underscoring a recurring security challenge in modern web services. The incident serves as a critical reminder for developers and security teams to ensure consistent path handling across their entire application stack to prevent such bypasses.
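The mismatch class described above, reduced to a toy router and authorizer so the failure mode and its fix are concrete. This is an added example, not AWS code and not from the InfoQ report: the route table, the policy table, the `normalize` helper and the `valid` token are all constructed stand-ins. The defective authorizer looks up its policy by the raw request path while the router matches on a normalized one, and it fails open when no policy is found; the hardened version normalizes once, hands the same canonical path to both layers, and fails closed.

```python
"""Toy model of a path-normalization mismatch between routing and authorization.

Added example (hypothetical router/authorizer, not AWS internals). The tables
and the "valid" token below are constructed for the demonstration.
"""

ROUTES = {"/transfers": "transfers_handler"}           # constructed route table
POLICIES = {"/transfers": "deny-unless-authorized"}    # constructed policy table


def normalize(path: str) -> str:
    """Collapse duplicate slashes and strip a trailing slash (keep a bare '/')."""
    while "//" in path:
        path = path.replace("//", "/")
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path


def authorize_mismatched(path: str, token) -> bool:
    # Defect 1: the policy lookup uses the raw path, so "/transfers/" has no entry.
    # Defect 2: a missing policy is treated as "allow" (fail open).
    policy = POLICIES.get(path)
    if policy is None:
        return True
    return token == "valid"


def handle_mismatched(path: str, token) -> int:
    """Router normalizes, authorizer does not: returns an HTTP-style status code."""
    handler = ROUTES.get(normalize(path))   # lenient match finds the route
    if handler is None:
        return 404
    if not authorize_mismatched(path, token):  # raw path passed through
        return 403
    return 200


def authorize_hardened(path: str, token) -> bool:
    # Fix 1: authorize on the same canonical path the router used.
    # Fix 2: no policy means no access (fail closed).
    policy = POLICIES.get(normalize(path))
    if policy is None:
        return False
    return token == "valid"


def handle_hardened(path: str, token) -> int:
    """Normalize exactly once and feed both layers the canonical path."""
    canonical = normalize(path)
    handler = ROUTES.get(canonical)
    if handler is None:
        return 404
    if not authorize_hardened(canonical, token):
        return 403
    return 200


if __name__ == "__main__":
    for p in ("/transfers", "/transfers/", "/transfers//"):
        print(f"{p!r:16} mismatched={handle_mismatched(p, None)} "
              f"hardened={handle_hardened(p, None)}")
```

The point of the hardened variant is not the specific normalization rules (yours may differ) but that there is one normalization step, applied before both routing and authorization, and that an unknown path is denied rather than allowed.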
Why it matters
A single character in a URL bypassed a core AWS security feature, leading to real financial theft. It shows how subtle inconsistencies in cloud services can create major, easily exploitable vulnerabilities, impacting any company relying on them for authentication.
Business impact
The vulnerability enabled direct financial fraud (unauthorized wire transfers), demonstrating a high-risk attack vector for any business using AWS API Gateway for sensitive operations. It erodes trust in managed security services and can lead to significant financial loss, reputational damage, and emergency engineering costs.
⚡ Action needed
AWS has addressed the issue. Teams using AWS HTTP APIs with Lambda authorizers should review access logs for unusual patterns, such as requests with trailing slashes, to identify any potential past exploitation.
Action checklist
1. Review AWS security bulletins to confirm the patch status for your region.
2. Audit API Gateway access logs for requests with unexpected trailing slashes.
3. Verify that your Lambda authorizers are correctly configured and logging all invocation attempts.
4. Consider implementing a WAF rule to normalize or block unusual URL patterns as an extra layer of defense.
5. Educate development teams on path normalization vulnerabilities.
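A starting point for step 2, the log audit, as an added example that is not from the InfoQ report or from AWS. HTTP API access logs contain whatever fields you mapped into your custom log format, so the JSON field names below (`path`, `routeKey`, `status`, `ip`, `requestTime`) are an assumption modelled on commonly used `$context` variables; the log lines themselves are constructed. The check flags successful requests whose raw path carries a trailing slash that the matched route key does not, which is the pattern the "Action needed" section says to look for.

```python
"""Scan API Gateway style access-log lines for trailing-slash requests that
succeeded against a route whose path has no trailing slash.

Added example; field names are assumed from a hypothetical custom log format,
and the sample lines are constructed for the demonstration.
"""
import json
from collections import Counter

# Constructed sample log (one JSON object per line).
SAMPLE_LOG = """\
{"requestId":"a1","ip":"198.51.100.10","requestTime":"01/Jan/2024:10:00:00 +0000","httpMethod":"POST","path":"/transfers","routeKey":"POST /transfers","status":"403"}
{"requestId":"a2","ip":"198.51.100.10","requestTime":"01/Jan/2024:10:00:05 +0000","httpMethod":"POST","path":"/transfers/","routeKey":"POST /transfers","status":"200"}
{"requestId":"a3","ip":"203.0.113.7","requestTime":"01/Jan/2024:10:01:00 +0000","httpMethod":"GET","path":"/health","routeKey":"GET /health","status":"200"}
{"requestId":"a4","ip":"198.51.100.10","requestTime":"01/Jan/2024:10:02:00 +0000","httpMethod":"POST","path":"/transfers/","routeKey":"POST /transfers","status":"200"}
not-json garbage line that a real log might contain
"""


def parse_lines(text: str) -> list:
    """Parse JSON-per-line log text, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def has_trailing_slash(rec: dict) -> bool:
    path = rec.get("path", "")
    return len(path) > 1 and path.endswith("/")


def route_path(rec: dict) -> str:
    """Route keys look like 'POST /transfers'; return the path component."""
    parts = rec.get("routeKey", "").split(" ", 1)
    return parts[1] if len(parts) == 2 else parts[0]


def find_suspicious(records: list) -> list:
    """Successful (2xx) requests whose raw path has a trailing slash that the
    matched route's path lacks, i.e. the route matched only after normalization."""
    hits = []
    for rec in records:
        if not has_trailing_slash(rec):
            continue
        status = str(rec.get("status", ""))
        if status.startswith("2") and route_path(rec) != rec.get("path"):
            hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Count suspicious requests per (source IP, raw path) for triage."""
    return dict(Counter((r.get("ip"), r.get("path")) for r in hits))


if __name__ == "__main__":
    found = find_suspicious(parse_lines(SAMPLE_LOG))
    for rec in found:
        print(rec["requestTime"], rec["ip"], rec["httpMethod"], rec["path"], rec["status"])
    print(summarize(found))
```

A hit here is not proof of exploitation: legitimate clients sometimes send trailing slashes. It narrows the log to the requests worth correlating with authorizer invocation logs (step 3) and with the backend's own records of what those requests did.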
Primary source: InfoQ
