Trailing slash bypasses AWS API Gateway auth: $12K bug bounty from fintech
By tjek · 5d ago · 3 min read
Insight score: 75/100 (type: analysis, sentiment: neutral)
Summary
A security researcher found a critical authentication bypass in a fintech company's API, which ran on AWS HTTP API with a Lambda authorizer that validated a JWT against Cognito and returned an IAM policy. Adding a trailing slash to an endpoint path (e.g., /v1/accounts/ instead of /v1/accounts) skipped the authorizer entirely: the unauthenticated request returned full account data with a 200 status where the canonical path returned 401. The root cause was that the OpenAPI route definitions declared only the slash-less paths, and HTTP API Gateway does not treat /v1/accounts/ as the same route as /v1/accounts; the trailing-slash request was therefore never sent through the authorized route, yet it still reached a backend that served it. The practical lesson for defenders is that every route that can reach the backend, including any catch-all, must carry the authorizer, and that tests should exercise path spellings the API spec never mentions. The researcher disclosed the flaw responsibly and received a $12,000 bug bounty.
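The following probe is an added example written for this page; it is not the researcher's tooling and the host name and paths in it are constructed placeholders. It automates the check the article describes: request each protected path without credentials, then request alternate spellings of the same path and flag any spelling that is no longer rejected. It generalizes beyond the trailing slash to other spellings that routers and proxies commonly disagree on (doubled slashes, dot segments, a percent-encoded slash, a path-parameter separator); those extra variants are standard probes for this class of routing mismatch, not something the article reports finding.

```python
"""Probe an API for authentication decisions that change with path spelling.

Added example, not code from the original article. The base URL and paths
used in the offline demo are constructed placeholders.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher performs an unauthenticated GET and returns (status, body_bytes).
Fetcher = Callable[[str], Tuple[int, int]]

# Statuses that mean the variant was rejected or not routed at all, i.e. no bypass.
REJECTED = {401, 403, 404, 405}


def path_variants(path: str) -> List[str]:
    """Spellings of `path` that a router may treat as a different route.

    The first entry is the trailing-slash case from the article; the rest are
    the usual extra probes for the same class of mismatch (a generalization).
    """
    path = path.rstrip("/") or "/"
    head, _, last = path.rpartition("/")
    candidates = [
        path + "/",          # trailing slash: the article's finding
        path + "//",         # doubled trailing slash
        head + "//" + last,  # doubled interior slash
        head + "/./" + last, # dot segment, collapsed by some proxies but not others
        path + "%2F",        # percent-encoded trailing slash
        path + ";",          # path-parameter separator honoured by some servers
    ]
    seen, out = {path}, []
    for candidate in candidates:          # de-duplicate, never re-emit the canonical path
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)
    return out


def fetch_http(url: str, timeout: float = 10.0) -> Tuple[int, int]:
    """Real fetcher: unauthenticated GET, redirects are reported rather than followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "path-variant-probe"})
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, len(response.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def probe(base_url: str, paths: List[str], fetch: Fetcher) -> List[Dict]:
    """For every path rejected without credentials, report variants that are not rejected."""
    findings = []
    for path in paths:
        base_status, _ = fetch(base_url + path)
        if base_status not in (401, 403):
            continue  # canonical path is not protected; nothing for a variant to bypass
        for variant in path_variants(path):
            status, size = fetch(base_url + variant)
            if status not in REJECTED:
                findings.append({"canonical": path, "variant": variant,
                                 "expected": base_status, "got": status, "body_bytes": size})
    return findings


def report(findings: List[Dict]) -> str:
    if not findings:
        return "no path-variant auth discrepancies"
    return "\n".join(f"{f['canonical']} -> {f['variant']}: expected {f['expected']}, "
                     f"got {f['got']} ({f['body_bytes']} bytes)" for f in findings)


# Constructed stand-in for the API described in the article: the declared route
# rejects unauthenticated calls, but the trailing-slash spelling is served
# without ever reaching the authorizer. Anything else is unrouted (404).
_FAKE_ROUTES = {
    "/v1/accounts": (401, 0),
    "/v1/accounts/": (200, 2048),
    "/v1/transactions": (401, 0),
}


def fake_fetch(url: str) -> Tuple[int, int]:
    """Offline fetcher backed by the constructed route table above."""
    return _FAKE_ROUTES.get(urllib.parse.urlsplit(url).path, (404, 0))


if __name__ == "__main__":
    paths = ["/v1/accounts", "/v1/transactions"]
    if len(sys.argv) > 1:   # real target: python probe.py https://api.example.test
        print(report(probe(sys.argv[1].rstrip("/"), paths, fetch_http)))
    else:                   # offline demo against the constructed routes
        print(report(probe("https://api.example.test", paths, fake_fetch)))
```

Run it with no arguments to see the constructed case reproduce the article's finding; pass a base URL (with authorization from the owner) to probe a real API. Only variants that return something other than 401/403/404/405 are reported, so a route that is simply missing for a spelling does not count as a finding; a 2xx on a spelling whose canonical path is 401 is exactly the "one character, completely different security posture" the article describes.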
Key quotes (3 pulled)
· GET /v1/accounts returned 401. GET /v1/accounts/ returned 200 with full account data. One character. Completely different security posture.
· Lambda authorizer checked a JWT against Cognito, returned an IAM policy. Standard.
· The API ran on AWS HTTP API — the newer, cheaper alternative to REST API.

I was poking at a fintech’s mobile API and noticed something that made no sense. GET /v1/accounts returned 401. GET /v1/accounts/ returned...
