I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

tjek 87 points 39 comments May 26, 2026
theguptalog.blogspot.com

Discussion Highlights (13 comments)

A_Duck

$1 removing the slash, $11,999 knowing where to remove the slash from

redrove

Don’t vibe code your auth path folks.

IshKebab

You could have written this up without using AI and I would have hated it less.

tedk-42

Hmmm, 12K seems like a bit much, even if it's fintech. They also didn't mention the company. The title feels clickbaity, as it's not specific to AWS API Gateway but rather to the implementation of it. And who hosts on blogspot...

mapcars

Interesting story showing how complex today's tech is, and your whole security plan can be compromised by regexp matching rules.

sammy2255

Did you bypass AWS API Gateway... or did you bypass it for a company who had their AWS API Gateway misconfigured?

rvz

The thing that absolutely should not be vibe coded, especially in fintech. Turning a $10 bug into a $12K issue and if this was at a big tech company it would be a $120K+ issue.

brian_herman

You deserve the trip, nice find!

praptak

Appending stuff to bypass blacklists is eternal. My first job, decades ago. I couldn't update something on my laptop because the client's gateway blocked `http://foo.com/update.exe`. Guess what, `http://foo.com/update.exe?` worked as a bypass.

anacrolix

That's what you get for using Go mux

me551ah

You didn't break API Gateway or bypass it, you broke the company using an incorrect API Gateway config. Your title is clickbait.

GeorgeWoff25

The original article post https://vechron.com/2026/04/i-bypassed-aws-api-gateway-auth-...

localhoster

Tbh, I always wondered how we are still matching routes using regex and not something like a radix tree? That would eliminate these kinds of issues, no?
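The two recurring points in this thread, praptak's "append something to the URL" bypass and localhoster's question about regex route matching, are really the same bug: the component making the allow/deny decision sees a different path than the component that serves the request. The following is an added example written for this page, not code from the post or from AWS; the protected route `/admin/users`, the public paths and the regex are hypothetical. It shows a fragile check that matches the raw request target against an anchored regex beside a hardened check that canonicalises the path first and then default-denies anything not explicitly public. The fix is less about regex versus radix tree than about canonicalising before the auth decision and treating the unmatched case as "auth required" rather than "open".

```python
"""Trailing-slash / appended-junk auth bypass, and the canonicalise-then-match fix.

Added example for the discussion above. The route, the public-path list and the
sample request targets are constructed for illustration; they are not taken from
the post or from any real AWS API Gateway configuration.
"""
import re
from urllib.parse import unquote, urlsplit

# Hypothetical "this route needs auth" rule written the fragile way: an anchored
# regex applied to the raw request target, exactly as received.
PROTECTED_RE = re.compile(r"^/admin/users$")


def naive_requires_auth(request_target: str) -> bool:
    """Returns True only when the raw target matches the regex byte-for-byte.
    A trailing slash, an empty query string, a doubled slash or a dot segment
    all make it return False, while a typical backend router still serves
    /admin/users for each of them."""
    return PROTECTED_RE.match(request_target) is not None


def canonical_path(request_target: str) -> str:
    """Canonicalise a request target the way a forgiving backend router would
    before routing: drop query and fragment, percent-decode once, collapse
    repeated slashes, resolve '.' and '..' segments, drop a trailing slash.
    Decoding exactly once matters: decoding in a loop re-opens double-encoding."""
    path = unquote(urlsplit(request_target).path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty segment (leading, doubled or trailing slash) or '.'
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


# Default-deny posture: list what is reachable WITHOUT auth; everything else
# requires auth. Constructed for the example.
PUBLIC_PATHS = {"/", "/health", "/login"}


def hardened_requires_auth(request_target: str) -> bool:
    """Auth is required unless the canonical form of the path is explicitly public."""
    return canonical_path(request_target) not in PUBLIC_PATHS


# Constructed variants of the protected route that a regex on the raw target misses.
BYPASS_ATTEMPTS = [
    "/admin/users/",          # trailing slash (the post's case)
    "/admin/users?",          # empty query string (praptak's case)
    "/admin//users",          # doubled slash
    "/admin/./users",         # dot segment
    "/admin/x/../users",      # dot-dot segment
    "/admin/%75sers",         # percent-encoded 'u'
]


def audit(attempts):
    """Return the request targets that the naive check lets through unauthenticated
    but that the hardened check correctly gates."""
    return [t for t in attempts if not naive_requires_auth(t) and hardened_requires_auth(t)]


if __name__ == "__main__":
    for target in audit(BYPASS_ATTEMPTS):
        print(f"{target!r:24} naive: open   hardened: auth required  "
              f"(canonical {canonical_path(target)!r})")
```

The check that matters when reviewing a gateway or reverse-proxy setup is whether the path the auth layer evaluates is the same string the origin router evaluates; if the two normalise differently, every normalisation step the origin performs (trailing slash, dot segments, percent-decoding, case folding) is a candidate bypass, regardless of whether the matcher is a regex or a trie.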
