Amazon API Gateway

API Gateway WAF Disabled

This plug-in protects your APIs from being exploited.

Risk Level: Medium

Description:

AWS WAF (Web Application Firewall) lets you define rules that allow, block, or count web requests before they reach your API. A set of such rules is called a web access control list (Web ACL). Associating a Web ACL with an API stage helps prevent attacks against the API.

About the Service:

Amazon API Gateway is an AWS service that sits between clients and the backend services they call. It lets you create, deploy, and manage RESTful APIs and WebSocket APIs.

Impact:

AWS WAF is your first line of defense and is evaluated before other policies. If WAF is disabled, the API is exposed to attacks such as SQL injection, cross-site scripting, server-side request forgery, and remote code execution, which in turn degrade availability and performance, weaken security, and consume excess resources.

Steps to reproduce:

  1. Sign-in to AWS management console.
  2. Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/
  3. Open the API listing page by selecting APIs, present in the left navigation panel.
  4. Choose the API you want to examine.
  5. Select Stages in the API submenu to list the stages created for the selected API.
  6. Select the stage of your choice from the given stages.
  7. Select the Settings option from the dashboard.
  8. In the AWS WAF section, check the Web ACL dropdown list. If no Web ACL appears in the dropdown list, the selected API Gateway API stage is not associated with an AWS WAF Web ACL and is exposed to exploits.
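The same check, automated against the API Gateway API instead of the console, as an added example that is not part of this plug-in: a stage returned by GetStages carries a `webAclArn` only when a Web ACL is associated, so any REST API stage without one is a finding. It assumes boto3 is available only for the live collector, and the sample data is constructed; note that Web ACLs can be associated with REST API stages only, so HTTP and WebSocket APIs are out of scope for this check.

```python
"""Audit API Gateway REST API stages for a missing AWS WAF Web ACL association."""
from typing import Dict, List


def find_unprotected_stages(apis: List[dict], stages_by_api: Dict[str, List[dict]]) -> List[str]:
    """Return 'restApiId/stageName' for every stage without an associated Web ACL.

    apis          - items from apigateway:GetRestApis
    stages_by_api - restApiId -> items from apigateway:GetStages
    """
    findings = []
    for api in apis:
        for stage in stages_by_api.get(api["id"], []):
            # A missing or empty webAclArn means no WAF Web ACL protects this stage.
            if not stage.get("webAclArn"):
                findings.append(f'{api["id"]}/{stage["stageName"]}')
    return findings


def collect_live(region: str) -> List[str]:
    """Run the same check against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the pure check above runs without boto3

    client = boto3.client("apigateway", region_name=region)
    # GetRestApis is paginated; GetStages returns all stages of one API at once.
    apis = [a for page in client.get_paginator("get_rest_apis").paginate() for a in page["items"]]
    stages = {a["id"]: client.get_stages(restApiId=a["id"])["item"] for a in apis}
    return find_unprotected_stages(apis, stages)


# Constructed sample data (not from a real account): two APIs, three stages.
SAMPLE_APIS = [{"id": "abc123", "name": "orders"}, {"id": "def456", "name": "billing"}]
SAMPLE_STAGES = {
    "abc123": [
        {"stageName": "prod", "webAclArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/edge/EXAMPLE"},
        {"stageName": "dev"},  # no WAF association: this is a finding
    ],
    "def456": [{"stageName": "prod", "webAclArn": ""}],  # empty ARN also counts as unprotected
}

if __name__ == "__main__":
    for finding in find_unprotected_stages(SAMPLE_APIS, SAMPLE_STAGES):
        print(f"[Medium] API Gateway WAF Disabled: {finding}")
```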

Steps for remediation:

  1. Sign-in to AWS management console.
  2. Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/
  3. Open the API listing page by selecting APIs, present in the left navigation panel.
  4. Choose the API you want to examine.
  5. Select Stages in the API submenu to list the stages created for the selected API.
  6. Select the stage on which you want to enable WAF from the given stages.
  7. Select the Settings option from the dashboard.
  8. Click the Create Web ACL link in the AWS WAF section and create your own AWS WAF Web ACL.
  9. Once your Web ACL is created, return to the Amazon API Gateway console, select the name of the new ACL from the Web ACL list, and click Save Changes to associate it with the selected API stage.

References: