Terraform All Http Methods Enabled
Description
Detects when an AWS API Gateway method is configured to accept ALL HTTP methods through the 'ANY' method setting. This creates overly permissive API endpoints that could allow attackers to use unexpected HTTP methods, potentially bypassing security controls or accessing unintended functionality.
Detection Strategy
• Examines AWS API Gateway method resources in Terraform configuration files
• Identifies method configurations where 'http_method' is set to 'ANY'
• Reports a vulnerability when an API Gateway method allows all HTTP methods instead of explicitly limiting to required methods
Vulnerable code example
resource "aws_api_gateway_method" "vulnerable_example" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.example.id
  http_method   = "ANY"     # VULNERABLE: Using "ANY" allows all HTTP methods, increasing attack surface
  authorization = "AWS_IAM" # Required argument; set so that the method setting is the only finding here
}
✅ Secure code example
resource "aws_api_gateway_method" "secure_example" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.example.id
  http_method   = "GET"     # Only allow specific HTTP methods needed for functionality
  authorization = "AWS_IAM" # Enable IAM authorization for access control
}