A Confused Deputy Vulnerability in AWS AppSync

We discussed this vulnerability during Episode 169 on 21 November 2022

Bypassing an authentication check in AWS AppSync by changing the case of a JSON key.

It's a common trick, but it's amazing to see it somewhere so sensitive. Within AppSync you have to create a role that the AppSync service will impersonate, granting it access to whatever it needs. The developer then creates the data source and gives AWS the Amazon Resource Name (ARN) of that role. At that point the service validates that the ARN belongs to the same AWS account; if it does not, it won't create the data source.

The catch is in how that validation is done: when handling the JSON API request it looks for the serviceRoleArn key exactly as spelled. If someone were to send servicerolearn (all lower-case) instead, the check would be bypassed, and one could supply an ARN belonging to any AWS account and access the data source through it.
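To make the bug class concrete, here is an added Python model of the pattern described above; it is not code from the original post and not AppSync's own implementation, whose internals are not known. It assumes a JSON request body, a role ARN under the key serviceRoleArn, and a validator that looks up the key case-sensitively while the code that later binds the role matches keys case-insensitively. The hardened version canonicalizes every key once, rejects unknown or duplicate fields, and only then runs the account check, so there is no spelling of the key that reaches the role binding without passing validation. All account ids and role names are constructed sample values.

```python
"""Toy model of a key-casing validation bypass and its fix.

Assumptions (not from the original page): the request is a JSON object,
the role ARN is carried under "serviceRoleArn", and the validator and the
consumer disagree on how keys are matched.  This reproduces only the bug
class, not any real service internals.
"""
import json
import re

# IAM role ARN: arn:aws:iam::<12-digit account>:role/<name>
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def account_of(role_arn):
    """Return the 12-digit account id embedded in an IAM role ARN, or None."""
    m = ARN_RE.match(role_arn or "")
    return m.group(1) if m else None


def validate_vulnerable(req, caller_account):
    """Flawed validator: only inspects the exact key spelling."""
    arn = req.get("serviceRoleArn")
    if arn is not None and account_of(arn) != caller_account:
        raise PermissionError("role ARN belongs to a different account")
    return req


def bind_role_case_insensitive(req):
    """Models a consumer that matches the key case-insensitively."""
    for key, value in req.items():
        if key.lower() == "servicerolearn":
            return value
    return None


def create_data_source_vulnerable(body, caller_account):
    """Vulnerable flow: a differently-cased key skips the check but still binds."""
    req = validate_vulnerable(json.loads(body), caller_account)
    return bind_role_case_insensitive(req)


# Hypothetical schema for the hardened path: lower-cased key -> canonical name.
CANONICAL_KEYS = {"servicerolearn": "serviceRoleArn", "name": "name", "type": "type"}


def canonicalize(req):
    """Map every key to one canonical spelling; reject unknowns and duplicates."""
    out = {}
    for key, value in req.items():
        canonical = CANONICAL_KEYS.get(key.lower())
        if canonical is None:
            raise ValueError(f"unknown field {key!r}")
        if canonical in out:
            raise ValueError(f"duplicate field {canonical!r}")
        out[canonical] = value
    return out


def create_data_source_hardened(body, caller_account):
    """Hardened flow: canonicalize first, then validate the one real key."""
    req = canonicalize(json.loads(body))
    arn = req.get("serviceRoleArn")
    if arn is None:
        raise ValueError("serviceRoleArn is required")
    if account_of(arn) != caller_account:
        raise PermissionError("role ARN belongs to a different account")
    return arn


if __name__ == "__main__":
    # Constructed sample: caller is account 111..., ARN belongs to 222...
    caller = "111111111111"
    foreign = json.dumps({"servicerolearn": "arn:aws:iam::222222222222:role/Demo"})
    print("vulnerable binds:", create_data_source_vulnerable(foreign, caller))
    try:
        create_data_source_hardened(foreign, caller)
    except PermissionError as exc:
        print("hardened rejects:", exc)
```

The design point is that validation and use must share a single view of the input: parse and normalize once, then operate only on the normalized object. Rejecting unknown keys also closes the duplicate-key variant, where a JSON body carries both spellings and the parser keeps whichever one it keeps last.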

This does rely on knowing the ARN of a role that explicitly allows the AppSync service to impersonate it, which may be a bit of an ask.