Kong API Gateway Panel Exposure Scanner

This scanner detects exposed Kong API Gateway status panels in digital assets. The vulnerability is a publicly accessible internal /status endpoint, which can disclose server metrics to anyone who can reach it. The detection identifies such exposed endpoints so they can be addressed before unauthorized parties obtain sensitive server information.

Short Info

Level: Informational
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 2 weeks 3 hours
Scan only one: Domain, Subdomain, IPv4


Kong API Gateway is a popular open-source platform for managing API and microservice traffic. It is widely used by developers and businesses to route, secure, and manage API requests. The gateway offers high performance together with the scalability and flexibility needed to manage APIs across varied environments. Organizations use Kong API Gateway to provide API connectivity while keeping their APIs secure and reliable in operation. The platform includes features such as authentication, rate limiting, and logging, making it a comprehensive API management solution. It serves as a critical component for efficient and secure communication between client applications and backend services.

The vulnerability in focus is the internal status endpoint of Kong API Gateway being publicly accessible. The exposure may result from an IP restriction being bypassed through spoofed headers, which makes internal server metrics easy to obtain. The endpoint reveals server statistics such as active connections, database access status, memory usage, and more. Attackers could use this information to understand how the server is functioning and what its load patterns look like. By monitoring these metrics, a potential attacker can plan more precise and better-timed attacks. Left unaddressed, the exposure poses a significant risk to server security.

Technically, the vulnerability concerns the /status endpoint of Kong API Gateway being reachable from the public internet. Attackers might use this endpoint to extract sensitive details about the server environment, in some cases by manipulating specific HTTP headers. The data exposed at this endpoint can include metrics on active connections, database connectivity, and other performance-related statistics. The disclosure stems from core functionality of the API Gateway software rather than from a plugin or add-on. A consistent HTTP 200 status code combined with the endpoint's characteristic JSON content indicates an active exposure at this endpoint. Clusterbomb-style payload combinations may be effective when testing header manipulations.
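The detection signal described above (HTTP 200 plus the characteristic JSON body) can be checked with a small script. This is an added example, not the scanner's own code; it sends a plain GET request with no header manipulation, the field names it matches come from Kong's documented /status response rather than from this page, and the sample responses below are constructed for the offline test.

```python
import json
import urllib.error
import urllib.request

# Keys Kong's Admin API /status response is documented to carry in "server"
# (assumption based on Kong documentation, not taken from this page).
SERVER_KEYS = {"connections_active", "connections_accepted",
               "connections_handled", "total_requests"}


def is_kong_status_exposed(status_code: int, body: bytes) -> bool:
    """True when a response looks like an unauthenticated Kong /status reply."""
    if status_code != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:  # not JSON at all (e.g. an HTML error page)
        return False
    if not isinstance(data, dict):
        return False
    server = data.get("server")
    database = data.get("database")
    return (isinstance(server, dict) and SERVER_KEYS.issubset(server)
            and isinstance(database, dict) and "reachable" in database)


def check_host(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/status and report whether the metrics endpoint answers."""
    req = urllib.request.Request(base_url.rstrip("/") + "/status",
                                 headers={"User-Agent": "kong-status-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return is_kong_status_exposed(resp.status, resp.read())
    except urllib.error.HTTPError as exc:   # 401/403/404 still give us a body
        return is_kong_status_exposed(exc.code, exc.read())
    except (urllib.error.URLError, OSError):  # unreachable: not an exposure hit
        return False


# Constructed samples: one shaped like a Kong /status reply, one generic health body.
SAMPLE_EXPOSED = json.dumps({
    "database": {"reachable": True},
    "server": {"connections_accepted": 1204, "connections_active": 3,
               "connections_handled": 1204, "total_requests": 58011},
}).encode()
SAMPLE_OTHER = b'{"status": "ok"}'

if __name__ == "__main__":
    print("exposed:", is_kong_status_exposed(200, SAMPLE_EXPOSED))
```

A hit means the status listener answers without authentication from the scanning vantage point, so it should be bound to a private interface or placed behind network-level access control rather than relying on header-based IP checks alone.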

Exploiting this vulnerability exposes server information and therefore carries significant risk. Malicious actors can learn internal metrics and server behavior, which makes more direct and effective attacks possible. Attackers could monitor resource usage, predict downtime, or time attacks to coincide with peak traffic. Unauthorized access to server metrics also gives insight into resource allocation and potential weaknesses. The exposure can act as a stepping stone for more complex attacks that jeopardize the security and integrity of API services. Addressing this vulnerability is crucial for maintaining a secure API management environment.
