Description:

The Application Load Balancer is a feature of Elastic Load Balancing that allows a developer to configure and route incoming end-user traffic to applications based in the AWS public cloud. HTTP request smuggling vulnerabilities arise when the frontend and the backend interpret the boundary of an HTTP request differently, causing desynchronization between them. This is due to numerous frontend and backend libraries deviating from RFC specifications when dealing with both the Content-Length and the Transfer-Encoding headers.

Therefore, the Amazon Elastic Load Balancing (ELB) service introduced the Drop Invalid Header Fields feature (i.e. the "routing.http.drop_invalid_header_fields.enabled" flag) to improve security by enabling users to control whether an Application Load Balancer will forward non-standard headers sent in requests by clients to load balancer targets. Setting drop_invalid_header_fields from false to true prevents HTTP desync attacks.

Rationale:

Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that does not conform to well-known, defined headers will be removed by the load balancer.

Impact:

Removing these header values prevents HTTP desync attacks and vulnerabilities.

Default value:

By default, Application Load Balancers are not configured to drop invalid HTTP header values.


Pre-Requisite:

  1. Before implementation, make sure you have at least one Application Load Balancer in your AWS account.

  2. If you have both Classic Load Balancers and Application Load Balancers, make sure to implement this only on the Application Load Balancers.

Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/home

  3. In the left navigation panel, under the LOAD BALANCING section, choose Load Balancers.

  4. Select the Application Load Balancer that you want to examine. An Application Load Balancer (ALB) has the value application in the Type column.

  5. Select the Description tab to access the configuration information available for the selected load balancer. 

  6. In the Attributes section, verify the Drop Invalid Header Fields configuration attribute value. If the Drop Invalid Header Fields attribute value is set to Disabled, the Drop Invalid Header Fields feature is not enabled for the selected Amazon Application Load Balancer (ALB). 

  7. Repeat steps no. 4 – 6 for each Application Load Balancer created within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.



Using AWS CLI:

To describe the Drop Invalid Header Fields feature status for the selected load balancer:

aws elbv2 describe-load-balancer-attributes \
    --region us-east-1 \
    --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
    --query 'Attributes[?(Key == `routing.http.drop_invalid_header_fields.enabled`)].Value | []'

The command output should return the requested configuration status (true for enabled, false for disabled).
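
The per-load-balancer check above, extended to cover steps 7 and 8 (every ALB in each region you name), as an added example that is not part of the original page. The function names and the PASS/FAIL output format are assumptions; the script relies only on the describe-load-balancers and describe-load-balancer-attributes calls of the AWS CLI.

```shell
#!/bin/sh
# Added example: audit every ALB in the given regions for the
# Drop Invalid Header Fields attribute. Function names are hypothetical.

ATTR='routing.http.drop_invalid_header_fields.enabled'

# Print the ARNs of all Application Load Balancers in region $1, one per line.
# Classic and Network Load Balancers are filtered out by Type.
list_albs() {
    aws elbv2 describe-load-balancers --region "$1" \
        --query "LoadBalancers[?Type=='application'].LoadBalancerArn" \
        --output text | tr '\t' '\n'
}

# Print the attribute value ("true" or "false") for the ALB $2 in region $1.
drop_invalid_status() {
    aws elbv2 describe-load-balancer-attributes --region "$1" \
        --load-balancer-arn "$2" \
        --query "Attributes[?Key=='$ATTR'].Value | [0]" \
        --output text
}

# Audit the regions given as arguments. Prints one line per ALB and
# returns non-zero if any ALB is not dropping invalid header fields.
audit_regions() {
    rc=0
    for region in "$@"; do
        for arn in $(list_albs "$region"); do
            status=$(drop_invalid_status "$region" "$arn")
            if [ "$status" = "true" ]; then
                echo "PASS $region $arn"
            else
                echo "FAIL $region $arn (value: $status)"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Run only when regions are passed, e.g.: sh audit.sh us-east-1 eu-west-1
if [ "$#" -gt 0 ]; then
    audit_regions "$@"
fi
```

The non-zero exit status on any FAIL line lets the script act as a gate in a scheduled job or pipeline.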

Implementation:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/home

  3. In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

  4. Select the Application Load Balancer that you want to configure. 

  5. Select the Description tab and click on the Edit attributes button available in the Attributes section. 

  6. Within the Edit load balancer attributes configuration box, select the Drop Invalid Header Fields configuration checkbox to enable the Drop Invalid Header Fields security feature for the selected Application Load Balancer. Click Save to apply the configuration changes. 

  7. Repeat steps no. 4 – 6 to enable the feature for other Application Load Balancers (ALBs) available within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.



Using AWS CLI:

To enable the Drop Invalid Header Fields security feature for the selected load balancer: 

aws elbv2 modify-load-balancer-attributes \
    --region us-east-1 \
    --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
    --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true

The command output should return the configuration attributes for the modified Application Load Balancer. 

Backout plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  3. In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

  4. Select the Application Load Balancer that you want to reconfigure.

  5. Select the Description tab and click on the Edit attributes button available in the Attributes section.

  6. Within the Edit load balancer attributes configuration box, select the Drop Invalid Header Fields configuration checkbox to disable the Drop Invalid Header Fields security feature for the selected Application Load Balancer. Click Save to apply the configuration changes.


Using AWS CLI:

To disable the Drop Invalid Header Fields security feature for the selected load balancer, set the attribute to false:

aws elbv2 modify-load-balancer-attributes \
    --region us-east-1 \
    --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
    --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=false

References: