low

AWS API Gateway HTTP header smuggling

Published Wed, Nov 10th, 2021

Platforms

Summary

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning and request smuggling.

Affected Services

API Gateway

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.intruder.io/research/practical-http-header-smuggling

Contributed by https://github.com/a10ns

Entry Status

Finalized

Disclosure Date

Wed, Nov 10th, 2021

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Daniel Thatcher, intruder

More vulnerabilities...

low

AWS API Gateway HTTP header smuggling

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning and request smuggling.

Daniel Thatcher, intruder

Wed, Nov 10th, 2021

low

AWS API Gateway HTTP header smuggling

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning and request smuggling.

Daniel Thatcher, intruder

Wed, Nov 10th, 2021

low

AWS API Gateway HTTP header smuggling

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning and request smuggling.

Daniel Thatcher, intruder

Wed, Nov 10th, 2021

View all