medium

ELB Cache mechanism HTTP header smuggling

Published Tue, May 17th, 2022
Platforms

Summary

While testing rate-limiter protection, the researcher noticed that when forcing HTTP/1 requests and injecting a space after `X-Forwarded-For` he was able to override this specific header, letting him impersonate any IP. Any internal header could have been overridden, including those that should never be exposed to or forwarded from the client, such as `CloudFront-Viewer-Country-Region` or any other `CloudFront` enhanced header. This security issue affected all AWS users with a specific setting enabled.
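As an added defender's illustration (not code from the original advisory or from AWS), the following Python models the failure mode described above on a constructed header block: a backend that trims whitespace from header names merges a client-sent `X-Forwarded-For ` onto the proxy's real `X-Forwarded-For`, while an RFC 7230 token check on the field name detects the malformed line and a hardened merge rejects the message. Function names and the sample IPs are assumptions.

```python
import re

# RFC 7230 field names are "tokens": no whitespace allowed, and section 3.2.4
# says a server MUST reject a message with whitespace between name and colon.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_header_block(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x header block into (name, value) pairs, keeping names exactly as sent."""
    pairs = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return pairs

def malformed_names(pairs: list[tuple[str, str]]) -> list[str]:
    """Detection: header names that are not tokens, e.g. 'X-Forwarded-For ' with a trailing space."""
    return [name for name, _ in pairs if not _TOKEN.match(name)]

def lenient_merge(pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """A lenient hop that trims and lowercases names before merging: the
    client's spaced header collapses onto the proxy-set X-Forwarded-For."""
    merged: dict[str, list[str]] = {}
    for name, value in pairs:
        merged.setdefault(name.strip().lower(), []).append(value)
    return merged

def strict_merge(pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Hardened variant: refuse the whole message if any header name is malformed."""
    bad = malformed_names(pairs)
    if bad:
        raise ValueError(f"400 Bad Request: whitespace in header name(s) {bad}")
    merged: dict[str, list[str]] = {}
    for name, value in pairs:
        merged.setdefault(name.lower(), []).append(value)
    return merged

def first_hop_ip(merged: dict[str, list[str]]) -> str:
    """What an application that trusts the first X-Forwarded-For entry would treat as the client IP."""
    return merged["x-forwarded-for"][0]

# Constructed sample (documentation IPs): line 2 was sent by the client, line 3 appended by the proxy.
SAMPLE = (
    b"Host: app.example\r\n"
    b"X-Forwarded-For : 203.0.113.5\r\n"
    b"X-Forwarded-For: 198.51.100.7\r\n"
)
```

With the lenient merge the spoofed address (203.0.113.5) comes first and wins; the strict merge refuses the message outright, which is the behaviour the RFC requires of the first hop.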

Affected Services

ELB

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Sun, Jan 24th, 2021
Exploitability Period
Fixed on 2022/01/29
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Andrea Brancaleoni, Brave