1 Antwort
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
0
You haven't mentioned which type of API Gateway you're using (REST or HTTP).
If using a REST API Gateway you can validate the request including the headers. So to prevent request smuggling you could block requests that have a header where "Transfer-Encoding" is "chunked".
Relevanter Inhalt
- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor 10 Monaten
- AWS OFFICIALAktualisiert vor 7 Monaten
- AWS OFFICIALAktualisiert vor 2 Jahren
We also encountered the same issue during a security assessment. It appears that the AWS API gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested or enable WAF on the API gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API gateways inherently drop the Transfer-Encoding header.
That's covered on this page in the documentation.