Handle HTTP Request Smuggling in API Gateway


Hello,

I have a Spring Boot application with API endpoints exposed. The EC2 instance is integrated with API Gateway via NLBs and ALBs. My security team has raised a Request Smuggling vulnerability against my API endpoint.

I cannot afford the migration to HTTP/2 and have to continue with HTTP/1.1 only. Is there any way I can reject requests in API Gateway by validating the Content-Length and Transfer-Encoding headers, so that the request never reaches my server?

1 Answer

You haven't mentioned which type of API Gateway you're using (REST or HTTP).

If using a REST API Gateway you can validate the request including the headers. So to prevent request smuggling you could block requests that have a header where "Transfer-Encoding" is "chunked".

AWS
EXPERT
answered 9 months ago
  • We also encountered the same issue during a security assessment. It appears that AWS API Gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested, or to enable WAF on the API Gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API Gateway inherently drops the Transfer-Encoding header.
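The check the answer describes, written out as an added example (it is not code from the answer, from AWS, or from the original poster's application). It is in Python for clarity and is the logic any hop that sees raw HTTP/1.1 bytes would apply; it makes no claim about what API Gateway itself does with the Transfer-Encoding header. It goes beyond matching a single "Transfer-Encoding: chunked" header: following RFC 7230 section 3.3.3, it rejects a request that carries both Content-Length and Transfer-Encoding, conflicting or non-numeric Content-Length values, whitespace inside a header name, or a Transfer-Encoding value other than exactly "chunked". It also computes where a Content-Length parser and a chunked parser each think the request ends, so the bytes a desynchronised pair of servers would disagree about are visible. All three sample requests (CL.TE, TE.CL, clean) are constructed for this example, and the hostname in them is a placeholder.

```python
"""Reject HTTP/1.1 requests whose body length is ambiguous (CL.TE / TE.CL).

The sample requests below are constructed for this example, not captured
traffic. Reject rules follow RFC 7230 section 3.3.3: a request carrying
both Content-Length and Transfer-Encoding, or conflicting/invalid
Content-Length values, ought to be treated as an error.
"""
import re

# Constructed CL.TE sample: Content-Length covers "0\r\n\r\nG" (6 bytes),
# while a chunked parser stops after the 0-size chunk and leaves "G" behind.
CL_TE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example\r\n"          # placeholder host
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)

# Constructed TE.CL sample: Content-Length stops after "8\r\n", while a
# chunked parser consumes the whole chunk plus the terminating 0 chunk.
TE_CL = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"8\r\nSMUGGLED\r\n0\r\n\r\n"
)

# Constructed clean sample: a single, unambiguous Content-Length.
CLEAN = (
    b"POST / HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)


def parse_request(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        # The name is kept unstripped so "Transfer-Encoding : chunked" stays visible.
        headers.append((name.decode("latin-1"), value.strip(b" \t").decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def chunked_body_end(body: bytes):
    """Offset just past a complete chunked body, or None if incomplete/malformed.
    Trailer fields are not supported: the 0-size chunk must be followed by CRLF."""
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end < 0:
            return None
        size_token = body[pos:line_end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_token, 16)
        except ValueError:
            return None
        pos = line_end + 2
        if size == 0:
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if body[pos + size:pos + size + 2] != b"\r\n":
            return None
        pos += size + 2


def _cl_te(headers):
    cl = [v for n, v in headers if n.lower() == "content-length"]
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    return cl, te


def classify(raw: bytes):
    """Return the reasons to reject the request; an empty list means accept."""
    _, headers, _ = parse_request(raw)
    cl, te = _cl_te(headers)
    reasons = []
    if any(n != n.strip() for n, _ in headers):
        reasons.append("whitespace inside a header name")
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        reasons.append("invalid Content-Length value")
    if len(set(cl)) > 1:
        reasons.append("conflicting Content-Length values")
    if te and (len(te) > 1 or te[0].lower() != "chunked"):
        reasons.append("Transfer-Encoding is not exactly 'chunked'")
    return reasons


def framing_views(raw: bytes):
    """(body end per Content-Length, body end per chunked parsing); None if absent."""
    _, headers, body = parse_request(raw)
    cl, te = _cl_te(headers)
    cl_end = int(cl[0]) if cl and re.fullmatch(r"[0-9]+", cl[0]) else None
    te_end = chunked_body_end(body) if te else None
    return cl_end, te_end


def smuggled_bytes(raw: bytes) -> bytes:
    """Bytes one parser counts as this request and the other leaves on the
    connection as the start of the next request (empty when framing agrees)."""
    cl_end, te_end = framing_views(raw)
    if cl_end is None or te_end is None:
        return b""
    body = parse_request(raw)[2]
    return body[min(cl_end, te_end):max(cl_end, te_end)]


if __name__ == "__main__":
    for label, req in (("CL.TE", CL_TE), ("TE.CL", TE_CL), ("clean", CLEAN)):
        verdict = "reject" if classify(req) else "accept"
        print(label, verdict, classify(req), "leftover:", smuggled_bytes(req))
```

Running the block prints a reject verdict for both ambiguous samples and an accept for the clean one; the "leftover" bytes are exactly what a second server would read as the beginning of the next request on the same connection. A filter like this is only useful at a hop that receives the raw request bytes, which, as the comment above notes, the poster could not get from API Gateway.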
