HTTP header smuggling attack on AWS API Gateway exposes systems to cache poisoning

Charlie Osborne November 16, 2021 at 11:58 UTC

Updated: November 16, 2021 at 12:00 UTC

New hacking technique could pave the way for more serious attacks

A security researcher explained how a weakness in the Amazon Web Services (AWS) API Gateway could be exploited through an HTTP header smuggling attack.

Daniel Thatcher, researcher and penetration tester at Intruder, said in a blog post dated November 10 that header smuggling, a related new form of request smuggling technique, can be used to hide HTTP request headers from some servers while keeping them visible to others.

Tampering with which headers each server in a chain can see opens the door to malicious requests and request smuggling. When front-end and back-end servers disagree about a request, the result can be leaked data and secrets, bypassed IP restrictions, and cache poisoning.

Bypass security checks

The header smuggling method described by Thatcher mutates a request header so that it reaches the back-end infrastructure without being processed by a trusted front-end service.

Thatcher says that during the analysis of bug bounty programs, he observed that APIs using the AWS API Gateway allow headers to be smuggled.

If an attacker added characters to a header name after a space, for example by passing to, the header was mutated in a way that caused Amazon's security checks to be bypassed.

Additionally, the header was stripped and rewritten by a front-end server, making it vulnerable to the same tampering and, therefore, allowing the IP restrictions of AWS resource policies to be bypassed.

“Back-end servers often rely on front-end servers providing precise information in HTTP request headers,” Thatcher explains. “[To] provide this information accurately, the front-end servers must filter out the values of these headers supplied by the client, which are unreliable and cannot be trusted.

“However, when header smuggling is used, these filters can be avoided and the information can be sent to back-end systems where it is treated as trusted data.”
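The filtering problem Thatcher describes can be illustrated with a small model of a front end that strips a client-supplied trust header before adding its own. The example below is added here and is not code from Intruder, AWS, or the original article; the header name `X-Client-IP`, the request lines, and the client address are constructed for the demonstration. It contrasts a front end that drops sensitive headers by exact name match with one that first validates every header name against the RFC 7230 token grammar and rejects the request when a name contains a space or other non-token character, which is the check that stops a mutated name from reaching a lenient back end.

```python
import re

# RFC 7230 "token" characters: a header name may contain only these.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Hypothetical header the front end sets to tell the back end the client's IP.
SENSITIVE_HEADERS = {"x-client-ip"}


def parse_headers(raw):
    """Split raw CRLF-delimited header lines into (name, value) pairs.

    Deliberately lenient about the name, like many real parsers: everything
    before the first ':' is taken as the name, whatever it contains.
    """
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))
    return headers


def naive_frontend(raw, client_ip):
    """Drop client-supplied sensitive headers by exact (trimmed) name match.

    A name such as 'X-Client-IP abcd' does not equal 'x-client-ip' after
    trimming, so it is forwarded untouched alongside the front end's own header.
    """
    forwarded = [
        (name, value)
        for name, value in parse_headers(raw)
        if name.strip().lower() not in SENSITIVE_HEADERS
    ]
    forwarded.append(("X-Client-IP", client_ip))
    return forwarded


def strict_frontend(raw, client_ip):
    """Reject the whole request if any header name is not a valid token.

    Returns None to signal a 400 Bad Request; otherwise strips the sensitive
    headers and appends the trusted one, as the naive version does.
    """
    forwarded = []
    for name, value in parse_headers(raw):
        if not TOKEN_RE.match(name):
            return None
        if name.lower() in SENSITIVE_HEADERS:
            continue
        forwarded.append((name, value))
    forwarded.append(("X-Client-IP", client_ip))
    return forwarded


def lenient_backend_client_ip(headers):
    """Model a back end that tolerates junk after the header name.

    It keys on the first whitespace-separated word of the name and takes the
    first match, so a smuggled header wins over the one the front end appended.
    """
    for name, value in headers:
        if name.split()[0].lower() == "x-client-ip":
            return value
    return None


# Constructed request: the client supplies a mutated trust header.
MUTATED_REQUEST = "Host: example.test\r\nX-Client-IP abcd: 10.0.0.1\r\n"
# Constructed request: a plain attempt to set the header, which both front ends strip.
PLAIN_REQUEST = "Host: example.test\r\nX-Client-IP: 10.0.0.1\r\n"
REAL_CLIENT_IP = "203.0.113.5"


def demo():
    """Return what the back end believes the client IP is under each front end."""
    naive = lenient_backend_client_ip(naive_frontend(MUTATED_REQUEST, REAL_CLIENT_IP))
    strict = strict_frontend(MUTATED_REQUEST, REAL_CLIENT_IP)
    return naive, strict


if __name__ == "__main__":
    naive_ip, strict_result = demo()
    print("naive front end, back end sees client IP:", naive_ip)
    print("strict front end result:", "400 Bad Request" if strict_result is None else strict_result)
```

The naive path lets the back end see the spoofed `10.0.0.1`; the strict path never forwards the request. The general point for defenders is that a front end should enforce the header-name grammar itself rather than rely on every downstream parser being equally strict, and that any rejection of malformed names is worth logging, since such requests are otherwise rare.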

Coordinated disclosure

Thatcher shared his findings with the AWS security team, and the IP bypass issue was quickly resolved.

However, after further testing, the researcher said it was still possible to pass headers to back-end servers using the same mutation method and header, causing an “easily exploitable cache poisoning issue”.

During a penetration test, the researcher also discovered a similar IP restriction bypass issue in AWS Cognito, a service for managing user sign-in and access to AWS resources.

In this case, the vulnerability is considered “very minor” because it allowed an attacker to make only 10 ‘forgot password’ requests in total before the suspicious IP address was blocked.

Thatcher thanked the AWS team for their quick response, noting that the team works “very quickly to resolve vulnerabilities given the scale of their infrastructure.”

The Daily Swig has contacted the AWS team. This article will be updated if we hear back.
