I'm currently managing an ECS setup that flows like this: route53 points to CloudFront, which routes `/api` requests to an Application Load Balancer (ALB), and then to an Nginx service on ECS. While this configuration works well from an application standpoint, we've recently been notified about a potential HTTP request smuggling vulnerability. I'm looking for strategies to mitigate this issue. Is switching Nginx to SSL with HTTP/2 the only solution, or are there other options to address this vulnerability?
4 Answers
First off, enabling the 'Drop Invalid Header Fields' feature on your ALB is crucial. Just be careful when you consider setting the ALB's desync mitigation mode to 'strictest'—that could potentially block some legitimate traffic, so it's best to test thoroughly first. Ideally, you're looking to move towards encryption in transit throughout your setup, though keep in mind there may be some risks that come with that. Also, do you have a Web Application Firewall (WAF) in place? It’s important to know how this vulnerability was flagged: was it from manual testing or an automated scan? Understanding whether it's a genuine vulnerability is key.
Doesn't AWS normally reject requests that have both Content-Length and Transfer-Encoding set? That goes against the HTTP spec, right?
Make sure to check your security settings on the ALB. According to the AWS docs, enabling `routing.http.drop_invalid_header_fields` can help combat certain types of smuggling attacks. Plus, you might want to set `routing.http.desync_mitigation_mode` to 'strictest' as well.
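Two answers above name the same pair of ALB attributes. The following is an added example (not code from the thread, and not AWS's own tooling) that audits an ALB attribute list against those settings and encodes what each desync mitigation mode actually blocks, which is the piece a practitioner needs before deciding whether `strictest` is safe for their clients. The attribute keys, their defaults (`defensive` and `false`) and the mode/classification table are taken from the ALB documentation; `SAMPLE_ATTRIBUTES` and `HARDENED_ATTRIBUTES` are constructed to mirror the shape of the `Attributes` list returned by `aws elbv2 describe-load-balancer-attributes`, not a real load balancer, and the ARN passed to `remediation_command()` is a placeholder.

```python
"""Audit the two ALB attributes the answers point at, and show what each
desync mitigation mode does with each request classification.

Added example, not code from the thread or from AWS. Attribute keys, defaults
and the policy table come from the ALB documentation; the attribute lists
below are constructed samples, not output from a real ALB.
"""

# Request classifications the ALB assigns (Compliant, Acceptable, Ambiguous,
# Severe) against each desync_mitigation_mode:
# True = forwarded to the target, False = rejected at the load balancer.
DESYNC_POLICY = {
    "monitor":   {"Compliant": True, "Acceptable": True,  "Ambiguous": True,  "Severe": True},
    "defensive": {"Compliant": True, "Acceptable": True,  "Ambiguous": True,  "Severe": False},
    "strictest": {"Compliant": True, "Acceptable": False, "Ambiguous": False, "Severe": False},
}

DROP_INVALID = "routing.http.drop_invalid_header_fields"
DESYNC_MODE = "routing.http.desync_mitigation_mode"
# Documented defaults for a new ALB.
DEFAULTS = {DROP_INVALID: "false", DESYNC_MODE: "defensive"}


def request_allowed(mode, classification):
    """Does a request with this classification reach the target under this mode?"""
    return DESYNC_POLICY[mode][classification]


def effective_settings(attributes):
    """Overlay a describe-load-balancer-attributes list on the documented defaults."""
    settings = dict(DEFAULTS)
    settings.update({a["Key"]: a["Value"] for a in attributes if a["Key"] in DEFAULTS})
    return settings


def audit(attributes):
    """Return a list of findings; an empty list means both mitigations are on."""
    s = effective_settings(attributes)
    findings = []
    if s[DROP_INVALID] != "true":
        findings.append("%s=%s: headers with invalid names or values are forwarded "
                        "to the targets instead of being dropped" % (DROP_INVALID, s[DROP_INVALID]))
    mode = s[DESYNC_MODE]
    if mode == "monitor":
        findings.append("%s=monitor: no request is rejected, non-compliant ones are "
                        "only counted" % DESYNC_MODE)
    elif mode == "defensive":
        findings.append("%s=defensive: Severe requests are rejected, but Ambiguous "
                        "ones are still forwarded, so the backend's own framing "
                        "rules still matter" % DESYNC_MODE)
    return findings


def remediation_command(alb_arn, mode="strictest"):
    """The aws CLI call that turns both mitigations on (alb_arn is a placeholder)."""
    return ("aws elbv2 modify-load-balancer-attributes --load-balancer-arn %s "
            "--attributes Key=%s,Value=true Key=%s,Value=%s"
            % (alb_arn, DROP_INVALID, DESYNC_MODE, mode))


# Constructed sample: an ALB still on the defaults (other attributes omitted).
SAMPLE_ATTRIBUTES = [
    {"Key": "deletion_protection.enabled", "Value": "false"},
    {"Key": DROP_INVALID, "Value": "false"},
    {"Key": DESYNC_MODE, "Value": "defensive"},
]

# Constructed sample: the same ALB after both attributes have been set.
HARDENED_ATTRIBUTES = [
    {"Key": DROP_INVALID, "Value": "true"},
    {"Key": DESYNC_MODE, "Value": "strictest"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ATTRIBUTES):
        print("FINDING:", finding)
    print(remediation_command("arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/NAME/ID"))
```

The policy table is the reason for the caution about `strictest` above: it rejects `Acceptable` and `Ambiguous` requests as well as `Severe` ones, so clients that deviate from the spec in harmless ways start getting errors. Before switching, watch the `DesyncMitigationMode_NonCompliant_Request_Count` CloudWatch metric and the `classification` and `classification_reason` fields in the ALB access logs under the current mode to see how much traffic would be affected.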
A big part of solving this is ensuring that all layers are consistent with how they handle headers. In Nginx, you should disable chunked transfer encoding by setting `chunked_transfer_encoding off;`. Also, reject any requests that simultaneously have both `Content-Length` and `Transfer-Encoding` headers. You could also implement AWS WAF in front of CloudFront to filter out suspicious headers and patterns.
But why disable chunked transfer encoding? That would prevent streaming on the client's end. Just focus on rejecting cases where both headers are present.
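The last two posts disagree about disabling chunked encoding but agree that a request carrying both `Content-Length` and `Transfer-Encoding` must be rejected. The following added example (not code from the thread, from Nginx or from the ALB) shows why that rule, and not a preference for one header over the other, is the fix: a small HTTP/1.1 request framer that can be told which header to trust splits the same bytes into a different number of requests depending on that choice, while a request that uses only chunked encoding frames identically either way. `frame()`, `ambiguity_reason()` and `screen()` are names chosen here; `CLEAN` and `AMBIGUOUS` are constructed byte strings, not captured traffic.

```python
"""Why a request with both Content-Length and Transfer-Encoding is rejected
outright instead of being 'resolved' in favour of one header.

Added example, not code from the thread, from Nginx or from the ALB. frame()
is a deliberately small HTTP/1.1 framer that can be told which header to trust;
CLEAN and AMBIGUOUS are constructed samples, not captured traffic.
"""


def parse_head(buf, start):
    """Parse the request line and headers of the request starting at `start`.

    Returns (request_line, headers, body_start). headers maps the lowercased
    field name to the list of values seen; duplicates are kept on purpose,
    because they are part of what can make a request ambiguous.
    """
    end = buf.index(b"\r\n\r\n", start)
    lines = buf[start:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii")
        headers.setdefault(key, []).append(value.strip().decode("ascii"))
    return lines[0].decode("ascii"), headers, end + 4


def chunked_body_end(buf, pos):
    """Walk chunk-size lines up to the zero chunk, then past any trailers."""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break
        pos += size + 2                                   # chunk data plus its CRLF
    while True:                                           # trailers end at an empty line
        line_end = buf.index(b"\r\n", pos)
        if line_end == pos:
            return pos + 2
        pos = line_end + 2


def frame(buf, honor):
    """Split `buf` into requests and return their request lines.

    honor='te' trusts Transfer-Encoding when present; honor='cl' ignores it and
    trusts Content-Length. A front end and a back end that pick differently
    is exactly the disagreement a request-smuggling attack relies on.
    """
    requests, pos = [], 0
    while pos < len(buf):
        request_line, headers, body_start = parse_head(buf, pos)
        if honor == "te" and "transfer-encoding" in headers:
            pos = chunked_body_end(buf, body_start)
        elif "content-length" in headers:
            pos = body_start + int(headers["content-length"][0])
        else:
            pos = body_start
        requests.append(request_line)
    return requests


def ambiguity_reason(headers):
    """The check recommended above: None if the framing is unambiguous, else why not."""
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "non-numeric Content-Length"
    # Only the final transfer coding may be chunked; anything else has no defined length.
    if te and te[-1].split(",")[-1].strip().lower() != "chunked":
        return "Transfer-Encoding does not end with chunked"
    return None


def screen(buf):
    """Apply ambiguity_reason() to the first request in the buffer."""
    _, headers, _ = parse_head(buf, 0)
    return ambiguity_reason(headers)


# Constructed sample: an ordinary request, framed by Content-Length only.
CLEAN = (b"POST /api/upload HTTP/1.1\r\n"
         b"Host: api.example.invalid\r\n"
         b"Content-Length: 5\r\n"
         b"\r\n"
         b"hello")

# Constructed sample: one request carrying BOTH framing headers. Content-Length
# covers the zero chunk and the bytes after it; a chunked parser stops at the
# zero chunk and treats the remainder as the start of a second request.
_SECOND = b"GET /smuggled HTTP/1.1\r\nHost: api.example.invalid\r\n\r\n"
_BODY = b"0\r\n\r\n" + _SECOND
AMBIGUOUS = (
    b"POST /api/upload HTTP/1.1\r\n"
    + b"Host: api.example.invalid\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode("ascii") + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n"
    + b"\r\n"
    + _BODY
)

if __name__ == "__main__":
    for honor in ("cl", "te"):
        print("honor=%s -> %s" % (honor, frame(AMBIGUOUS, honor)))
    print("screen(CLEAN)     ->", screen(CLEAN))
    print("screen(AMBIGUOUS) ->", screen(AMBIGUOUS))
```

Note that `CLEAN` and a request with only `Transfer-Encoding: chunked` frame the same way under both settings, which is the point of the last comment: streaming uploads do not need chunked encoding disabled, they need the conflicting-header case refused. Applying `ambiguity_reason()` before forwarding is what the ALB's desync mitigation does at the edge; doing the same in Nginx, or in a WAF rule in front of CloudFront, covers whatever reaches the service by another path.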