Hey everyone! I'm looking for some advice on how to deal with an HTTP request smuggling vulnerability that was flagged in our ECS setup. Currently, our architecture flows like this: Route53 -> CloudFront -> ALB -> ECS Nginx service, routing all traffic to port 80 on the Nginx service. Everything seems to be working fine application-wise, but now I'm worried about this security issue. Is the only way to fix it to update Nginx for SSL and HTTP/2, or are there other options I can consider? Thanks!
3 Answers
Check if you have your security settings enabled on the ALB. There are attributes like `routing.http.drop_invalid_header_fields.enabled` that can help mitigate some smuggling attacks. You might also consider setting `routing.http.desync_mitigation_mode` to strictest as well, if that's appropriate for your case.
The key here is to ensure that all layers of your setup handle headers consistently. For Nginx, I’d suggest setting `chunked_transfer_encoding off;` and rejecting any requests that include both `Content-Length` and `Transfer-Encoding` headers. Additionally, implementing AWS WAF in front of CloudFront can help you block any suspicious headers or patterns that could be exploited.
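To make the two answers above concrete (the ALB desync mitigation modes named in the first, and the "reject requests that carry both `Content-Length` and `Transfer-Encoding`" rule in the second), here is an added example that is not from the original thread or from AWS. It classifies raw HTTP/1.1 requests the way a desync-aware front end has to, then maps the three ALB mode names onto that classification. The rules are a deliberately simplified approximation, not the real ALB classifier (which also has an "acceptable" class this toy does not model), and the sample requests are constructed, not captured traffic.

```python
"""Classify raw HTTP/1.1 requests by how unambiguously the body is framed.

Added example. The classification rules are a simplified approximation of
what a desync-aware proxy (ALB desync mitigation, or an Nginx rule that
rejects CL+TE requests) must decide; they are not the exact ALB algorithm.
"""
import re

# RFC 9112 field-name token; whitespace before the colon is NOT allowed
# (servers must reject it), which kills one common obfuscation.
_HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_headers(raw: bytes):
    """Return (request_line, [(lowercased_name, value), ...]).

    Raises ValueError for anything a strict parser should refuse:
    missing CRLFCRLF, bare LF inside the header block, non-ASCII request
    line, or a header line that is not 'token: value'."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLFCRLF")
    lines = head.split(b"\r\n")
    if any(b"\n" in line for line in lines):
        raise ValueError("bare LF inside header block")
    request_line = lines[0].decode("ascii", "strict")
    headers = []
    for line in lines[1:]:
        match = _HEADER_RE.match(line.decode("latin-1"))
        if not match:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((match.group(1).lower(), match.group(2)))
    return request_line, headers


def classify(raw: bytes) -> str:
    """Return 'compliant', 'ambiguous' or 'severe'.

    severe    : unparseable header block, Content-Length that is not plain
                decimal digits, or two Content-Length values that disagree
    ambiguous : Content-Length and Transfer-Encoding both present (CL.TE /
                TE.CL), or a Transfer-Encoding whose final coding is not
                exactly 'chunked' (TE.TE obfuscation such as 'xchunked')
    compliant : everything else
    """
    try:
        _, headers = parse_headers(raw)
    except ValueError:
        return "severe"
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]

    # Parsers disagree on '+5', '5 ' or '0x5'; only plain digits are safe.
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        return "severe"
    if len(set(cls)) > 1:
        return "severe"
    if cls and tes:
        return "ambiguous"
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return "ambiguous"
    return "compliant"


def should_forward(raw: bytes, mode: str = "strictest") -> bool:
    """Approximate the three ALB desync_mitigation_mode values:
    monitor forwards everything, defensive blocks only 'severe',
    strictest forwards only 'compliant'."""
    verdict = classify(raw)
    if mode == "monitor":
        return True
    if mode == "defensive":
        return verdict != "severe"
    if mode == "strictest":
        return verdict == "compliant"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample requests (not real traffic).
SAMPLES = {
    "clean_cl": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "clean_te": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n0\r\n\r\n",
    # CL.TE: front end trusts Content-Length, back end trusts chunked -> 'G' leaks
    "cl_te": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG",
    # TE.TE: second, obfuscated Transfer-Encoding only one hop understands
    "te_te": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n"
             b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
    "dup_cl_conflict": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
                       b"Content-Length: 6\r\n\r\nhello",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: app\r\n"
                          b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:20} {classify(req):10} "
              f"strictest={should_forward(req, 'strictest')} "
              f"defensive={should_forward(req, 'defensive')}")
```

The point the table of samples makes is the one the first reply warns about: `defensive` still forwards the CL.TE and TE.TE requests (it only drops the `severe` class), so only `strictest` actually refuses the classic smuggling shapes, at the cost of also refusing any legitimate client that sends both framing headers. The `ambiguous` rule is the same check the second answer suggests implementing in Nginx. If you want to set the two ALB attributes that answer names from the CLI, the call is `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <arn> --attributes Key=routing.http.desync_mitigation_mode,Value=strictest Key=routing.http.drop_invalid_header_fields.enabled,Value=true`, with `<arn>` being your own load balancer's ARN.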
First off, make sure to enable the "Drop Invalid Header Fields" on your ALB. That should be your top priority. Just a heads-up, using the strictest mode for the ALB's desync mitigation can block legitimate traffic, so it needs thorough testing before implementation. Ideally, you want to have encryption in transit, but keep in mind that it might introduce some risks down the line. By the way, do you already have a WAF set up? And how was this issue flagged? Manual tests or automated scans? It's important to know if this is a real vulnerability or not.

But why turn off chunked transfer encoding? That can break streaming for clients. It might just be better to reject requests when both headers are present.