New hacking technique may pave the way for other serious attacks

HTTP header smuggling attack against AWS API Gateway exposes systems to cache poisoning

A security researcher has explained how a weakness in the Amazon Web Services (AWS) API Gateway could be exploited via a HTTP header smuggling attack.

Daniel Thatcher, a researcher and penetration tester at Intruder, said in a blog post dated November 10 that header smuggling – a relevantly new form of request smuggling technique – can be used to hide HTTP request headers from select servers, while keeping them visible to others.

Tampering with the visibility of requests during a server chain can be lead to the successful deployment of malicious requests and request smuggling. Mismatching requests on back and frontend servers can potentially force the leak of data and secrets, as well as IP restriction bypass and cache poisoning.

Bypassing security controls

The header smuggling method created by Thatcher creates a mutation in a header request designed to be sent through to backend infrastructure without being processed by a trusted frontend service.

Thatcher says that while scanning bug bounty programs, he observed that APIs using the AWS API Gateway allowed header smuggling.

If an attacker appended characters to a header name after a space – for example, by switching X-My-Header: test to X-My-Header abcd: test, then a mutation occurs which causes Amazon’s security controls to be circumvented.

RELATED HTTP/2 flaws expose organizations to fresh wave of request smuggling attacks

In addition, the X-Forwarded-For header was being stripped and rewritten by a server on the front end, rendering it susceptible to similar tampering – and, therefore, AWS resource policies IP restriction bypass.

“Backend servers often rely on frontend servers providing accurate information in the HTTP request headers,” Thatcher says. “[To] provide this information accurately, frontend servers must filter out the values of these headers provided by the client, which are untrusted and cannot be relied upon to be accurate.”

However, when header smuggling is employed, these filters can be avoided, and information can be sent to backend systems where it is treated as trusted data.

Coordinated disclosure

Thatcher reported his findings to the AWS security team, and the IP circumvention issue was quickly resolved.

However, upon further testing, the cybersecurity researcher said it was still possible to smuggle headers to backend servers using the same mutation method and the Host header, causing an “easily exploitable cache poisoning issue”.

Read more of the latest hacking techniques

During a penetration test, the researcher also found a similar IP restriction bypass issue in AWS Cognito, an AWS resource access and control application.

In this case, the vulnerability is considered “very minor” as it permitted attackers to make a total of only 10 forgotten password requests before a suspect IP address was blocked.

Thatcher thanked the AWS team for their rapid response, noting that the group is working “very fast to resolve the vulnerabilities considering the scale of their infrastructure”.

The Daily Swig has reached out to the AWS team. This article will be updated when we hear back.

RECOMMENDED Node.js was vulnerable to a novel HTTP request smuggling technique