New research: AWS API Gateway could be exploited via an HTTP header smuggling attack

Recent research details a method to exploit a security flaw in the Amazon Web Services (AWS) API Gateway through an HTTP header smuggling attack. Daniel Thatcher, the pentesting specialist who authored the report, points out that a threat actor can use this flaw to hide HTTP request headers from certain servers while keeping them visible to others.

Manipulating which servers see a given header could allow malicious requests to be delivered and requests to be smuggled. Parsing discrepancies between front-end and back-end servers could lead to the leakage of potentially sensitive data, in addition to the circumvention of IP restrictions and attack variants such as cache poisoning.

The attack detailed by the researcher depends on placing a mutated header in a specially crafted request that a trusted front-end service then forwards to the raw back-end infrastructure. While analyzing bug bounty programs, Thatcher mentions having found that APIs using AWS API Gateway would allow headers to be smuggled.

If an attacker could add characters to the name of a header after a space, for example by changing X-My-Header:test to X-My-Header abcd:test, the resulting mutation would allow the security controls set by AWS to be evaded. In addition, a front-end server that was deleting and rewriting the X-Forwarded-For header was vulnerable to the same manipulation, which allowed IP restrictions to be bypassed.
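The following is an added detection example, not code from the report or from AWS. It models the parsing discrepancy described above: a strict front end treats a field-name containing whitespace as an unknown header, while an assumed lenient back end truncates the name at the first space and so collapses "X-Forwarded-For abcd" into "X-Forwarded-For"; the sample request is constructed for illustration.

```python
import re

# Only RFC 7230 "token" characters may appear in a header field-name;
# whitespace is never allowed, so a name containing a space is malformed.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def header_lines(raw: bytes):
    """Yield the header lines of a raw HTTP/1.1 request (after the request line)."""
    for line in raw.split(b"\r\n")[1:]:
        if not line:          # the blank line ends the header section
            return
        yield line

def parse_strict(raw: bytes) -> dict:
    """Front-end model: a malformed field-name is not recognised as any known
    header, so it is kept under its literal (mutated) name and left untouched."""
    headers = {}
    for line in header_lines(raw):
        name, _, value = line.partition(b":")
        key = name.decode("latin-1").lower()           # literal name, space and all
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers

def parse_lenient(raw: bytes) -> dict:
    """Assumed back-end model: the field-name is cut at the first whitespace,
    so 'X-Forwarded-For abcd' is merged into 'X-Forwarded-For'."""
    headers = {}
    for line in header_lines(raw):
        name, _, value = line.partition(b":")
        key = name.split()[0].decode("latin-1").lower() if name.strip() else ""
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers

def find_smuggled_headers(raw: bytes) -> list:
    """Detection rule: report every header line whose field-name is not a valid
    token, paired with the name a lenient back end would recover from it."""
    found = []
    for line in header_lines(raw):
        name = line.partition(b":")[0].decode("latin-1")
        if not _TOKEN.match(name):
            collapsed = name.split()[0].lower() if name.split() else ""
            found.append((name, collapsed))
    return found

# Constructed sample: a legitimate X-Forwarded-For plus the mutated variant.
SAMPLE = (b"GET /api/reset-password HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"X-Forwarded-For: 203.0.113.5\r\n"
          b"X-Forwarded-For abcd: 198.51.100.9\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(find_smuggled_headers(SAMPLE))   # [('X-Forwarded-For abcd', 'x-forwarded-for')]
```

A front end that only rewrites headers whose name matches exactly would leave the mutated line alone, which is why the two parsers disagree on the value of X-Forwarded-For; rejecting any request whose field-names fail the token check removes the discrepancy.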

The researcher reported his findings to AWS, whose security teams quickly addressed the IP restriction bypass. However, shortly afterwards Thatcher pointed out that it was still possible to smuggle headers to back-end servers.

During his tests, the researcher also found a similar IP restriction bypass in AWS Cognito, AWS's user authentication and access control service for applications. In this case, the vulnerability is considered lower risk, as it allowed attackers to make a total of only 10 forgotten-password requests before the suspicious IP address was blocked.
