Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Why is a request with URL containing ../../../ rejected with 400 by Application Load Balancer?

0

I have an Angular webapp talking to a .NET backend. One of my endpoints takes a user defined id as part of the URL, i.e. /owner/config/{id}

When testing locally on my PC, this all works exactly as expected, but when deployed to AWS (ECS) I am getting some URLs rejected, but only with specific configurations of id's. The requests appear to be getting rejected by the Application Load Balancer as the log shows they are not forwarded to the target.

Note, I URI encode the id component to cater for reserved characters such as /

I have enabled the load balancer logs and see some unexpected behaviour.

idLogged RequestStatus code
testGET https://client.mydomain.com:443/owner/config/test HTTP/2.0200
../../testGET https://client.mydomain.com:443/owner/config/..%2F..%2Ftest HTTP/2.0200
../../../testGET https://client.mydomain.com:443- HTTP/2.0400

The requests with two sets of ../ work fine, but with three the log shows a - for the subdirectory part of the url and returns a 400. As far as I can tell, the URL is correctly formed.

The load balancer listener rules are very simple, it checks the "HTTP Host Header" matches "client.mydomain.com" and forwards it to the AWS target group. There is a default rule to return 503 if no other rules are matched, so it's not hitting that.

I have also tested from Postman to rule out any Angular peculiarities but get the same results. I've tried manually encoding the "periods" to %2E, but this had no effect either.

Topics
Networking & Content Delivery
Tags
Application Load BalancerNetworking & Content Delivery
Language
English
asked 2 years ago702 views
5 Answers
0

What's the full request path you're sending in the third scenario? If it's /owner/config/../../../test then you're trying to backtrack from the root level, after the first ".." removed "config" and the second removed "owner", making the request not valid.

EXPERT
answered 2 years ago
0

the full request path is https://client.mydomain.com:443/owner/config/..%2f..%2F..%2Ftest I would expect AWS not to treat this as a backtrack as it is URI encoded.

If I only have two ../ in the path, e.g. https://client.mydomain.com:443/owner/config/..%2F..%2Ftest it hits my service at the correct endpoint, so appears not to have gone back two steps.

answered 2 years ago
0

The ALB won't modify the path, so if the request is allowed to pass through, it's up to the target application or middleware to decide how to interpret the encoded slashes and ".." path elements.

I believe backtracking three levels when there are only two in the path is the reason the request is being considered as invalid. You could try setting "routing.http.desync_mitigation_mode" on the ALB to "monitor" (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes) to minimise the number of validation tests the ALB performs. I'm not sure if it affects the path parsing behaviour, but that's easy to test. In the console, it's on the "Attributes" tab of the load balancer's settings with the name "Desync mitigation mode".

EXPERT
answered 2 years ago
0

Thank you for the info. I have just tried changing the desync_mitigation_mode to "monitor" and it still fails with the same issue. I'm not sure how to work around this, I guess either limit my UI to prevent entry of an invalid id, or base64 encode the id

answered 2 years ago
0

Too bad it didn't help. I don't believe there's anything more about ALB's request validation rules that can be relaxed. The workaround you described of encoding the value in Base64 would certainly avoid having the ALB parse it as a directory structure.

EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content