GlobalAccelerator+ALB: internal name disclosure vulnerability?


Hi, we have a Global Accelerator in front of a private ALB as the single entry point for our applications. We noticed that, under some circumstances, the internal ALB name can be revealed:

$ telnet 3.xxx.yyy.41 80
Trying 3.xxx.yyy.41...
Connected to 3.xxx.yyy.41.
Escape character is '^]'.
GET /images HTTP/1.0

HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Thu, 18 May 2023 08:54:23 GMT
Content-Type: text/html
Content-Length: 134
Connection: close
Location: https://internal-konvoy-prod-alb-xxxxxyyyyyyzzzz.eu-south-1.elb.amazonaws.com:443/images

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
</body>
</html>
Connection closed by foreign host.

or:

$ curl -v -0 -H "Host:" http://3.xxx.yyy.41/images
*   Trying 3.xxx.yyy.41:80...
* TCP_NODELAY set
* Connected to 3.xxx.yyy.41 (3.xxx.yyy.41) port 80 (#0)
> GET /images HTTP/1.0
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: awselb/2.0
< Date: Thu, 18 May 2023 09:00:53 GMT
< Content-Type: text/html
< Content-Length: 134
< Connection: close
< Location: https://internal-konvoy-prod-alb-xxxxxyyyyyyzzzz.eu-south-1.elb.amazonaws.com:443/images
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
</body>
</html>
* Closing connection

As far as I know, this is a security vulnerability classified as CVE-2000-0649 and, in general, a bad practice.

mimmus
asked a year ago · 325 views
1 Answer

Accepted Answer

The scenario you've described indeed exposes the internal ALB name in the 'Location' header when a 301 redirect is issued. While not a critical vulnerability, it provides unnecessary information that could potentially be used in sophisticated attacks.

This seems to be the default behavior of ALB when handling redirects. To mitigate this, you have a few options:

ALB Listener Rule: Add a Listener Rule on your ALB to handle the HTTP to HTTPS redirection, instead of having your backend do it. This way, the ALB name should not be exposed in the location header.

Lambda@Edge: Use Lambda@Edge on CloudFront to modify the headers to strip out any sensitive information.

Nginx Proxy: If you're using an Nginx server, you can use it as a proxy and modify the 'Location' header to avoid exposing the internal hostname.

EXPERT
answered a year ago
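The probe from the question, turned into a repeatable check, as an added example that is not code from the original question or answer. It sends the same HTTP/1.0 request without a Host header that `curl -0 -H "Host:"` sends, parses the redirect, and flags a Location hostname that should have stayed internal. The hostname patterns, the `www.example.com` name in the "fixed" sample and the `probe()` target are assumptions; the leaking sample response is copied from the post with its redacted characters left as-is.

```python
"""Check whether a redirect leaks an internal load-balancer hostname.

Added example, not code from the original post. Sends an HTTP/1.0 request
with no Host header (what curl -0 -H "Host:" does) and inspects the
Location header of the redirect for a hostname that should stay internal.
"""
import re
import socket
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames that should never appear in a public response. Assumption: the
# deployment's internal names follow AWS's ELB naming; RFC 1918 addresses
# are flagged as well.
INTERNAL_HOST_PATTERNS = (
    re.compile(r"^internal-.*\.elb\.amazonaws\.com$", re.I),
    re.compile(r"\.elb\.amazonaws\.com$", re.I),
    re.compile(r"\.internal$", re.I),
    re.compile(r"^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)"),
)


def build_probe(path: str = "/") -> bytes:
    """HTTP/1.0 request with no Host header, as in the question's telnet/curl runs."""
    return (
        f"GET {path} HTTP/1.0\r\nUser-Agent: leak-probe/1.0\r\nAccept: */*\r\n\r\n"
    ).encode()


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def leaked_internal_host(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Hostname from the Location header if it matches an internal pattern, else None."""
    if status not in (301, 302, 303, 307, 308):
        return None
    host = urlsplit(headers.get("location", "")).hostname or ""
    if any(p.search(host) for p in INTERNAL_HOST_PATTERNS):
        return host
    return None


def probe(address: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> Optional[str]:
    """Send the probe over TCP (needs network) and return the leaked hostname, if any."""
    with socket.create_connection((address, port), timeout=timeout) as sock:
        sock.sendall(build_probe(path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    status, headers = parse_response(b"".join(chunks))
    return leaked_internal_host(status, headers)


# Constructed sample: the leaking redirect from the post, redactions kept.
SAMPLE_LEAK = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: awselb/2.0\r\n"
    b"Date: Thu, 18 May 2023 08:54:23 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 134\r\n"
    b"Connection: close\r\n"
    b"Location: https://internal-konvoy-prod-alb-xxxxxyyyyyyzzzz.eu-south-1.elb.amazonaws.com:443/images\r\n"
    b"\r\n"
    b"<html><body>301 Moved Permanently</body></html>"
)

# Constructed sample: the same redirect once the listener rule uses a fixed
# public hostname (www.example.com is an assumed name).
SAMPLE_FIXED = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: awselb/2.0\r\n"
    b"Connection: close\r\n"
    b"Location: https://www.example.com:443/images\r\n"
    b"\r\n"
)


def check_sample(raw: bytes) -> Optional[str]:
    """Run the leak check on a captured response."""
    return leaked_internal_host(*parse_response(raw))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], path="/images"))  # live check against an address you own
    else:
        print("leak sample:", check_sample(SAMPLE_LEAK))
        print("fixed sample:", check_sample(SAMPLE_FIXED))
```

Run it with no arguments to see the two samples classified, or with an address you are authorized to test. For the listener-rule option in the answer, the ALB redirect action's Host field defaults to the `#{host}` placeholder, which is what reproduces the request's (missing) Host header; setting it to a fixed public hostname is what turns the first sample into the second. The nginx option maps to its `proxy_redirect` directive, which rewrites Location headers coming back from the upstream.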
