Handle HTTP Request Smuggling in API Gateway

0

Hello,

I have a Spring Boot application with API endpoints exposed. The EC2 instance is integrated with API Gateway via NLBs and ALBs. My security team has raised a Request Smuggling vulnerability in my API endpoint.

I cannot afford the migration to HTTP/2 and have to continue with HTTP/1.1 only. Is there any way I can reject the requests in API Gateway by validating the Content-Length and Transfer-Encoding headers, so that the request does not reach my server?

1 Answer
0

You haven't mentioned which type of API Gateway you're using (REST or HTTP).

If using a REST API Gateway, you can validate the request, including the headers. So to prevent request smuggling you could block requests that have a "Transfer-Encoding" header set to "chunked".

AWS
EXPERT
answered 8 months ago
  • We also encountered the same issue during a security assessment. It appears that the AWS API gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested or enable WAF on the API gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API gateways inherently drop the Transfer-Encoding header.
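Since the comment above reports that the gateway-level header validation could not be relied on, the remaining place to refuse ambiguously framed HTTP/1.1 requests is the Spring Boot application itself. The following servlet filter is an added example written for this thread, not AWS or Spring code; it assumes Spring Boot 3 (jakarta.servlet) and rejects requests that carry both Content-Length and Transfer-Encoding, multiple Content-Length values, a non-numeric Content-Length, or any Transfer-Encoding other than a plain "chunked".

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter for the Spring Boot app in the question (not AWS or Spring code).
// Assumes Spring Boot 3 (jakarta.*); on Boot 2 the imports are javax.servlet.*.
@Component
public class FramingGuardFilter extends OncePerRequestFilter {
    /** Returns a rejection reason, or null when the framing headers are unambiguous. */
    static String framingProblem(List<String> contentLengths, List<String> transferEncodings) {
        if (!contentLengths.isEmpty() && !transferEncodings.isEmpty()) {
            // CL.TE / TE.CL: two parsers on the path may choose different body lengths.
            return "both Content-Length and Transfer-Encoding present";
        }
        if (contentLengths.size() > 1) {
            return "multiple Content-Length headers";
        }
        if (contentLengths.size() == 1 && !contentLengths.get(0).trim().matches("\\d+")) {
            return "malformed Content-Length";
        }
        for (String te : transferEncodings) {
            // RFC 9112: "chunked" must be the final coding; odd spellings or extra
            // codings are a sign that some hop will parse the body differently.
            if (!te.trim().toLowerCase(Locale.ROOT).equals("chunked")) {
                return "unexpected Transfer-Encoding: " + te;
            }
        }
        return null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String problem = framingProblem(Collections.list(req.getHeaders("Content-Length")),
                                        Collections.list(req.getHeaders("Transfer-Encoding")));
        if (problem != null) {
            res.setHeader("Connection", "close"); // do not reuse a socket that may hold leftover bytes
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "ambiguous request framing: " + problem);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter runs after the embedded container has already parsed the request, so it only refuses requests that an upstream hop forwarded with conflicting headers; it does not fix a desync between the load balancer and the container itself, which is why both ends of the connection still need to agree on HTTP/1.1 framing.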
