thypon
May 17, 2022 · 11 tweets
AWS story of a special security issue.

TL;DR I discovered an HTTP Header Smuggling
affecting AWS ELB Cache mechanism;
The Brave team helped triage it,
AWS fixed the issue.

Happily ever after!

A thread 🧵 1/N.
This August @albinowax published research related to
HTTP/2 smuggling vulnerabilities. Most of the research revolves
around fiddling with HTTP/1.1 and HTTP/2 conversion.

Reference:

- portswigger.net/research/http2

- intruder.io/research/pract…

Thread 🧵 2/N.
A bit of background: HTTP/1.1 is a textual protocol,
HTTP/2 employs binary framing instead.
Reverse proxies are there to enable interoperability between
old protocols and newer and shinier ones;
frequently with catastrophic results.

Thread 🧵 3/N.
Back to the research. Immediately after the publication, I started
fiddling with this particular special security issue family,
but I did not find any vulnerable instance at that time;
back then, I was working at @Doyensec <3.

Thread 🧵 4/N.
In October, I joined the @brave security team;
at that time, I was getting up to speed while testing the internal apps
that are the core of the Brave web experience.

Thread 🧵 5/N.
While testing rate-limiter protection,
I noticed that when forcing HTTP/1 requests and injecting
a space after `X-Forwarded-For`, I was able to override this specific
header, letting me impersonate any IP.

Thread 🧵 6/N.
The END

Or maybe not?

Thread 🧵 7/N.
At that time, I supposed that the reach of this special security issue
was only related to some of our weird reverse proxy configurations.

It was not!

Thread 🧵 8/N.
We discovered we could override any internal
header, including the ones that should not be exposed/forwarded by the client, such as
`CloudFront-Viewer-Country-Region` or any other `CloudFront` enhanced header.

Thread 🧵 9/N.
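Tweets 6 and 9 describe the same root cause: a header the client writes as `X-Forwarded-For ` (trailing space before the colon) passes one hop untouched and is then folded onto the real `X-Forwarded-For` by a more tolerant parser downstream, so the client's value wins. The following is an added example, not code from the thread, from Brave or from AWS. It models the tolerant parse beside a strict RFC 7230 parse, and shows the edge-side strip-and-reset that makes such a quirk harmless: a trusted proxy drops every client-supplied header it owns and sets its own value. The `EDGE_OWNED_PREFIXES` policy list, the function names and the two sample requests are constructed for this example.

```python
from __future__ import annotations
import re

# RFC 7230 §3.2 defines field-name as a token; §3.2.4 forbids whitespace between
# the field-name and ":" and says a message containing it must be rejected.
# A hop that forwards "X-Forwarded-For : 10.0.0.1" unchanged, in front of a hop
# that trims the name, lets a client overwrite a header the edge was meant to own.
TCHAR_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Assumed policy for this example: anything under these prefixes is set only by
# the trusted edge and never accepted from the client. The CloudFront-* prefix
# mirrors the header names in the thread; the list itself is constructed here.
EDGE_OWNED_PREFIXES = ("x-forwarded-", "cloudfront-")


class BadHeader(ValueError):
    """Raised for a header block a strict HTTP/1.1 parser must reject."""


def _header_lines(raw: bytes) -> list[str]:
    """Lines of the header block, request line and blank terminator excluded."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [ln for ln in head.split("\r\n")[1:] if ln]


def lenient_header_names(raw: bytes) -> list[str]:
    """Model of a tolerant backend: trims around the name, so the smuggled
    'X-Forwarded-For ' silently collapses onto the real header name."""
    return [ln.partition(":")[0].strip().lower() for ln in _header_lines(raw)]


def parse_headers_strict(raw: bytes) -> list[tuple[str, str]]:
    """Strict RFC 7230 parse: reject obs-fold and any whitespace before the colon."""
    out = []
    for ln in _header_lines(raw):
        if ln[0] in " \t":
            raise BadHeader("obsolete line folding is not accepted")
        name, sep, value = ln.partition(":")
        if not sep:
            raise BadHeader(f"no colon in header line {ln!r}")
        if not TCHAR_TOKEN.match(name):
            raise BadHeader(f"invalid field-name {name!r} (whitespace or bad char)")
        out.append((name.lower(), value.strip()))
    return out


def is_strictly_parseable(raw: bytes) -> bool:
    """True if the header block passes the strict parser."""
    try:
        parse_headers_strict(raw)
        return True
    except BadHeader:
        return False


def sanitize_at_edge(headers: list[tuple[str, str]], client_ip: str) -> list[tuple[str, str]]:
    """Drop every client-supplied edge-owned header, then set the trusted value.
    Done at the edge, a downstream normalisation quirk has nothing left to promote."""
    kept = [(n, v) for n, v in headers if not n.startswith(EDGE_OWNED_PREFIXES)]
    kept.append(("x-forwarded-for", client_ip))
    return kept


def edge_process(raw: bytes, client_ip: str) -> list[tuple[str, str]]:
    """Full edge path: strict parse, then strip and re-set edge-owned headers."""
    return sanitize_at_edge(parse_headers_strict(raw), client_ip)


# Constructed sample requests for the example (not captured traffic).
SMUGGLED = (b"GET /api HTTP/1.1\r\nHost: app.example\r\n"
            b"X-Forwarded-For : 10.0.0.1\r\n\r\n")
SPOOFED = (b"GET /api HTTP/1.1\r\nHost: app.example\r\n"
           b"CloudFront-Viewer-Country-Region: XX\r\n"
           b"X-Forwarded-For: 10.0.0.1\r\n\r\n")

if __name__ == "__main__":
    print(lenient_header_names(SMUGGLED))        # tolerant hop sees 'x-forwarded-for'
    print(is_strictly_parseable(SMUGGLED))       # strict hop rejects the message
    print(edge_process(SPOOFED, "203.0.113.7"))  # spoofed headers dropped, real IP set
```

The useful check in a real deployment is the first two calls run against the same request at every hop: if one component accepts what another rejects, the disagreement is the bug, independent of which headers happen to be trusted today. The strip-and-reset step is what should be verified end to end, since the thread shows that trusting the client to omit internal headers is not a control.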
We pinpointed the specific vulnerable AWS EC2 Cache setting.
This special security issue was affecting all AWS users with that specific setting enabled.

Thread 🧵 10/N.
The AWS team helped pinpoint and fix the special security issue promptly! Thanks all!

- 11/24/21 Initial public disclosure
- 11/25/21 AWS started an internal investigation
- 01/29/22 AWS deployed the fix

Thread 🧵 11/N.
