Average request header size reduced

firetail:average-request-header-size-reduced

Type:

Detection

Rule Severity:

Info

The average request header size during a given period was <= the mean average - one standard deviation of the preceding period.

The average request header size has significantly decreased during a given period, falling below the mean average minus one standard deviation from the preceding period. This reduction could indicate several potential causes, such as changes in the client-side application, updates to API endpoints, or possibly malicious behavior. A sudden decrease in header size may also suggest that important authentication, session, or other necessary headers are being omitted or stripped, which could affect the API's functionality and security.

Remediation

Investigate what has caused the request headers sent to this API to decrease significantly in size.
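
One way to reproduce the rule's comparison offline and see which headers account for the drop. This Python sketch is an added example, not FireTail's implementation. The size metric (name + value + 4 bytes per header), the population standard deviation over per-request sizes, the 0.5 presence-drop cutoff and all sample requests are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def header_size(headers):
    # Assumed metric: bytes of "Name: value\r\n" for every header in the request.
    return sum(len(k) + len(v) + 4 for k, v in headers.items())

def evaluate(previous, current):
    """previous/current: lists of header dicts, one dict per request."""
    prev_sizes = [header_size(h) for h in previous]
    threshold = mean(prev_sizes) - pstdev(prev_sizes)   # mean minus one std dev
    current_avg = mean(header_size(h) for h in current)
    return {"threshold": threshold, "current_avg": current_avg,
            "triggered": current_avg <= threshold}

def presence(requests):
    # Fraction of requests carrying each header name (case-insensitive).
    counts = {}
    for headers in requests:
        for name in {k.lower() for k in headers}:
            counts[name] = counts.get(name, 0) + 1
    return {name: c / len(requests) for name, c in counts.items()}

def dropped_headers(previous, current, min_drop=0.5):
    # Header names whose presence fell by at least min_drop between periods.
    before, after = presence(previous), presence(current)
    return sorted(n for n, p in before.items() if p - after.get(n, 0.0) >= min_drop)

# Constructed sample traffic (not real data).
FULL = {
    "Host": "api.example.test",
    "User-Agent": "client/1.0",
    "Content-Type": "application/json",
    "Authorization": "Bearer " + "x" * 40,
    "Cookie": "session=" + "y" * 32,
}
NO_COOKIE = {k: v for k, v in FULL.items() if k != "Cookie"}
STRIPPED = {k: v for k, v in FULL.items() if k not in ("Authorization", "Cookie")}

PREVIOUS = [FULL] * 8 + [NO_COOKIE] * 2   # preceding period
CURRENT = [STRIPPED] * 9 + [FULL]         # period under evaluation

if __name__ == "__main__":
    print(evaluate(PREVIOUS, CURRENT))
    print("headers that largely disappeared:", dropped_headers(PREVIOUS, CURRENT))
```

If the names that disappear are authentication or session headers, check whether the affected endpoints still rejected those requests.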

Example Attack Scenario

An attacker may try to exploit the reduction in request headers by intentionally omitting certain headers, such as authentication tokens or session cookies, to bypass security controls. For example:

  • Bypassing Authentication: If an attacker manipulates the headers to exclude an authentication token or session ID, the request may appear as though it is coming from an unauthenticated user. This could allow unauthorized access to sensitive data or functionality that would typically require authentication.
  • Exploitation of Missing Data: If certain headers such as Content-Type are missing, the server may behave unexpectedly, for example by processing data incorrectly or executing unwanted operations, potentially causing vulnerabilities or errors.
  • Denial of Service (DoS): A reduction in headers could also be a tactic to manipulate the behavior of the API, such as causing errors or making the server handle malformed requests that could eventually lead to resource exhaustion.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications