AWS ALB has insecure desync mitigation mode

firetail:aws-alb-desync-not-defensive-or-strictiest

Type:

CSPM

Rule Severity:

Info

The AWS Application Load Balancer (ALB) is not configured with an adequate desync mitigation mode.

This leaves it exposed to HTTP request smuggling (desync) attacks. These attacks exploit disagreements between the load balancer and its backends about where one HTTP request ends and the next begins, and can allow attackers to bypass security controls, inject malicious payloads, or compromise backend systems. An insecure desync mitigation mode increases the risk that an attacker uses your Application Load Balancer to carry out HTTP desync attacks, which can lead to unauthorized access, data breaches, service disruption, or manipulation of traffic flows.

Remediation

Reconfigure the Application Load Balancer to use either the defensive or strictest desync mitigation mode to protect against HTTP desynchronization attacks. These settings make the ALB reject or normalize ambiguous requests and minimize parsing discrepancies between the load balancer and its backends.
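As an added example (not part of this finding page or of FireTail's own rule engine), a small Python check that evaluates the attribute list returned by `aws elbv2 describe-load-balancer-attributes` against this rule and builds the matching `modify-load-balancer-attributes` call. The ARN and attribute values below are constructed samples; the attribute key `routing.http.desync_mitigation_mode` and its values `monitor`, `defensive` and `strictest` are the ELBv2 API's own, and an ALB with no explicit setting is treated as `defensive`, the AWS default.

```python
import json

# ELBv2 attribute key and values for ALB desync mitigation.
DESYNC_KEY = "routing.http.desync_mitigation_mode"
COMPLIANT_MODES = {"defensive", "strictest"}
# An ALB with no explicit attribute runs with the AWS default, "defensive".
DEFAULT_MODE = "defensive"


def desync_mode(attributes):
    """Return the desync mode from a list of {"Key", "Value"} dicts, the shape
    of the Attributes array from `aws elbv2 describe-load-balancer-attributes`."""
    for attr in attributes:
        if attr.get("Key") == DESYNC_KEY:
            return attr.get("Value", DEFAULT_MODE)
    return DEFAULT_MODE


def evaluate(load_balancer_arn, attributes):
    """Classify one ALB against this rule: compliant only in defensive/strictest."""
    mode = desync_mode(attributes)
    return {"arn": load_balancer_arn, "mode": mode, "compliant": mode in COMPLIANT_MODES}


def remediation_command(load_balancer_arn, mode="defensive"):
    """Build the AWS CLI call that sets a compliant mode on the given ALB."""
    if mode not in COMPLIANT_MODES:
        raise ValueError(f"mode must be one of {sorted(COMPLIANT_MODES)}")
    return (
        "aws elbv2 modify-load-balancer-attributes "
        f"--load-balancer-arn {load_balancer_arn} "
        f"--attributes Key={DESYNC_KEY},Value={mode}"
    )


# Constructed sample: describe-load-balancer-attributes output for an ALB left in
# "monitor" mode. The ARN is a placeholder, not a real resource.
SAMPLE_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
              "loadbalancer/app/example-alb/0123456789abcdef")
SAMPLE_RESPONSE = json.loads("""{"Attributes": [
  {"Key": "routing.http.desync_mitigation_mode", "Value": "monitor"},
  {"Key": "deletion_protection.enabled", "Value": "false"}
]}""")

if __name__ == "__main__":
    finding = evaluate(SAMPLE_ARN, SAMPLE_RESPONSE["Attributes"])
    print(finding)
    if not finding["compliant"]:
        print(remediation_command(finding["arn"]))
```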
