Invalid or malformed HTTP headers can be exploited by attackers to bypass security controls, manipulate traffic, or inject malicious payloads. Allowing such headers increases the risk of HTTP smuggling attacks, header injection, and potential backend system vulnerabilities.
When invalid HTTP headers are accepted, attackers can exploit ambiguities in how different components parse those headers, potentially leading to unauthorized access, data breaches, and service disruptions. Additionally, the lack of header validation compromises the integrity and security of backend services that trust what the load balancer forwards.
An attacker sends a specially crafted HTTP request with malformed headers to the ALB. The request exploits discrepancies in how the ALB and backend services parse headers, leading to an HTTP smuggling attack. By chaining this exploit, the attacker gains unauthorized access to backend systems or injects malicious payloads into valid requests.
After enabling the Drop Invalid Header Fields setting, the ALB discards any request with malformed headers, effectively neutralizing this attack vector.
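The following is an added example (not part of the original page or AWS's own code) that models the ALB's validity rule for header names, which AWS documents as alphanumeric characters and hyphens only, and adds an audit helper that reads the attribute shape returned by `aws elbv2 describe-load-balancer-attributes` to confirm the `routing.http.drop_invalid_header_fields.enabled` attribute is set. The header sample and attribute sets are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Real ALB attribute key controlling "Drop Invalid Header Fields";
# its value is the string "true" or "false" (default is "false").
DROP_INVALID_HEADERS_ATTR = "routing.http.drop_invalid_header_fields.enabled"

# Header names the ALB treats as valid: alphanumeric characters and hyphens only.
VALID_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def is_valid_header_name(name: str) -> bool:
    """Return True if the header name passes the ALB's validity rule."""
    return bool(VALID_HEADER_NAME.match(name))


def partition_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a request's headers into those forwarded to targets and the
    names removed when drop_invalid_header_fields is enabled."""
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_valid_header_name(name):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def drop_setting_enabled(describe_output: dict) -> bool:
    """Audit helper: inspect the {"Attributes": [{"Key":..., "Value":...}]}
    shape returned by describe-load-balancer-attributes. A missing
    attribute is reported as disabled, matching the ALB default."""
    for attr in describe_output.get("Attributes", []):
        if attr.get("Key") == DROP_INVALID_HEADERS_ATTR:
            return str(attr.get("Value", "false")).lower() == "true"
    return False


# Constructed sample request: two header names break the rule (space, underscore).
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "X-Forwarded-For": "203.0.113.5",
    "X Debug Flag": "1",
    "X_Session_Id": "abc123",
}

# Constructed attribute sets: the weak default beside the hardened setting.
WEAK_ATTRS = {"Attributes": [{"Key": DROP_INVALID_HEADERS_ATTR, "Value": "false"}]}
HARDENED_ATTRS = {"Attributes": [{"Key": DROP_INVALID_HEADERS_ATTR, "Value": "true"}]}

if __name__ == "__main__":
    kept, dropped = partition_headers(SAMPLE_HEADERS)
    print("forwarded:", sorted(kept), "removed:", dropped)
    print("weak config compliant:", drop_setting_enabled(WEAK_ATTRS))
    print("hardened config compliant:", drop_setting_enabled(HARDENED_ATTRS))
```

The setting itself is turned on with `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <ALB-ARN> --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true`, and the audit helper reads the output of the matching `describe-load-balancer-attributes` call.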