AWS API Gateway “Header-Smuggling” Flaw Discovered And Fixed

Intruder researcher and penetration tester Daniel Thatcher has disclosed an AWS API Gateway flaw that allowed him to bypass the API Gateway’s IP address restrictions and carry out a cache-poisoning attack using so-called HTTP header smuggling. Yariv Shivek, VP of Product at Neosec, had this to say:

     “When working with B2B partners, many companies use IP address whitelisting over the more cumbersome implementation of mTLS (mutual transport layer security). In this case, IP whitelisting was bypassed using request header smuggling.”

     “The bigger picture here is that we keep seeing security controls evaded and bypassed, which in turn speaks to the importance of monitoring API usage.”

     “Since bad actors will eventually get to your APIs and use them, the question then becomes one of visibility: Will you be able to see the abnormal usage patterns in order to shut them down?”

AWS has since fixed the vulnerability, so it is no longer exploitable. It is still worth discussing, though, as security issues of this kind cannot simply be swept under the rug.
