Application Load Balancer Has Invalid Desync Mitigation Mode
Overview
Check whether the Application Load Balancer is configured to use the defensive or strictest desync mitigation mode. If it is not, check whether the "drop_invalid_header_fields" attribute is enabled. HTTP desync issues can lead to request smuggling, leaving your applications susceptible to request queue or cache poisoning, which in turn could lead to credential compromise or the execution of unauthorized commands. It is advisable to ensure that the Application Load Balancer is configured with the defensive or strictest desync mitigation mode, or that the "drop_invalid_header_fields" attribute is enabled.
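The decision logic of this check, as an added example rather than the original rule's implementation: it evaluates the attribute list that the ELBv2 API returns from describe_load_balancer_attributes (the attribute keys routing.http.desync_mitigation_mode and routing.http.drop_invalid_header_fields.enabled are the real ones; the sample attribute lists are constructed).

```python
from typing import Dict, List

# Real ELBv2 load balancer attribute keys. Documented desync mitigation
# modes are "monitor", "defensive" and "strictest".
DESYNC_KEY = "routing.http.desync_mitigation_mode"
DROP_INVALID_KEY = "routing.http.drop_invalid_header_fields.enabled"
COMPLIANT_MODES = {"defensive", "strictest"}


def attributes_to_dict(attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the API's [{"Key": ..., "Value": ...}, ...] list into a dict."""
    return {a["Key"]: a["Value"] for a in attributes}


def evaluate_desync_mitigation(attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Apply the rule: PASS when the mode is defensive or strictest; otherwise
    PASS only if invalid header fields are dropped; FAIL in every other case."""
    attrs = attributes_to_dict(attributes)
    mode = attrs.get(DESYNC_KEY, "").lower() or "unset"
    drops_invalid = attrs.get(DROP_INVALID_KEY, "false").lower() == "true"
    if mode in COMPLIANT_MODES:
        return {"status": "PASS", "reason": f"desync mitigation mode is {mode}"}
    if drops_invalid:
        return {"status": "PASS",
                "reason": f"mode is {mode} but {DROP_INVALID_KEY} is true"}
    return {"status": "FAIL",
            "reason": f"mode is {mode} and {DROP_INVALID_KEY} is not true"}


def check_load_balancer(elbv2_client, load_balancer_arn: str) -> Dict[str, str]:
    """Fetch attributes with a boto3 ELBv2 client and evaluate them (needs AWS access)."""
    resp = elbv2_client.describe_load_balancer_attributes(LoadBalancerArn=load_balancer_arn)
    return evaluate_desync_mitigation(resp["Attributes"])


# Constructed sample attribute lists shaped like the API response.
SAMPLE_MONITOR_ONLY = [{"Key": DESYNC_KEY, "Value": "monitor"},
                       {"Key": DROP_INVALID_KEY, "Value": "false"}]
SAMPLE_STRICTEST = [{"Key": DESYNC_KEY, "Value": "strictest"},
                    {"Key": DROP_INVALID_KEY, "Value": "false"}]
SAMPLE_MONITOR_WITH_DROP = [{"Key": DESYNC_KEY, "Value": "monitor"},
                            {"Key": DROP_INVALID_KEY, "Value": "true"}]

if __name__ == "__main__":
    for name, sample in [("monitor only", SAMPLE_MONITOR_ONLY),
                         ("strictest", SAMPLE_STRICTEST),
                         ("monitor + drop invalid", SAMPLE_MONITOR_WITH_DROP)]:
        print(f"{name}: {evaluate_desync_mitigation(sample)}")
```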
Vendor
AWS
Cloud Service
ELBv2
References
https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-12
Severity
3
Item Types
AWS::ElasticLoadBalancingV2::LoadBalancer