Injection via invalid HTTP headers forwarded in AWS ALB configuration

Medium Risk injection
aws, alb, load-balancer, http-headers, injection, security-bypass, cache-poisoning

What it is

Application Load Balancers (ALBs) that do not drop invalid HTTP headers can forward malformed headers to backend services, potentially enabling header injection attacks, cache poisoning, and bypassing security controls. This vulnerability occurs when the ALB is configured to forward non-RFC-compliant headers rather than dropping them at the load balancer level.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Application Load Balancers that are not configured to drop invalid HTTP headers forward non-RFC-compliant headers unchanged to backend services. This creates opportunities for header injection attacks and security control bypasses.

Root causes

Invalid Header Forwarding Enabled

The ALB is not configured to drop invalid HTTP headers, so non-RFC-compliant headers are forwarded unchanged to backend services, creating opportunities for header injection attacks and security control bypasses.

Missing Terraform Configuration

ALB resources in Terraform lack the drop_invalid_header_fields attribute set to true in the load balancer configuration. Without this explicit setting, malformed headers are forwarded by default.

Insecure Default Configuration

Default AWS ALB configuration accepts and forwards malformed headers for backwards compatibility. Without explicitly enabling header validation, ALBs pass through potentially dangerous header values to backend applications.

Missing Load Balancer Layer Validation

Organizations lack header validation at the load balancer layer, relying solely on backend application security. This misses the opportunity to filter malicious headers before they reach application code.

Insufficient Backend Input Sanitization

Backend applications don't implement robust header validation and sanitization, assuming the load balancer filters malicious input. This single point of failure becomes a vulnerability when ALB header dropping isn't enabled.

Fixes

1. Enable Header Dropping in Terraform

Set drop_invalid_header_fields = true in the aws_lb resource configuration. This configures the ALB to drop invalid HTTP headers at the load balancer layer, preventing malformed headers from reaching backend services and reducing the injection attack surface.

2. Configure LoadBalancerAttributes in CloudFormation

Add LoadBalancerAttributes to your ALB resource with Key: routing.http.drop_invalid_header_fields.enabled and Value: 'true'. This ensures invalid headers are dropped at the load balancer level before forwarding to targets, providing consistent security across CloudFormation deployments.

3. Implement Backend Header Validation

Add comprehensive header validation and sanitization in backend applications as defense-in-depth protection. Validate header names against RFC 7230 patterns, check for CRLF injection attempts, and reject requests with malformed headers. This provides secondary protection if load balancer configurations are misconfigured.

4. Enable CloudWatch Monitoring for Header Anomalies

Configure CloudWatch Logs Insights queries and metric filters to detect patterns of invalid header attempts in ALB access logs. Set up alarms that trigger when thresholds are exceeded, enabling detection and alerting on potential header injection attack campaigns.
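As an added example (not code from the original page or from Sourcery), the backend validation of fix 3 in Python: header names are checked against the RFC 7230 token grammar, values are rejected on CRLF or other control bytes, and a second check mirrors the stricter alphanumeric-and-hyphen name rule AWS documents for the ALB option, so that backend and load balancer agree on what is invalid. The sample requests are constructed for the example.

```python
import re
from typing import Dict, List

# RFC 7230 section 3.2.6: token = 1*tchar
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# field-value: visible ASCII, SP, HTAB and obs-text (0x80-0xFF); CR, LF, NUL and
# other control bytes are not permitted anywhere in a value.
FIELD_VALUE_RE = re.compile(r"[\x21-\x7E\x80-\xFF \t]*")
# Name rule AWS documents for drop_invalid_header_fields: alphanumerics and hyphens only.
# It is stricter than the RFC token grammar (underscores, for example, are dropped).
ALB_NAME_RE = re.compile(r"[0-9A-Za-z-]+")


def is_valid_header_name(name: str) -> bool:
    # fullmatch, not match: "$" would otherwise accept a trailing newline
    return TOKEN_RE.fullmatch(name) is not None


def is_valid_header_value(value: str) -> bool:
    return FIELD_VALUE_RE.fullmatch(value) is not None


def alb_would_drop(name: str) -> bool:
    """True if an ALB with header dropping enabled would remove this header."""
    return ALB_NAME_RE.fullmatch(name) is None


def validate_headers(headers: Dict[str, str]) -> List[str]:
    """Return rejection reasons; an empty list means the request may proceed."""
    problems: List[str] = []
    for name, value in headers.items():
        if not is_valid_header_name(name):
            problems.append(f"invalid header name: {name!r}")
        if "\r" in value or "\n" in value:
            problems.append(f"CRLF in value of {name!r}")  # the injection pattern fix 3 names
        elif not is_valid_header_value(value):
            problems.append(f"control or non-printable byte in value of {name!r}")
    return problems


def should_accept(headers: Dict[str, str]) -> bool:
    return not validate_headers(headers)


# Constructed sample requests (not captured traffic)
CLEAN_REQUEST = {"Host": "app.example.com", "X-Request-Id": "abc-123", "Accept": "*/*"}
MALFORMED_REQUEST = {
    "Host": "app.example.com",
    "X Forwarded For": "10.0.0.1",        # space in the name: not an RFC 7230 token
    "X-Inject": "ok\r\nSet-Cookie: a=b",  # CRLF inside a value
    "X-Ctl": "bad\x00value",              # NUL byte inside a value
}
```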

Detect This Vulnerability in Your Code

Sourcery automatically identifies injection via invalid HTTP headers forwarded in AWS ALB configuration and many other security issues in your codebase.