ALB Not Dropping Invalid Headers
- Query id: 6e3fd2ed-5c83-4c68-9679-7700d224d379
- Query name: ALB Not Dropping Invalid Headers
- Platform: Terraform
- Severity: Medium
- Category: Best Practices
- CWE: 693
- URL: Github
Description¶
It's considered a best practice when using Application Load Balancers to drop invalid header fields
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_alb" "disabled_1" {
internal = false
load_balancer_type = "application"
name = "alb"
subnets = module.vpc.public_subnets
}
resource "aws_alb" "disabled_2" {
internal = false
load_balancer_type = "application"
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = false
}
Positive test num. 2 - tf file
resource "aws_lb" "disabled_1" {
internal = false
load_balancer_type = "application"
name = "alb"
subnets = module.vpc.public_subnets
}
resource "aws_lb" "disabled_2" {
internal = false
load_balancer_type = "application"
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = false
}
Positive test num. 3 - tf file
resource "aws_alb" "disabled_1" {
internal = false
name = "alb"
subnets = module.vpc.public_subnets
}
resource "aws_lb" "disabled_2" {
internal = false
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = false
}
Positive test num. 4 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
load_balancer_type = "application"
drop_invalid_header_fields = false
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}
Positive test num. 5 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
load_balancer_type = "application"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}
Positive test num. 6 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_alb" "enabled" {
internal = false
load_balancer_type = "application"
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = true
}
Negative test num. 2 - tf file
resource "aws_lb" "enabled" {
internal = false
load_balancer_type = "application"
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = true
}
Negative test num. 3 - tf file
resource "aws_alb" "enabled" {
internal = false
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = true
}
resource "aws_lb" "enabled" {
internal = false
name = "alb"
subnets = module.vpc.public_subnets
drop_invalid_header_fields = true
}
Negative test num. 4 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
load_balancer_type = "application"
drop_invalid_header_fields = true
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}
Negative test num. 5 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
drop_invalid_header_fields = true
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}