Summary
While testing rate-limiter protection, The researcher noticed that when forcing HTTP/1 requests and injecting
a space after `X-Forwarded-For` he was able to override this specific header, letting him impersonate any IP.
Any internal header could have beem overridden, also the one that should not be exposed/forwarded by the
client, such as `CloudFront-Viewer-Country-Region` or any other `CloudFront` enhanced header.
This special security issue was affecting all AWS users with that a specific setting enabled.
Affected Services
ELB
Tracked CVEs
No tracked CVEs
References
https://twitter.com/nJoyneer/status/1526593840928411650https://raw.globalsecuritydatabase.org/GSD-2022-1002524
Contributed by https://github.com/mhgeay
Entry Status
Finalized
Disclosure Date
Sun, Jan 24th, 2021
Exploitablity Period
Fixed on 2022/01/29
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Andrea Brancaleoni, Brave
