Merge pull request #726 from 0xdabbad00/check_alb_for_request_smuggling

Check alb for request smuggling
duo-labs · Jun 19, 2020 · 399bb87 · 399bb87
2 parents b61782a + 57f62f3
commit 399bb87
Show file tree

Hide file tree

Showing 8 changed files with 82 additions and 4 deletions.
diff --git a/account-data/demo/us-east-1/accessanalzyer-list-analyzers.json b/account-data/demo/us-east-1/accessanalzyer-list-analyzers.json
@@ -0,0 +1,14 @@
+{
+    "analyzers": [
+        {
+            "arn": "arn:aws:access-analyzer:us-east-1:000000000000:analyzer/default",
+            "createdAt": "2020-06-19T21:20:04Z",
+            "lastResourceAnalyzed": "arn:aws:sqs:us-east-1:000000000000:test",
+            "lastResourceAnalyzedAt": "2020-06-19T21:20:04.664Z",
+            "name": "default",
+            "status": "ACTIVE",
+            "tags": {},
+            "type": "ACCOUNT"
+        }
+    ]
+}
diff --git a/...ws%3Aelasticloadbalancing%3Aus-east-1%3A123456789012%3Aloadbalancer%2Fapp%2Fdemo%2Fqwerty b/...ws%3Aelasticloadbalancing%3Aus-east-1%3A123456789012%3Aloadbalancer%2Fapp%2Fdemo%2Fqwerty
@@ -0,0 +1,32 @@
+{
+    "Attributes": [
+        {
+            "Key": "access_logs.s3.enabled",
+            "Value": "false"
+        },
+        {
+            "Key": "access_logs.s3.bucket",
+            "Value": ""
+        },
+        {
+            "Key": "access_logs.s3.prefix",
+            "Value": ""
+        },
+        {
+            "Key": "idle_timeout.timeout_seconds",
+            "Value": "60"
+        },
+        {
+            "Key": "deletion_protection.enabled",
+            "Value": "false"
+        },
+        {
+            "Key": "routing.http2.enabled",
+            "Value": "true"
+        },
+        {
+            "Key": "routing.http.drop_invalid_header_fields.enabled",
+            "Value": "false"
+        }
+    ]
+}
diff --git a/audit_config.yaml b/audit_config.yaml
@@ -382,4 +382,10 @@ ACCESSANALYZER_OFF:
   title: Access Analyzer off
   description: Access Analyzer is a free service that can tell you when resources are public or shared with unexpected accounts.
   severity: Medium
-  group: AccessAnalyzer
+  group: AccessAnalyzer
+
+REQUEST_SMUGGLING:
+  title: Request smuggling not denied
+  description: "HTTP request smuggling is possible against ALBs, as described here: https://99designs.com/blog/engineering/request-smuggling/"
+  severity: Low
+  group: ELB
diff --git a/cloudmapper.py b/cloudmapper.py
@@ -30,7 +30,7 @@
 import pkgutil
 import importlib
 
-__version__ = "2.9.0"
+__version__ = "2.9.1"
 
 
 def show_help(commands):

diff --git a/collect_commands.yaml b/collect_commands.yaml
@@ -152,6 +152,11 @@
   Parameters:
   - Name: TargetGroupArn
     Value: elbv2-describe-target-groups/*|.TargetGroups[].TargetGroupArn
+- Service: elbv2
+  Request: describe-load-balancer-attributes
+  Parameters:
+  - Name: LoadBalancerArn
+    Value: elbv2-describe-load-balancers.json|.LoadBalancers[].LoadBalancerArn
 - Service: elbv2
   Request: describe-tags
   Parameters:

diff --git a/requirements.txt b/requirements.txt
@@ -19,7 +19,7 @@ mock==4.0.2
 netaddr==0.7.19
 nose==1.3.7
 pandas==1.0.4
-parliament==0.4.14
+parliament==0.5.0
 policyuniverse==1.1.0.1
 pycodestyle==2.5.0
 pyflakes==2.2.0

diff --git a/shared/audit.py b/shared/audit.py
@@ -834,6 +834,25 @@ def audit_ec2(findings, region):
                 )
 
 
+def audit_elbv2(findings, region):
+    json_blob = query_aws(region.account, "elbv2-describe-load-balancers", region)
+
+    for load_balancer in json_blob.get("LoadBalancers", []):
+        arn = load_balancer["LoadBalancerArn"]
+
+        # Check attributes
+        attributes_json = get_parameter_file(
+            region, "elbv2", "describe-load-balancer-attributes", arn
+        )
+
+        for attribute in attributes_json.get("Attributes", []):
+            if (
+                attribute["Key"] == "routing.http.drop_invalid_header_fields.enabled"
+                and attribute["Value"] == "false"
+            ):
+                findings.add(Finding(region, "REQUEST_SMUGGLING", arn))
+
+
 def audit_sg(findings, region):
     # TODO Check if security groups allow large CIDR range (ex. 1.2.3.4/3)
     # TODO Check if an SG restricts IPv4 and then opens IPv6 or vice versa.
@@ -1143,6 +1162,7 @@ def audit(accounts):
                 audit_redshift(findings, region)
                 audit_es(findings, region)
                 audit_ec2(findings, region)
+                audit_elbv2(findings, region)
                 audit_sg(findings, region)
                 audit_lambda(findings, region)
                 audit_glacier(findings, region)

diff --git a/tests/unit/test_audit.py b/tests/unit/test_audit.py
@@ -46,7 +46,8 @@ def test_audit(self):
                     "EC2_OLD",
                     "IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL",
                     "IAM_LINTER",
-                    "EC2_IMDSV2_NOT_ENFORCED"
+                    "EC2_IMDSV2_NOT_ENFORCED",
+                    "REQUEST_SMUGGLING"
                 ]
             ),
         )