Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixed BadBotParser DoS. Updated Source IP extraction logic from event #123



Copy link

Issue #, if available: -

Description of changes:

File "aws-waf-security-automations/source/access-handler/" is responsible for processing requests hitting the BadBotHoneypotEndpoint. Following line in the code is responsible for extracting IP address from the event object:

221         source_ip = event['headers']['X-Forwarded-For'].split(',')[0].strip()

If a malicious user crafts a request to this endpoint by passing an X-Forwarded-For header set to a random IP address, this handler blacklists the user supplied IP address instead of blacklisting the actual source IP address. When I checked CloudWatch logs for the requests sent with an 'X-Forwarded-For' header, I saw that the headers were set to 'X-Forwarded-For': [‘, X.X.X.X,’], where X.X.X.X was my actual IP address and was the user-supplied IP address. The Lambda code will split the string by commas into an array and picked the [0] element for blacklisting. Hence, it will pick the user-supplied IP address from the HTTP header and send it for blacklisting.

The Fix:

To fix this vulnerability, I have updated the code to extract the source IP address as follows:

221         source_ip = event['requestContext']['identity']['sourceIp']

This is a much reliable source for identifying the correct IP address for the bad bot and is not vulnerable to spoofing through XFF header.

I notified regarding this issue. They have acknowledged it and requested me to open a PR here for quick closure.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Copy link

plygrnd commented Feb 25, 2020

I'm from AWS Security, and I approve this message. 👏

Copy link

Thanks you for your contribution. We have added your request to our solution backlog items and it will be considered in future solution releases.

Copy link

rakshb commented Jun 15, 2020

Hello @ameyanekar We have addressed this issue and fixed it in V2.3.3 released recently

Copy link

Thanks @rakshb for the update! Closing this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

4 participants