Fixed BadBotParser DoS. Updated Source IP extraction logic from event #123
Issue #, if available: -
Description of changes:
The file "aws-waf-security-automations/source/access-handler/access-handler.py" is responsible for processing requests hitting the BadBotHoneypotEndpoint. The following line in the code is responsible for extracting the IP address from the event object:
If a malicious user crafts a request to this endpoint by passing an X-Forwarded-For header set to a random IP address, this handler blacklists the user-supplied IP address instead of blacklisting the actual source IP address. When I checked CloudWatch logs for the requests sent with an 'X-Forwarded-For' header, I saw that the headers were set to 'X-Forwarded-For': ['2.3.4.5, X.X.X.X, 130.176.20.90'], where X.X.X.X was my actual IP address and 2.3.4.5 was the user-supplied IP address. The Lambda code splits the string by commas into an array and picks the [0] element for blacklisting. Hence, it picks the user-supplied IP address from the HTTP header and sends it for blacklisting.
The Fix:
To fix this vulnerability, I have updated the code to extract the source IP address as follows:
This is a much more reliable source for identifying the correct IP address for the bad bot and is not vulnerable to spoofing through the XFF header.
I notified aws-security@amazon.com regarding this issue. They have acknowledged it and asked me to open a PR here for quick closure.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
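The spoofable extraction the PR describes, beside a hardened lookup, as an added example (not the PR's or the project's own code). It assumes an API Gateway Lambda proxy event in which requestContext.identity.sourceIp holds the connection peer address, and the trusted-hop count in the XFF variant depends on your own proxy chain; the page does not show the PR's actual replacement line.

```python
# Added example, not the PR's own code: the spoofable extractor described
# above next to two safer alternatives. The event below is constructed to
# mirror the author's log line ('2.3.4.5, X.X.X.X, 130.176.20.90'); the
# requestContext field is an assumption about API Gateway proxy events and
# is not shown on this page as the PR's actual fix.
PEER_IP = "198.51.100.7"          # placeholder for the author's real IP X.X.X.X
CLOUDFRONT_IP = "130.176.20.90"   # last hop in the author's captured header
SPOOFED_IP = "2.3.4.5"            # value the client put in X-Forwarded-For

CONSTRUCTED_EVENT = {
    "headers": {"X-Forwarded-For": f"{SPOOFED_IP}, {PEER_IP}, {CLOUDFRONT_IP}"},
    "requestContext": {"identity": {"sourceIp": PEER_IP}},
}


def _header(event, name):
    """Case-insensitive header lookup; API Gateway does not normalise header case."""
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return ""


def extract_ip_vulnerable(event):
    """Pre-fix behaviour: first XFF element, i.e. whatever the client chose to send."""
    return _header(event, "X-Forwarded-For").split(",")[0].strip()


def extract_ip_hardened(event):
    """Use the TCP peer recorded by API Gateway; return None rather than block on a guess."""
    try:
        return event["requestContext"]["identity"]["sourceIp"]
    except (KeyError, TypeError):
        return None


def extract_ip_from_xff(event, trusted_hops):
    """General XFF rule: each trusted proxy appends the address it received the
    connection from, so with `trusted_hops` trusted proxies in front of Lambda the
    real peer is the trusted_hops-th entry from the right. Anything left of it is
    client-controlled and must not be used for blocking decisions."""
    parts = [p.strip() for p in _header(event, "X-Forwarded-For").split(",") if p.strip()]
    if trusted_hops < 1 or len(parts) < trusted_hops:
        return None
    return parts[-trusted_hops]
```

For the author's CloudFront-then-API-Gateway chain, two trusted hops yields the peer address, while the vulnerable extractor returns the attacker-chosen 2.3.4.5.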