
AWS ALB Host Header Attack


I'm trying to find a way to stop a host header attack from happening on my ALB. My load balancer takes care of redirecting port 80 to 443, and that is where the attack is possible. Right now the only way I can see of doing it is adding each of my domains in manually and then having the default rule be a 503, instead of the default rule redirecting whatever the host is to 443. However, I have a lot of domains and it seems like there should be an easier way to do this.

Can anyone think of a way to protect against host header manipulation in ALB?


Solution

  • If you're trying to prevent at the ALB you only have 2 options.

    The first option is to edit the rules of the listeners on the ALB and whitelist each of the hosts that you would like to allow to forward to your target group and then for the default action have it return a response from the ALB itself.

    The second option is to attach a WAF to the load balancer and add a ruleset to whitelist the host headers, with the default being to block the request (returning a 403) to the user.

    Both of these options would require you to maintain the list of hostnames to reject all other requests.

    In addition, you could configure the web server software (if you're using one), e.g. Apache, Nginx, etc., to return a 403 on the default host (this is normally the first host). By doing this, any requests that reach the server without a valid header will hit this first host configuration, which could by default return a 403.
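As an added example (not part of the answer above), the first option scripted for a long domain list: the allow list is normalised, split into host-header rules, and the listener default action is replaced by a fixed 503 from the ALB. The listener ARN is a placeholder, the sample domains are constructed, and the five-values-per-rule chunk size is my assumption about the ALB listener-rule quota.

```python
import json

MAX_VALUES_PER_RULE = 5  # assumed ALB quota: condition values per rule


def normalise_host(domain):
    """Lower-case, strip whitespace and a trailing dot; reject obvious junk."""
    host = domain.strip().lower().rstrip(".")
    if not host or any(c.isspace() for c in host):
        raise ValueError(f"invalid hostname: {domain!r}")
    return host


def redirect_to_https_action():
    """Action for the port-80 listener: only allowed hosts get redirected."""
    return {"Type": "redirect", "RedirectConfig": {
        "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}


def forward_action(target_group_arn):
    """Action for the port-443 listener: only allowed hosts reach the app."""
    return {"Type": "forward", "TargetGroupArn": target_group_arn}


def default_deny_action(status_code="503"):
    """Listener default action: unknown Host values are answered by the ALB."""
    return {"Type": "fixed-response", "FixedResponseConfig": {
        "StatusCode": status_code, "ContentType": "text/plain",
        "MessageBody": "unknown host"}}


def build_host_rules(domains, action, first_priority=10):
    """One host-header rule per chunk of the de-duplicated allow list.
    '*' in a value relies on ALB wildcard support in host-header conditions."""
    hosts = sorted({normalise_host(d) for d in domains})
    rules = []
    for i in range(0, len(hosts), MAX_VALUES_PER_RULE):
        rules.append({"Priority": first_priority + len(rules),
                      "Conditions": [{"Field": "host-header", "HostHeaderConfig": {
                          "Values": hosts[i:i + MAX_VALUES_PER_RULE]}}],
                      "Actions": [action]})
    return rules


def render_cli(listener_arn, rules, default_action):
    """aws-cli calls that create the rules and set the deny default action."""
    cmds = [f"aws elbv2 create-rule --listener-arn {listener_arn} --priority "
            f"{r['Priority']} --conditions '{json.dumps(r['Conditions'])}' "
            f"--actions '{json.dumps(r['Actions'])}'" for r in rules]
    cmds.append(f"aws elbv2 modify-listener --listener-arn {listener_arn} "
                f"--default-actions '{json.dumps([default_action])}'")
    return cmds


if __name__ == "__main__":  # constructed sample allow list, placeholder ARN
    allowed = ["www.example.com", "Example.com.", "api.example.com",
               "*.example.net", "app.example.org", "shop.example.org"]
    rules = build_host_rules(allowed, redirect_to_https_action())
    print("\n".join(render_cli("<HTTP_LISTENER_ARN>", rules, default_deny_action())))
```

Run the same `build_host_rules` with `forward_action(<TARGET_GROUP_ARN>)` against the 443 listener so both listeners reject unknown hosts.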