From 229d9ba00c779940f8955b49612984932d732a18 Mon Sep 17 00:00:00 2001
From: Josh Moss <45637452+Outrun207@users.noreply.github.com>
Date: Thu, 20 May 2021 12:36:30 -0400
Subject: [PATCH 1/2] ALB Header Check
---
 checks/check_extra7142 | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 checks/check_extra7142
diff --git a/checks/check_extra7142 b/checks/check_extra7142
new file mode 100644
index 00000000..4e42eb26
--- /dev/null
+++ b/checks/check_extra7142
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra7142="7.142"
+CHECK_TITLE_extra7142="[extra7142] Check if Application Load Balancer is dropping invalid packets to prevent header based http request smuggling"
+CHECK_SCORED_extra7142="NOT_SCORED"
+CHECK_TYPE_extra7142="EXTRA"
+CHECK_SEVERITY_extra7142="Medium"
+CHECK_ASFF_RESOURCE_TYPE_extra7142="AwsElasticLoadBalancingV2LoadBalancer"
+CHECK_ALTERNATE_check7142="extra7142"
+CHECK_ASFF_COMPLIANCE_TYPE_extra7142=""
+CHECK_SERVICENAME_extra7142="elb"
+
+extra7142(){
+ for regx in $REGIONS; do
+ LIST_OF_ELBSV2=$($AWSCLI elbv2 describe-load-balancers $PROFILE_OPT --region $regx --query 'LoadBalancers[?Type == `application`].[LoadBalancerArn]' --output text)
+ if [[ $LIST_OF_ELBSV2 ]];then
+ for alb in $LIST_OF_ELBSV2;do
+ CHECK_IF_DROP_INVALID_HEADER_FIELDS=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $alb --query 'Attributes[6]' --output text|grep -i true)
+ if [[ $CHECK_IF_DROP_INVALID_HEADER_FIELDS ]];then
+ textPass "Application Load Balancer $alb is dropping invalid header fields"
+ else
+ textFail "Application Load Balancer $alb is not dropping invalid header fields"
+ fi
+ done
+ else
+ textInfo "no ALBs found"
+ fi
+ done
+}
\ No newline at end of file
From e3893c7d5b259c85c6731adffa3d611683b79827 Mon Sep 17 00:00:00 2001
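Review bot: The `--query 'Attributes[6]'` in the CHECK_IF_DROP_INVALID_HEADER_FIELDS assignment selects the attribute by its position in the response rather than by key, so the result depends on an ordering the API does not promise to keep, and the following `grep -i true` would then accept a `true` belonging to a different attribute such as deletion protection or access logging, turning a real finding into a pass. Select the attribute by name and compare the value exactly: `--query "Attributes[?Key=='routing.http.drop_invalid_header_fields.enabled'].Value" --output text` with no grep, followed by `if [[ $CHECK_IF_DROP_INVALID_HEADER_FIELDS == true ]];then`. The same line is carried unchanged as context into the second commit's hunk. The title also speaks of "invalid packets" where the attribute and the result messages concern invalid header fields; `CHECK_TITLE_extra7142="[extra7142] Check if Application Load Balancer is dropping invalid header fields to prevent header based http request smuggling"` would describe what the check actually tests.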
From: Josh Moss <45637452+Outrun207@users.noreply.github.com>
Date: Tue, 25 May 2021 13:49:27 -0400
Subject: [PATCH 2/2] Update check_extra7142
---
 checks/check_extra7142 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/checks/check_extra7142 b/checks/check_extra7142
index 4e42eb26..9822fce2 100644
--- a/checks/check_extra7142
+++ b/checks/check_extra7142
@@ -27,13 +27,13 @@ extra7142(){
 for alb in $LIST_OF_ELBSV2;do
 CHECK_IF_DROP_INVALID_HEADER_FIELDS=$($AWSCLI elbv2 describe-load-balancer-attributes $PROFILE_OPT --region $regx --load-balancer-arn $alb --query 'Attributes[6]' --output text|grep -i true)
 if [[ $CHECK_IF_DROP_INVALID_HEADER_FIELDS ]];then
- textPass "Application Load Balancer $alb is dropping invalid header fields"
+ textPass "$regx: Application Load Balancer $alb is dropping invalid header fields." "$regx" "$alb"
 else
- textFail "Application Load Balancer $alb is not dropping invalid header fields"
+ textFail "$regx: Application Load Balancer $alb is not dropping invalid header fields" "$regx" "$alb"
 fi
 done
 else
- textInfo "no ALBs found"
+ textInfo "$regx: no ALBs found"
 fi
 done
-}
\ No newline at end of file
+}
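Review bot: The two result messages added here are inconsistent: the textPass string ends with a period while the textFail string does not, which matters when findings are compared or grouped by message text; drop it so both read alike, `textPass "$regx: Application Load Balancer $alb is dropping invalid header fields" "$regx" "$alb"`. The textInfo call gains the region prefix but, unlike the textPass and textFail calls beside it, still passes no `"$regx"` argument; if textInfo accepts the same optional region parameter it should receive it for the same reporting reason. The opening of extra7142 and its region loop lie outside the hunk.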