Add content from: Navigating Lax Load Balancers: When an Intersection Gets You...

This commit is contained in:
HackTricks News Bot
2026-05-25 14:55:45 +00:00
parent 8cb43f6b52
commit aa93024621
@@ -215,6 +215,8 @@ In the following page you can check how to **abuse SSM permissions to achieve pe
**Elastic Load Balancing** (ELB) is a **load-balancing service for Amazon Web Services** (AWS) deployments. ELB automatically **distributes incoming application traffic** and scales resources to meet traffic demands.
For **Application Load Balancers (ALBs)**, the listener rules, authentication actions, header handling, and the alternative paths to the same targets are part of the **security boundary**. Review the full path **CloudFront --> ALB/NLB --> listeners --> rules --> target groups --> instances/IPs/ports/security groups**, not only one listener rule in isolation.
### Enumeration
```bash
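Review bot: the review path on the new second line of this hunk, `CloudFront --> ALB/NLB --> listeners --> rules --> target groups`, puts rules after an NLB, but listener rule conditions (host, path, header, query, `source-ip`) and the `authenticate-oidc`/`authenticate-cognito` actions exist only on ALB listeners; an NLB listener carries a single default action to a target group, so `describe-rules` against it has nothing to shadow or bypass. Suggest wording it as `ALB listeners --> rules --> target groups` and treating an NLB as a separate, rule-less route to the same target group, which is exactly the alternate-path case the later `source-ip` section describes.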
@@ -226,6 +228,81 @@ aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Sche
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
aws elbv2 describe-listeners --load-balancer-arn <load_balancer_arn>
aws elbv2 describe-rules --listener-arn <listener_arn>
aws elbv2 describe-target-groups --load-balancer-arn <load_balancer_arn>
aws elbv2 describe-target-health --target-group-arn <target_group_arn>
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load_balancer_arn>
```
### ELB / ALB Exposure & Access-Control Bypasses
#### CloudFront / WAF bypass via direct ALB origin access
If a **CloudFront** distribution fronts an **internet-facing ALB** but the ALB security group still allows public inbound traffic, an attacker can often **request the ALB DNS name directly** and bypass **CloudFront WAF, geo restrictions, rate limits, and cache-layer controls**.
```bash
# Test the origin directly
curl -isk https://<alb-dns-name>/
# If the ALB routes on Host, replay the expected hostname directly to the ALB
curl -isk https://<alb-dns-name>/ -H 'Host: app.example.com'
```
**Audit notes:**
- Enumerate CloudFront distributions and their origins, then check whether the origin ALB is still **internet-facing**.
- Review the ALB **security groups**. If inbound traffic is allowed from `0.0.0.0/0` or broad CIDRs, CloudFront is probably not the only reachable path.
- A direct **non-error** response from the ALB usually means the CloudFront/WAF layer is bypassable.
**Hardening:** If CloudFront should be the only entry point, allow inbound traffic to the ALB only from the AWS-managed prefix list **`com.amazonaws.global.cloudfront.origin-facing`**.
#### Listener rule shadowing / auth bypass
ALB rules are evaluated in **ascending priority order**. A **broader** rule with a **lower priority number** can capture traffic before a restrictive rule with `authenticate-oidc`, `authenticate-cognito`, or `source-ip` is ever reached.
```text
[10] path /* -> forward -> tg-app
[20] path /admin* -> authenticate-oidc -> tg-app
```
A request to `/admin` matches `/*` first, so the authentication action never runs.
**Audit notes:**
- Dump every listener and rule with `aws elbv2 describe-rules --listener-arn <listener_arn>`.
- Walk rules in ascending priority order and check whether a broad **host/path/header/query** condition matches traffic that should have hit a more restrictive rule first.
- Treat listener ordering like middleware ordering: **first matching rule wins**.
#### `source-ip` restrictions can be bypassed through alternate paths
A `source-ip` condition only protects the **specific listener rule** where it is configured. If the **same target group**, the **same backend IPs/instances**, or the **same service on another port** is reachable through another ALB, another listener, or an NLB with weaker controls, the IP allowlist can often be bypassed by using that alternate path.
**Audit notes:**
- For each restrictive rule, enumerate the **target group ARN** and the registered targets.
- Compare those targets against **all other listeners/load balancers** in the account/region.
- Also check for direct exposure via **public instance IPs**, permissive **security groups**, or additional listeners on ports such as `80`, `443`, `8080`, or `8443`.
A good mental model is: **protect the target, not only one route to the target**.
#### Client-controlled `X-Forwarded-For` trust
If `routing.http.xff_header_processing.mode` is set to **`preserve`** on an **internet-facing ALB**, the backend can receive an **attacker-supplied** `X-Forwarded-For` value unchanged. If the application trusts that header for **access control**, **rate limiting**, **logging**, or **monitoring**, the attacker may spoof the perceived client IP.
```bash
curl -isk https://<alb-dns-name>/ -H 'X-Forwarded-For: 127.0.0.1'
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load_balancer_arn>
```
Prefer `append` or `remove` on internet-facing ALBs, and avoid using client-controlled forwarding headers as an authorization primitive.
#### Useful tool
[**ELBaph**](https://github.com/doyensec/ELBaph) is a read-only auditor that models **ALBs, NLBs, listeners, rules, target groups, and targets as a routing graph** and then probes for reachable exposures.
```bash
elbaph scan --region us-east-1
elbaph scan --all-regions -p my-pentest-profile
```
## Launch Templates & Autoscaling Groups
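Review bot: the `X-Forwarded-For` subsection overstates what `append` buys you. In `append` mode the ALB keeps any client-supplied `X-Forwarded-For` value and appends the connecting IP as the last element, so a backend that reads the first (leftmost) entry is still spoofable with the `-H 'X-Forwarded-For: 127.0.0.1'` request shown a few lines earlier; only `remove` guarantees the backend sees an ALB-set value. The hardening sentence should say to use `remove`, or to read the rightmost ALB-appended entry, rather than "prefer `append` or `remove`". Two smaller points in the same hunk: `describe-rules` output is not guaranteed to come back sorted and the default rule reports `Priority: "default"`, so the "walk rules in ascending priority order" step needs an explicit sort, e.g. `aws elbv2 describe-rules --listener-arn <listener_arn> | jq '.Rules | sort_by((.Priority|tonumber?) // 1000000)'`; and the "direct non-error response from the ALB usually means the CloudFront/WAF layer is bypassable" check should be stated as a comparison against the same request sent through CloudFront, since a 403 from the ALB may come from a regional WAF attached to the ALB itself, and a 200 from the ALB may be the listener's default action rather than the application behind the expected `Host`.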
@@ -332,7 +409,12 @@ If a **VPN connection was stablished** you should search for **`.opvn`** config
## References
- [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html)
- [AWS Elastic Beanstalk and Amazon EC2 getting started](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html)
- [Doyensec - Navigating Lax Load Balancers: When an Intersection Gets You Inside](https://blog.doyensec.com/2026/05/25/cloudsectidbits-elbaph-alb.html)
- [AWS - Listener rules for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-rules.html)
- [AWS - HTTP headers and Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html)
- [AWS - CloudFront managed prefix list for origin-facing servers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html)
- [Doyensec - ELBaph](https://github.com/doyensec/ELBaph)
{{#include ../../../../banners/hacktricks-training.md}}
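Review bot: the two context entries at the top of the References block point at the same AWS Batch URL (`.../batch/latest/userguide/getting-started-ec2.html`) under two different titles, and the second title, "AWS Elastic Beanstalk and Amazon EC2 getting started", does not describe that page; since this hunk already edits the list, it is the moment to drop the duplicate or give it the URL its title refers to. The five new entries look consistent with the body: the prefix-list reference links `LocationsOfEdgeServers.html`, which is the page that documents `com.amazonaws.global.cloudfront.origin-facing`, and the Doyensec blog and ELBaph repository are the sources the new sections are built from.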