Findings
AWS ALB has insecure desync mitigation mode
Updated: June 19, 2025
Description
The AWS Application Load Balancer (ALB) is not configured with an adequate desync mitigation mode.
This leaves it vulnerable to HTTP request smuggling attacks. These attacks exploit inconsistencies between how the load balancer and its backend targets parse HTTP requests, and can allow attackers to bypass security controls, inject malicious payloads, or compromise backend systems. An insecure desync mitigation mode increases the risk of malicious actors exploiting your Application Load Balancer to execute HTTP desync attacks. These can lead to unauthorized access, data breaches, service disruptions, or manipulation of traffic flows.
Remediation
Reconfigure the Application Load Balancer to use either the defensive or the strictest desync mitigation mode to protect against HTTP desynchronization vulnerabilities. These modes make the ALB classify and reject ambiguous HTTP requests, minimizing parsing discrepancies between the load balancer and its targets.
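The following is an added example, not code from the original finding page or from any scanner or AWS tooling. It assumes the ALB attribute key `routing.http.desync_mitigation_mode` (documented values `monitor`, `defensive`, `strictest`) and the boto3 `elbv2` API shape for `describe_load_balancer_attributes` and `modify_load_balancer_attributes`. The `evaluate` and `remediation_attributes` helpers are pure functions over the attribute list, so they can be unit-tested offline against the constructed samples; `audit_account` is the optional live wrapper that walks every ALB in a region and, with `fix=True`, applies the remediation.

```python
"""Check (and optionally fix) the desync mitigation mode of AWS ALBs.

Added example; not part of the original finding. Assumes the ALB attribute
key `routing.http.desync_mitigation_mode` and the boto3 elbv2 client API.
"""

# Attribute key and the values this finding treats as secure.
DESYNC_ATTRIBUTE = "routing.http.desync_mitigation_mode"
SECURE_MODES = frozenset({"defensive", "strictest"})


def desync_mode(attributes):
    """Return the desync mitigation mode from a list of {'Key': ..., 'Value': ...}
    dicts (the shape of describe_load_balancer_attributes()['Attributes']),
    or None when the attribute is absent."""
    for attr in attributes:
        if attr.get("Key") == DESYNC_ATTRIBUTE:
            return attr.get("Value")
    return None


def evaluate(attributes):
    """Return (status, mode). 'PASS' only for defensive/strictest; 'monitor',
    an unexpected value, or a missing attribute all count as 'FAIL'."""
    mode = desync_mode(attributes)
    return ("PASS" if mode in SECURE_MODES else "FAIL", mode)


def remediation_attributes(mode="strictest"):
    """Build the Attributes payload for modify_load_balancer_attributes."""
    if mode not in SECURE_MODES:
        raise ValueError(f"refusing to set insecure desync mode {mode!r}")
    return [{"Key": DESYNC_ATTRIBUTE, "Value": mode}]


def audit_account(region=None, fix=False, target_mode="strictest"):
    """Walk every Application Load Balancer in a region using boto3 (needs
    network access and credentials) and map each ARN to (status, mode).
    With fix=True, failing ALBs are switched to target_mode."""
    import boto3  # imported here so the pure helpers above work without boto3

    elbv2 = boto3.client("elbv2", region_name=region)
    results = {}
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb.get("Type") != "application":
                continue  # NLBs/GWLBs do not expose this attribute
            arn = lb["LoadBalancerArn"]
            attrs = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
            status, mode = evaluate(attrs)
            if status == "FAIL" and fix:
                elbv2.modify_load_balancer_attributes(
                    LoadBalancerArn=arn, Attributes=remediation_attributes(target_mode)
                )
                status, mode = "REMEDIATED", target_mode
            results[arn] = (status, mode)
    return results


# Constructed samples mirroring describe_load_balancer_attributes output.
SAMPLE_MONITOR = [
    {"Key": "deletion_protection.enabled", "Value": "false"},
    {"Key": DESYNC_ATTRIBUTE, "Value": "monitor"},
]
SAMPLE_STRICTEST = [
    {"Key": "deletion_protection.enabled", "Value": "true"},
    {"Key": DESYNC_ATTRIBUTE, "Value": "strictest"},
]


if __name__ == "__main__":
    for name, sample in (("monitor", SAMPLE_MONITOR), ("strictest", SAMPLE_STRICTEST)):
        print(name, evaluate(sample))
```

The equivalent one-off fix with the AWS CLI is `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <ALB_ARN_PLACEHOLDER> --attributes Key=routing.http.desync_mitigation_mode,Value=strictest`. Note that `strictest` rejects requests that are not RFC 7230 compliant, so check ALB access logs for classification rejects after switching if clients send non-standard requests; `defensive` is the less disruptive of the two accepted modes.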
Security Frameworks
Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
- Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- Review and update the baseline configuration of the system:
  - [Assignment: organization-defined frequency];
  - When required due to [Assignment: organization-defined circumstances]; and
  - When system components are installed or upgraded.