ALBeast is a critical vulnerability that allows attackers to bypass authentication and authorization in AWS ALB-based applications. Learn how to mitigate this risk and protect your applications from exploitation.
Miggo Research has discovered a configuration-based vulnerability called ALBeast, which can bypass authentication mechanisms in applications using AWS Application Load Balancer (ALB), compromising applications’ confidentiality, integrity, and availability.
ALB is a type of load balancer that operates at the application layer (Layer 7) of the OSI model. It distributes incoming application traffic across multiple targets, such as EC2 instances, containers, or IP addresses, based on the content of the request. This helps to improve the scalability, reliability, and fault tolerance of web applications.
ALBeast is a misconfiguration and implementation issue in AWS ALB user authentication, leading to unauthorized access to business resources, data breaches, and data exfiltration. It can impact applications relying on AWS ALB for user authentication, particularly those not adhering to updated AWS documentation.
“This vulnerability allows attackers to directly access affected applications, particularly if they are exposed to the internet,” Miggo researchers noted.
Miggo Research has identified over 15,000 potentially vulnerable ALBs and applications using AWS ALB’s authentication feature out of 371,000 analyzed ALBs. Researchers detected that around 95% of implementations and open-source projects lacked signer validation implementation, and many didn’t restrict access according to recommendations. Two AWS ALB authentication mechanisms, OIDC using IdP and AWS Cognito, were identified as making applications vulnerable.
The following steps demonstrate how an attacker can exploit ALBeast:
- Creating a malicious ALB: The attacker sets up their own ALB configured with authentication.
- Forging a token: They sign a token with full control over its claims.
- Altering ALB configuration: They manipulate the issuer field to match the victim’s expected issuer.
- Exploiting trust: AWS signs the attacker’s token with the victim’s issuer, essentially validating it.
- Bypassing defenses: The forged token is used against the victim’s application, bypassing authentication and authorization.
“ALBeast underscores the risks associated with distributed application architecture and the need for a new class of detection methods to prevent similar exploits,” said Daniel Shechter, CEO and Co-founder, Miggo.
Miggo Research reported the issue to the AWS security team in April and AWS updated the authentication feature documentation in May 2024, adding new code to validate the signer, the AWS ALB instance that signs the token. Miggo Research also worked with AWS to contact affected organizations and provide support where needed.
ALBeast can potentially impact any application using AWS ALB user authentication, regardless of the environment (AWS, other cloud providers, or on-premises). Traditional security tools may struggle to detect this vulnerability due to the complexity of modern application architectures.
AWS categorizes this vulnerability under the shared responsibility model, requiring customers to update applications, review configurations, and ensure security group configurations restrict access to their applications, as per updated AWS documentation.
To mitigate ALBeast risk, organizations should verify the token signer and restrict traffic to only accept traffic from trusted ALB instances, ensuring applications verify the ALB instance responsible for signing the token.
