Desync mitigation check on ELBv1 (#807)

audit_config.yaml

@@ -388,3 +388,9 @@ REQUEST_SMUGGLING:
   description: "HTTP request smuggling is possible against ALBs, as described here: https://portswigger.net/web-security/request-smuggling"
   severity: Low
   group: ELB
+
+ELBV1_DESYNC_MITIGATION:
+  title: Desync mitigation mode not configured
+  description: "Desync mitigation mode protects your application from issues due to HTTP Desync and should be set to 'Strictest'. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html"
+  severity: Low
+  group: ELB

collect_commands.yaml

@@ -133,6 +133,11 @@
     Value: rds-describe-db-instances.json|.DBInstances[]?|.DBInstanceArn
 - Service: elb
   Request: describe-load-balancers
+- Service: elb
+  Request: describe-load-balancer-attributes
+  Parameters:
+  - Name: LoadBalancerName
+    Value: elb-describe-load-balancers.json|.LoadBalancerDescriptions[].LoadBalancerName
 - Service: elb
   Request: describe-load-balancer-policies
 - Service: elb

shared/audit.py

@@ -837,6 +837,25 @@ def audit_ec2(findings, region):
                 )
 
 
+def audit_elbv1(findings, region):
+    json_blob = query_aws(region.account, "elb-describe-load-balancers", region)
+
+    for load_balancer in json_blob.get("LoadBalancerDescriptions", []):
+        lb_name = load_balancer["LoadBalancerName"]
+
+        # Check attributes
+        attributes_json = get_parameter_file(
+            region, "elb", "describe-load-balancer-attributes", lb_name
+        )
+
+        for attribute in attributes_json.get("LoadBalancerAttributes", [])['AdditionalAttributes']:
+            if (
+                attribute["Key"] == "elb.http.desyncmitigationmode"
+                and attribute["Value"] != "strictest"
+            ):
+                findings.add(Finding(region, "ELBV1_DESYNC_MITIGATION", lb_name))
+
+
 def audit_elbv2(findings, region):
     json_blob = query_aws(region.account, "elbv2-describe-load-balancers", region)
 
@@ -1172,6 +1191,7 @@ def audit(accounts):
                 audit_redshift(findings, region)
                 audit_es(findings, region)
                 audit_ec2(findings, region)
+                audit_elbv1(findings, region)
                 audit_elbv2(findings, region)
                 audit_sg(findings, region)
                 audit_lambda(findings, region)