Reputation: 141
AWS Load Balancer 403 Forbidden When Account Name Starts with "Call T" on Test Server
We have an API hosted on an EC2 instance behind an AWS Load Balancer. The API works fine except when the AccountName field starts with "Call T". When we send a request with this pattern, we get a 403 Forbidden error.
- Other account names work fine.
- We checked our API code, and there are no restrictions related to this pattern.
- We do not have AWS WAF, but the Load Balancer might have some security filtering.
- There is no restriction in IIS Request Filtering or logs that indicate blocking.
- The same issue happens in Postman and cURL.
Things We Checked:
- SQL Query Execution → Works fine.
- AWS WAF & Load Balancer Logs → We don’t have AWS WAF, but not sure if the LB has built-in security.
- Tried with Modified Name → Works fine if we change "Call T" to something else.
- IIS Request Filtering & Security Logs → Nothing suspicious.
- Tested in Postman → 403 happens only with "Call T".
Questions:
- Could AWS Load Balancer or any other AWS service block specific words like "Call T"?
- Is there any default security rule in AWS that might flag "Call T" as a risky keyword?
- How can we debug this further in AWS Load Balancer or EC2 instance?
- Is there any hidden firewall, security group, or WAF-like feature in AWS that we might have missed?
Upvotes: 2
Views: 59
Answers (1)
Reputation: 2111
Please try below things
Enable ALB Access Logs:
In AWS Console, go to EC2 > Load Balancers > Your Load Balancer > Attributes. Enable Access Logs and specify an S3 bucket. Check logs for 403 entries to see if the request reaches the backend.
Bypass Load Balancer:
Temporarily access the API directly on the EC2 instance using its private IP. This helps determine if the issue is with the ALB or the application itself.
Test Encoding:
In Postman or cURL, URL encode "Call T" as %43%61%6C%6C%20%54. This checks if encoding resolves potential pattern matching issues.
Change Header Position:
Move "AccountName" to a URL parameter (?AccountName=Call T) instead of in the request body. This tests if the ALB is inspecting the request body.
Upvotes: 0
Related Questions
- Websocket fails with 500 using AWS Application Load Balancer and beanstalk
- AWS API Gateway 403 Forbidden when calling from Lambda
- Memcached is not working with AWS Classic Load Balancer
- AWS Load Balancer 502
- Aws ec2 - how to setup load balancer to match docker container on ec2 instance
- aws load balancer gives request 5 sec once
- Intermittent 403 when accessing server via Load Balancer, can't figure out why
- Can't get https working on Elastic Load Balancer (AWS)
- Is ssl termination at AWS load balancer ELB secure?