Fail Proxy Disclosure on Docker Scanning


Hermawan Febrianto

Aug 17, 2023, 1:10:45 PM
to ZAP Developer Group
Hi all, I have a problem: when I do a Docker scan, Proxy Disclosure always appears for my app. Is there a solution for this failure?

Hermawan Febrianto

Aug 17, 2023, 1:12:21 PM
to ZAP Developer Group
Like this: FAIL-NEW: Proxy Disclosure [40025] x 48

kingthorin+zap

Aug 17, 2023, 8:17:57 PM
to ZAP Developer Group
Being answered over here: FAIL-NEW: Proxy Disclosure [40025] x 48 (google.com)

Please don't cross post; it just causes confusion and clutter.

Hermawan Febrianto

Aug 27, 2023, 12:37:37 PM
to ZAP Developer Group
I have disabled TRACE, TRACK, and OPTION for my website, but this -fail still appears. 

The image that I have attached is a screenshot of the Result Docker Scan XML file. In the "<other info>", it says that "Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between OWASP ZAP and the application/web server:" and "The following web/application server has been identified: ". 

Both have the value "Unknown". But ZAP still thinks that this is a proxy that can be Traced/Track/Options. 

Do you have a solution for this?

proxy disclosure.png

psiinon

Aug 29, 2023, 3:52:37 AM
to zaproxy...@googlegroups.com
That's strange.
Have you had a look at the response headers in the request ZAP is complaining about?
Just because you _think_ you have disabled those options does not mean you have successfully disabled them for all of the URLs.

Cheers,

Simon

--
ZAP Project leader

Innocent Akhidenor

Jan 1, 2024, 2:57:14 AM
to ZAP Developer Group
Any solution to this? I had the same issue. Here is what I have done so far: 

1)  I hid the Server header in my nginx.conf file:    
     
     server_tokens off;
     more_clear_headers Server;
     proxy_hide_header X-Powered-By; 

2) Blocked all TRACE, OPTIONS, and TRACK    

      limit_except GET HEAD POST {
         deny  all;
      }

3) Returned a custom error page: 

      error_page 400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 421 429 500 501 502 503 504 505 507 /error_page.html;

      location = /error_page.html {
         root /usr/share/nginx/html;
         internal;
      }

I did all that and confirmed that it works via Postman, but I still get the following alert from ZAP. I can't figure out what I am doing wrong.

<uri>https://my domain name</uri>

<method>GET</method>

<param></param>

<attack>TRACE, OPTIONS methods with &apos;Max-Forwards&apos; header. TRACK method.</attack>

<evidence></evidence>

<otherinfo>Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server: 

- nginx/1.10.3 (Ubuntu)

The following web/application server has been identified: 

- Unknown

</otherinfo>


psiinon

Jan 2, 2024, 8:36:31 AM
to ZAP Developer Group
Again, you need to check the response headers that ZAP sees; it might be doing something subtly different to whatever Postman is doing.
You can either do this via the ZAP desktop or use one of the reports which includes the full requests and responses.

Cheers,

Simon
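
An added example (not from the thread and not ZAP's own code) of the header check suggested above: it replays the methods listed in the alert's `<attack>` field against your own site and reports any that are still accepted or that return identifying headers. The `Max-Forwards` value, the `REVEALING` header list and the `SAMPLE` results are assumptions constructed for illustration.

```python
import http.client
import sys

# Probes named in the alert's <attack> field (the Max-Forwards value 0 is an assumption).
PROBES = [("TRACE", {"Max-Forwards": "0"}),
          ("OPTIONS", {"Max-Forwards": "0"}),
          ("TRACK", {})]
# Headers that commonly name a server or an intermediary (assumed list, not ZAP's).
REVEALING = ("server", "via", "x-powered-by")


def probe(host, port=443, path="/", tls=True, timeout=10):
    """Send each probe to your own site; return [(method, status, headers)]."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    results = []
    for method, extra in PROBES:
        conn = cls(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers=extra)
            resp = conn.getresponse()
            resp.read()
            results.append((method, resp.status,
                            {k.lower(): v for k, v in resp.getheaders()}))
        except (OSError, http.client.HTTPException) as exc:
            results.append((method, None, {"error": str(exc)}))
        finally:
            conn.close()
    return results


def findings(results):
    """List what still needs fixing: accepted methods and identifying headers."""
    out = []
    for method, status, headers in results:
        if status is not None and status < 400:
            out.append(f"{method}: still accepted (HTTP {status})")
        for name in REVEALING:
            if name in headers:
                out.append(f"{method}: {name}: {headers[name]}")
    return out


# Constructed sample results, used when no host is given on the command line.
SAMPLE = [("TRACE", 405, {"server": "nginx/1.10.3 (Ubuntu)"}),
          ("OPTIONS", 200, {"allow": "GET, HEAD, POST, OPTIONS"}),
          ("TRACK", 403, {"content-type": "text/html"})]

if __name__ == "__main__":
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(findings(results)) or "nothing identifying returned")
```

Run it with the hostname as the only argument, and repeat it for any other path the report flags, since a `location`-level rule does not cover every URL.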

kingthorin+zap

Jan 2, 2024, 1:45:43 PM
to ZAP Developer Group