Fail Proxy Disclosure on Docker Scanning

[Hermawan Febrianto]

Hi All, I have a problem when I do a Docker Scan, Proxy Disclosure always appears in my App. Is there a solution regarding this Failed?

[Hermawan Febrianto]

Like This : FAIL-NEW: Proxy Disclosure [40025] x 48

[kingthorin+zap]

Being answered over here:  FAIL-NEW: Proxy Disclosure [40025] x 48 (google.com)

Please don't cross post it just causes confusion and clutter.

[Hermawan Febrianto]

I have disabled TRACE, TRACK, and OPTION for my website, but this -fail still appears. 

The image that I have attached is a screenshot of the Result Docker Scan XML file. In the "<other info>", it says that "Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between OWASP ZAP and the application/web server:" and "The following web/application server has been identified: ". 

Both have the value "Unknown". But ZAP still thinks that this is a proxy that can be Traced/Track/Options. 

Do you have a solution for this?

[psiinon]

Thats strange.

Have you had a look at the response headers in the request ZAP is complaining about?

Just because you _think_ you have disabled those options does not mean you have successfully disabled them for all of the URLs.

Cheers,

Simon

--
You received this message because you are subscribed to the Google Groups "ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/zaproxy-develop/223db79e-9c0f-48ad-b791-2621e09317ddn%40googlegroups.com.

--

ZAP Project leader

[Innocent Akhidenor]

Any solution to this? I had the same issue. Here is what I have done so far: 

1)  I hid the Server header in my nginx.conf file:    

     

     server_tokens off;

     more_clear_headers Server;
     proxy_hide_header X-Powered-By; 

2) Blocked all TRACE, OPTIONS, and TRACK    

      limit_except GET HEAD POST {
         deny  all;
      }

3) Returned a custom error page: 

      error_page 400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 421 429 500 501 502 503 504 505 507 /error_page.html

      location = /error_page.html {
         root /usr/share/nginx/html;
         internal;
      }

I did all that and confirmed that it works via Postman but I still get the following alert from ZAP. Can't figure out what I am doing wrong

<uri>https://my domain name</uri>

<method>GET</method>

<param></param>

<attack>TRACE, OPTIONS methods with &apos;Max-Forwards&apos; header. TRACK method.</attack>

<evidence></evidence>

<otherinfo>Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server: 

- nginx/1.10.3 (Ubuntu)

The following web/application server has been identified: 

- Unknown

</otherinfo>

[psiinon]

Again, you need to check the response headers that ZAP sees, it might be doing something subtly different to whatever Postman is doing.

You can either do this via the ZAP desktop or use one of the reports which includes the full requests and responses.

Cheers,

Simon

[kingthorin+zap]

If you want to understand exactly what's happening here's the code:

https://github.com/zaproxy/zap-extensions/blob/5fa94b9fa71d6da32f46b84c86c62752a2cc0f05/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java#L55