Cloud metadata exposed for AWS Fargate is showing mistakenly


Aung Kyaw Phyo

Jul 5, 2023, 2:48:24 AM
to OWASP ZAP User Group
I used the OWASP ZAP tool to scan my website, which is hosted on AWS Fargate. The scan result shows a "Cloud Metadata Potentially Exposed" issue.
Then I ran the ECS task definition as a standalone task and executed the following commands inside the container, and no metadata was returned:

$ curl 169.254.169.254
$ curl 169.254.170.2

Is this an error in the OWASP ZAP tool?


psiinon

Jul 5, 2023, 8:50:58 AM
to zaprox...@googlegroups.com
What happens if you request the same URL using curl and follow the redirect?


--
OWASP ZAP Project leader

Aung Kyaw Phyo

Jul 10, 2023, 12:35:30 AM
to OWASP ZAP User Group
I tried to follow the redirect with curl and didn't get any metadata leak; I just ended up at a 404 Not Found URL.

石川敦己

Jan 17, 2024, 4:18:22 AM
to ZAP User Group
Hello,

I am reaching out because I have encountered a situation identical to one discussed previously—concerning the development environment, the nature of the alert, and the attempted resolutions. I was conducting a security assessment following the guidelines provided in the App Defense Alliance's Dynamic Scanning Procedures ( https://appdefensealliance.dev/casa/tier-2/ast-guide/dynamic-scan?hl=en ) and received the following alert:
```
WARN-NEW: Cloud Metadata Potentially Exposed [90034] x 1
        https://app-dev.myapli.jp/latest/meta-data/ (308 Permanent Redirect)
```
However, when I sent a request using the cURL command to the same URL, I encountered a 404 error, and no metadata was retrieved.

I would like this to pass the security checks. Could you please advise on any potential resolutions? Perhaps there are ways similar situations have been handled in the past, such as following the response redirect or treating a 308 status as a request failure.

My apologies for any language barriers as English is not my first language. I would greatly appreciate any assistance you can provide.

Thank you very much.

On Monday, July 10, 2023 at 13:35:30 UTC+9, a...@binarylab.io wrote:
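A small re-check helper, added here as an example and not code from the thread or from ZAP's scan rule: it requests the `/latest/meta-data/` path the alert reported, once without following redirects and once following them, and classifies the final response the way the manual curl check above was interpreted. The verdict rules and the `IMDS_MARKERS` heuristic are assumptions for this example, not the logic ZAP's rule 90034 applies.

```python
"""Re-check a 'Cloud Metadata Potentially Exposed' finding by hand.
Added example; the verdict rules below are an assumption about how to read
the responses, not the logic of ZAP's scan rule. Only probe() touches the network.
"""
import urllib.error
import urllib.request

METADATA_PATH = "/latest/meta-data/"
# Entries an AWS IMDS directory listing normally contains (heuristic, assumed here).
IMDS_MARKERS = ("ami-id", "instance-id", "hostname", "iam/")


def classify(status: int, body: str) -> str:
    """Turn one final response into a verdict."""
    if 300 <= status < 400:
        return "redirect"            # e.g. 308: nothing was served at this URL
    if status == 404:
        return "not-found"           # what the manual curl check ended with
    if status == 200 and any(marker in body for marker in IMDS_MARKERS):
        return "potential-exposure"  # a metadata-style listing actually came back
    return "inconclusive"            # 200 with unrelated content, 5xx, etc.


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the raw first response is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then surfaces the 3xx as an HTTPError


def probe(base_url: str, follow: bool) -> dict:
    """GET <base_url>/latest/meta-data/ and return {'status', 'verdict'}."""
    opener = urllib.request.build_opener(*([] if follow else [_NoRedirect()]))
    req = urllib.request.Request(base_url.rstrip("/") + METADATA_PATH)
    try:
        with opener.open(req, timeout=10) as resp:
            status, body = resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 3xx (when not followed), 404, 5xx
        status, body = err.code, err.read(4096).decode("utf-8", "replace")
    return {"status": status, "verdict": classify(status, body)}


def check(base_url: str) -> dict:
    """Both views of the finding: the raw response and the post-redirect one."""
    return {"raw": probe(base_url, follow=False), "followed": probe(base_url, follow=True)}


if __name__ == "__main__":
    import sys
    print(check(sys.argv[1]))  # e.g. python3 recheck.py https://app.example.invalid (placeholder host)
```

A "redirect" verdict on the raw request together with "not-found" after following it matches the situation described in this thread; only a "potential-exposure" verdict warrants treating the finding as real.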

Simon Bennetts

Jan 17, 2024, 10:31:29 AM
to ZAP User Group
Hiya,

Can you confirm which version of ZAP and the active scan rules you are using?
I don't think we should raise an alert like this on a redirect, and based on a quick look at the code I don't think it will.

Cheers,

Simon

石川敦己

Jan 17, 2024, 10:22:14 PM
to ZAP User Group
Hello Simon,

Thank you for your prompt response.

I am currently using the OWASP ZAP Docker image tagged as owasp/zap2docker-stable:latest, which should be the latest stable release as of two weeks ago.

Regarding the active scan rules, I have attached the zap-casa-config.conf configuration file used during the scan. This config file was directly taken as it is from the App Defense Alliance's Dynamic Scanning Procedures ( https://appdefensealliance.dev/casa/tier-2/ast-guide/dynamic-scan?hl=en ), and I have been using it without any modifications.

I am trying to understand whether the alert triggered on a 308 Permanent Redirect is an expected result or a false positive. If there are additional details or context needed for a comprehensive assessment, I would be grateful if you could point them out.

Thank you for your time and assistance.

Best regards,

Atsuki Ishikawa
On Thursday, January 18, 2024 at 0:31:29 UTC+9, psi...@gmail.com wrote:
zap-casa-config.zip

Simon Bennetts

Jan 18, 2024, 7:56:04 AM
to ZAP User Group
Thank you.
Based on our initial investigations this looks like it is a false positive and we are looking at a code fix.
More info when I have it.

Cheers,

Simon

石川敦己

Jan 18, 2024, 8:18:48 AM
to ZAP User Group
Hello Simon,

Thank you so much for the quick response and for looking into a code fix.
It's greatly appreciated.

Best regards,

Atsuki Ishikawa
On Thursday, January 18, 2024 at 21:56:04 UTC+9, psi...@gmail.com wrote: