Proxy Disclosure vulnerability


Chetan Chavan

Dec 8, 2021, 7:10:15 AM
to OWASP ZAP User Group
Hi team,

While using ZAP on our application we got the following finding:

======================
Medium (Medium) Proxy Disclosure
Description

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

- A list of targets for an attack against the application.

- Potential vulnerabilities on the proxy servers that service the application.

- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

----------------------------------------------------
Solution

Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.

Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).

Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.

Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.

========================

As per the solution, I have disabled TRACE and OPTIONS in nginx and we are getting the 400 error, but ZAP still captures the finding. Could you please guide us on what we have missed?

kingthorin+owaspzap

Dec 8, 2021, 9:54:07 AM
to OWASP ZAP User Group
A 400 doesn't mean the methods are disabled.
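As an added example that is not part of this thread: a small Python classifier that reads a raw TRACE or OPTIONS response and reports whether it actually demonstrates the method is disabled, rather than merely rejected with a 400, and whether the response still carries a fingerprintable 'Server' or 'X-Powered-By' header. All sample responses are constructed; the nginx version string in them is a placeholder.

```python
# Added example (not from the thread): judge TRACE/OPTIONS responses the way
# ZAP's Proxy Disclosure check does. Sample responses below are constructed.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")

FINGERPRINT_HEADERS = ("server", "x-powered-by")

def assess_trace(raw: bytes) -> dict:
    """A live TRACE echoes the request back (message/http). Only a 405 or 501
    without an echo counts as disabled; a 400 proves nothing either way."""
    status, headers, body = parse_response(raw)
    echoed = (headers.get("content-type", "").startswith("message/http")
              or body.lstrip().startswith("TRACE "))
    return {
        "status": status,
        "trace_enabled": echoed,
        "trace_disabled": status in (405, 501) and not echoed,
        "fingerprint_headers": [h for h in FINGERPRINT_HEADERS if h in headers],
    }

def assess_options(raw: bytes) -> dict:
    """OPTIONS is disabled only if refused; an Allow list that names TRACE
    advertises the very method the finding asks to turn off."""
    status, headers, _ = parse_response(raw)
    allow = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    return {
        "status": status,
        "options_disabled": status in (405, 501) and not allow,
        "advertises_trace": "TRACE" in allow,
    }

# Constructed sample responses (not captured from any real host).
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.1\r\nHost: app.example\r\n")
TRACE_400 = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.2.3\r\n"
             b"Content-Type: text/html\r\n\r\n<center>nginx/1.2.3</center>")
TRACE_405 = b"HTTP/1.1 405 Not Allowed\r\nContent-Length: 0\r\n\r\n"
OPTIONS_ALLOW = b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, OPTIONS, TRACE\r\n\r\n"
```

TRACE_400 mirrors the situation in the question: the method is not shown to be disabled, and the 'Server' header still leaks the product and version.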

Anupriya Sahu

Sep 3, 2024, 2:23:20 AM
to ZAP User Group
How to make our application deny such requests? I need help for the same problem.

Anupriya Sahu

Sep 3, 2024, 2:23:20 AM
to ZAP User Group
We cannot disable these options in the proxy server, right? We will have to do it in our web application and provide a method or function that denies such requests from our web application only. Can you help me with how I can do that in my application, for the same problem?

On Wednesday, December 8, 2021 at 5:40:15 PM UTC+5:30 rhce....@gmail.com wrote:

Simon Bennetts

Sep 10, 2024, 4:48:05 AM
to ZAP User Group
That's right, you'll need to do that on your server.
You should search for suitable settings for your server.
We don't know what type of server you are using, and are probably not experts in it anyway.

Cheers,

Simon