Cloud Metadata Potentially Exposed for sonarqube application


Chetan Chavan

Nov 12, 2021, 7:59:29 AM
to OWASP ZAP User Group
Hi,

I ran the ZAP tool on the SonarQube application and found the vulnerability below.
---------------------------------------
Cloud Metadata Potentially Exposed
The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.

All of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.
---------------------------------------------
Even though we do not use nginx in SonarQube, can anyone help me with how to remediate the above vulnerability in the SonarQube application?

kingthorin+owaspzap

Nov 12, 2021, 9:39:34 AM
to OWASP ZAP User Group
You haven't provided enough detail for us to debug anything.

However, I will point out that you seem to be overlooking "Potentially" and "...this can be exposed...."

You should also note it's probably an alert with low confidence. You can also check the alert page: https://www.zaproxy.org/docs/alerts/90034/, which also links to the code if you want to see why ZAP believes there's an issue.
(Basically it sends a crafted request and looks for a 200 - OK response with body content.)

Chetan Chavan

Nov 14, 2021, 9:33:52 AM
to OWASP ZAP User Group
Hi,

Thanks @kingthorin+owaspzap for the updates. Please let me know what details are required for further debugging.

kingthorin+owaspzap

Nov 15, 2021, 10:25:53 AM
to OWASP ZAP User Group
We'd need to know the details of the request/response that ZAP is alerting on.

Chetan Chavan

Nov 17, 2021, 9:16:31 AM
to OWASP ZAP User Group
Hi,

Please find the details of the alert:
==========================
Risk: High
Alert: Cloud Metadata Potentially Exposed
Description: The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.
All of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.
Method: GET
Parameter:
Attack: 169.154.169.254
Evidence:
Instances: 1
Solution: Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker.
CWE Id:
WASC Id:
Plugin Id: 90034
===========================
We are using the NGINX service, still showing a config error for it.
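The NGINX pattern that the alert's Solution text warns about (a proxy target built from `$host`), shown next to a hardened form that only forwards a known hostname and never echoes the client's Host header upstream. This is an added illustration, not configuration from this thread, from SonarQube or from the ZAP project; the two `default_server` blocks are alternatives (use one or the other), and the hostname `sonar.example.internal` and the upstream `127.0.0.1:9000` are assumptions.

```nginx
# --- Weak: proxy target derived from the client-supplied Host header ---
# $host is taken from the request's Host header, so a request with
# "Host: 169.254.169.254" is forwarded to the cloud metadata address.
# This is the condition ZAP plugin 90034 probes for (a 200 with a body).
server {
    listen 80 default_server;
    server_name _;
    location / {
        proxy_pass http://$host$request_uri;   # user data used as the upstream
    }
}

# --- Hardened: unknown hostnames are dropped, the upstream is fixed ---
# Catch-all for any Host value not matched by a named server below.
# 444 is NGINX's "close the connection without a response".
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name sonar.example.internal;        # assumed hostname of the SonarQube front end
    location / {
        proxy_pass http://127.0.0.1:9000;      # assumed SonarQube listener; fixed, not from $host
        proxy_set_header Host $server_name;    # forward the matched name, not the client's Host
    }
}
```

After `nginx -t` and a reload, a request to your own proxy that carries `Host: 169.254.169.254` should get the connection closed by the 444 block rather than a 200 with content, which is the response the rule treats as evidence.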

kingthorin+owaspzap

Nov 17, 2021, 1:47:42 PM
to OWASP ZAP User Group
Thanks, but what we really need is the associated request/response. Which likely means you need to recreate it using the GUI.