"Cloud Metadata Potentially Exposed" Correct Response Inquiry


TestAccount TestAccount

Apr 3, 2024, 2:01:12 AM
to ZAP User Group

Hello,

Basically, I have already posted this inquiry on GitHub ("Cloud Metadata Potentially Exposed" Correct Response Inquiry · Issue #8428 · zaproxy/zaproxy (github.com)) but was advised to post it here since this is the proper venue.

I am new to ZAP and was assigned to check the security of our web application using ZAP.

One of the findings was "Cloud Metadata Potentially Exposed".
However, I read about some "false positive" results regarding this "Cloud Metadata Potentially Exposed" item.
I would like to know more about this item, specifically the "expected result/response" if the web application is really vulnerable.

I have uploaded the request and response from my testing.
Kindly see ZapRequest_1.png for the request screenshot.
Kindly see ZapRespond_1.png for the response screenshot.

Can someone explain to me the meaning of the response?
Is our web application really vulnerable to "Cloud Metadata Potentially Exposed"?

I couldn't find the same response as ours.

Thank you very much in advance.



ZapRespond_1.png
ZapRequest_1.png

Simon Bennetts

Apr 5, 2024, 12:56:34 PM
to ZAP User Group
This rule is fairly simplistic.
If that returns a 200 (as yours does) then it raises an alert. Normally we would expect a URL like this to return something like a 404 or 500.
In your case it does not look like cloud metadata.

I suspect this rule could be improved, e.g. to at least check the contentType of the response.
I know AWS uses /latest/meta-data - does anyone know if any other cloud providers support this URL?

Cheers,

Simon
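The triage step Simon describes (a 200 alone is not proof; look at what actually came back, including the content type) can be turned into a small offline helper. The following is an added example for readers of this thread, not code from the ZAP project or from either poster. It sends no requests; it classifies responses you have already captured from ZAP's request/response panels. The sample responses are constructed, and the heuristic assumes the documented shape of the AWS `/latest/meta-data/` answer (a `text/plain`, newline-separated list of metadata key names); as Simon notes, other providers are an open question and are not covered here.

```python
"""Triage helper for a ZAP "Cloud Metadata Potentially Exposed" alert.

Added example, not part of ZAP or this thread. Classifies captured
responses to separate a likely true positive (a real metadata listing)
from the common false positive where an application answers 200 to any
path, for example a catch-all HTML page.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    content_type: str
    body: str


# Key names that appear in an AWS IMDS /latest/meta-data/ listing
# (assumption based on the documented IMDS response format).
AWS_METADATA_KEYS = {
    "ami-id", "instance-id", "hostname", "local-ipv4", "iam", "public-keys",
}


def looks_like_cloud_metadata(resp: Response) -> bool:
    """True only when the body resembles a real metadata key listing."""
    if resp.status != 200:
        return False
    # Strip parameters such as "; charset=utf-8" before comparing.
    ctype = resp.content_type.split(";")[0].strip().lower()
    if ctype != "text/plain":
        return False
    lines = {ln.strip() for ln in resp.body.splitlines() if ln.strip()}
    # Require at least two well-known keys so a plain-text 200 page that
    # merely mentions "hostname" does not count as metadata.
    return len(lines & AWS_METADATA_KEYS) >= 2


def triage(resp: Response) -> str:
    """Reproduce the scanner's 200-only check, then refine it."""
    if resp.status != 200:
        return "no alert: non-200 status"
    if looks_like_cloud_metadata(resp):
        return "likely true positive: metadata listing in response"
    return "likely false positive: 200 but body is not a metadata listing"


# Constructed sample responses (not taken from the original post).
HTML_CATCH_ALL = Response(200, "text/html; charset=utf-8",
                          "<html><body>Welcome</body></html>")
NOT_FOUND = Response(404, "text/html", "Not Found")
IMDS_LIKE = Response(200, "text/plain",
                     "ami-id\nhostname\ninstance-id\nlocal-ipv4\n")

if __name__ == "__main__":
    for r in (HTML_CATCH_ALL, NOT_FOUND, IMDS_LIKE):
        print(r.status, r.content_type, "->", triage(r))
```

Paste the status, `Content-Type` header and body from the ZAP response panel into a `Response` and run `triage` on it; a 200 whose body is the application's normal HTML, as in the screenshots described above, lands in the false-positive branch, while only a plain-text key listing is reported as a likely true positive.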