Proxy Disclosure

Reference

Plugin Id: 40025 | CWE: 200

Remediation

To mitigate the vulnerability of Proxy Disclosure, the following steps should be taken:

  1. Disable TRACE/TRACK methods: Disable the TRACE and TRACK methods on both the proxy and origin web servers by modifying the server configuration files. For example, in Apache, you can add the following lines to the .htaccess file or the server configuration file:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule ^ - [F]
    
  2. Disable OPTIONS method (if applicable): If your application is not a REST/GraphQL API, you can also disable the OPTIONS method. This can be done by adding the following lines to the server configuration file:

    <Limit OPTIONS>
    Require all denied
    </Limit>
    

    Note that disabling the OPTIONS method may affect Cross-Origin Resource Sharing (CORS) settings and API access, so make sure to consider the impact on your application before implementing this step.
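
One way to confirm that both steps took effect on a server you operate, as an added example that is not part of the original page: it sends TRACE, TRACK and OPTIONS with a unique header value and fails the check if the request is echoed back or the method is not refused. The header name `X-Remediation-Check`, the `REFUSED` status set and the function names are assumptions of this example.

```python
import http.client
import uuid
from urllib.parse import urlsplit

REFUSED = {403, 405, 501}  # assumption: statuses that count as "method refused"

def assess(method, status, content_type, body, marker):
    """Classify one response to a TRACE, TRACK or OPTIONS probe."""
    echoed = marker in body or content_type.lower().startswith("message/http")
    if method in ("TRACE", "TRACK") and echoed:
        # The request came back in the body, so proxy-added lines such as Via are exposed.
        via = [l.strip() for l in body.splitlines() if l.lower().startswith("via:")]
        return "FAIL", "request echoed back" + (f", exposes {via}" if via else "")
    if status in REFUSED:
        return "PASS", f"refused with {status}"
    if method == "OPTIONS":
        return "REVIEW", f"answered with {status}; acceptable only if CORS or an API needs it"
    return "FAIL", f"not refused (status {status})"

def probe(url, methods=("TRACE", "TRACK", "OPTIONS"), timeout=5):
    """Send each method to the given URL and classify the answer."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    results = {}
    for method in methods:
        marker = uuid.uuid4().hex  # unique value used to recognise an echo
        conn = conn_cls(parts.netloc, timeout=timeout)
        try:
            conn.request(method, parts.path or "/",
                         headers={"X-Remediation-Check": marker})
            resp = conn.getresponse()
            body = resp.read(65536).decode("latin-1")
            results[method] = assess(method, resp.status,
                                     resp.getheader("Content-Type", ""), body, marker)
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    import sys
    for m, (verdict, why) in probe(sys.argv[1]).items():
        print(f"{m:8} {verdict:7} {why}")
```

Run it against the origin directly and again through the proxy, since the remediation applies to both.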

About

The vulnerability known as Proxy Disclosure occurs when the TRACE and/or TRACK methods are enabled on proxy and origin web servers. These methods allow an attacker to retrieve sensitive information about the software running on the servers. By sending specially crafted requests, an attacker can exploit this vulnerability to gather information that can be used for further attacks.

Risks

The risks associated with the Proxy Disclosure vulnerability include:

  1. Attacker reconnaissance: An attacker can use the disclosed information to gain insights into the software running on the proxy servers. This knowledge can help them identify potential vulnerabilities or weaknesses that can be exploited.

  2. Targeting the origin server: The disclosed information can also be used to target the origin server, which may have fewer resources and security measures compared to the proxies themselves. This can lead to unauthorized access, data breaches, or other malicious activities.

  3. Impact on CORS settings and API access: Browsers use the OPTIONS method to check Cross-Origin Resource Sharing (CORS) settings. Disabling the OPTIONS method, as a remediation step, may affect the proper functioning of CORS and API access. It is important to carefully consider the impact on your application before implementing this step.