zaproxy
Proxy Disclosure - return False Positive results
Describe the bug:

When setting up server annotations and headers for serving content using nginx-ingress, the ZAP Proxy marks this configuration as a vulnerability with a Medium Risk Level and provides the following description:

- With `more_clear_headers "Server";`:

  > Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
  > - Unknown
  >
  > The following web/application server has been identified:
  > - Unknown

- With `more_set_headers "server: hide";`:

  > Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
  > - hide
  >
  > The following web/application server has been identified:
  > - hide
Steps to reproduce the behavior:

- Deploy a simple application on a k8s cluster exposed using nginx-ingress
- Add such configuration to your ingress deployment:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-app
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers "X-Powered-By";
      more_clear_headers "Server";
      if ($request_method ~* "(TRACE|TRACK)") {
        return 405;
      }
```

- Run ZAP Proxy against your deployed application and verify the results
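An added, self-contained way to see what the scanner observes for the two settings above (this is not code from the report or from ZAP, and `identified_server` is only a simplified model of the rule's labelling, not its real logic): a local stub plays the ingress, returning 405 to TRACE/TRACK as the snippet does and either omitting the `Server` header or setting it to `hide`; `probe` sends the three methods the finding names and can be pointed at a real host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ("TRACE", "OPTIONS", "TRACK")  # methods named in the ZAP finding text


class IngressStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the ingress; None models more_clear_headers "Server"."""
    server_header = None

    def _reply(self):
        blocked = self.command in ("TRACE", "TRACK")  # mirrors the `return 405` snippet
        self.send_response_only(405 if blocked else 200)  # avoids the automatic Server header
        if self.server_header is not None:
            self.send_header("Server", self.server_header)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = do_TRACK = do_OPTIONS = _reply

    def log_message(self, *args):  # keep the stub quiet
        pass


def probe(host, port):
    """Send each method and record (status, Server header), as a scanner would."""
    seen = {}
    for method in METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/")
        resp = conn.getresponse()
        seen[method] = (resp.status, resp.getheader("Server"))
        conn.close()
    return seen


def identified_server(seen):
    """Label the way the finding does: header value(s) if present, else 'Unknown'."""
    values = {srv for _, srv in seen.values() if srv}
    return ", ".join(sorted(values)) if values else "Unknown"


def run_case(server_header):
    """Probe a local stub configured with the given Server header value."""
    handler = type("Handler", (IngressStub,), {"server_header": server_header})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        seen = probe(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()
    return identified_server(seen), seen
```

`run_case(None)` yields the label `Unknown` with no `Server` header on any response, and `run_case("hide")` yields `hide`, matching the two findings quoted above.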
Expected behavior:

When the Server header is removed using the annotation `more_clear_headers "Server";`, this vulnerability should not be present.
Software versions:
ZAP Version: 2.15.0
Screenshots:
Errors from the zap.log file:
No response
Additional context:
No response
Would you like to help fix this issue?
- [ ] Yes