
ProxyDisclosureScanRule reporting is confusing for cases where servers freely offer X-Forwarded-* text #8556

Status: Open · jsoref opened this issue Jul 15, 2024 · 1 comment · May be fixed by zaproxy/zap-extensions#5718
Assignees: kingthorin
Labels: add-on, backlog (Issues that the Core Team think are higher priority and would like to work on given time), FalsePositive

Comments

jsoref (Contributor) commented Jul 15, 2024

Describe the bug

I have a server which will freely respond with x-forwarded headers: https://api.test.glaypen.garnercorp.com/say-what-you-want

When the ProxyDisclosureScanRule rule runs, it will generate this report item:

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine - A list of targets for an attack against the application. - Potential vulnerabilities on the proxy servers that service the application. - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

URL: https://api.test.glaypen.garnercorp.com/say-what-you-want
Method: GET
Parameter: ``
Attack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.
Evidence: ``
Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
Unknown The following web/application server has been identified:
Unknown The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. `
URL: https://api.test-tco.chevron.garnercorp.com/graph-ql/query
Method: GET
Parameter: ``
Attack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.
Evidence: ``
Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
Unknown The following web/application server has been identified:
Unknown The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. `

There are a number of problems with this text...

The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

is grammatically broken and otherwise muddled.

Removing words might help a bit...

Removing one word probably yields the opposite of the intended meaning:

The presence or absence of any proxy-based components might cause attacks against the application to be detected, prevented, or mitigated.

At this point, changing detected, prevented, and mitigated to other things could enable the sentence to make sense in context, maybe.

Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
Unknown The following web/application server has been identified:
Unknown

So, nothing has actually been identified, which is very confusing/misleading/unhelpful. It took reading the code and hunting around to figure out what the component was actually thinking.

Attack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.

This turned out to be an incredibly large red herring: nothing about what was discovered had anything to do with TRACE, OPTIONS, Max-Forwards or TRACK.

Steps to reproduce the behavior

  1. Enable ProxyDisclosureScanRule
  2. Do some sort of browse to https://api.test.glaypen.garnercorp.com/say-what-you-want
  3. Trigger the ProxyDisclosureScanRule
  4. Generate a report
  5. Read the report for Proxy Disclosure

Expected behavior

As the logic has not identified anything relating to TRACE, OPTIONS or TRACK, and as the logic has not (successfully) relied on Max-Forwards, the message should clearly indicate what is actually bothering the rule (which is apparently the presence of one or more X-Forwarded- headers).

Software versions

macOS Sonoma 14.5
ZAP 2.15.0
I can't tell if ProxyDisclosureScanRule is a built-in -- the add-ons manager isn't showing it to me...

Screenshots

[screenshot]

Errors from the zap.log file

The log has lots of errors (including hilarious errors from 2022), but nothing particularly relevant.

Additional context

https://github.com/zaproxy/zap-extensions/blob/2708148f2fae6b8e75ea45d5a89d16ccc3c2e756/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java#L101-L120

Would you like to help fix this issue?

  • Yes
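To make the reporter's point concrete, the following is an added example for this page; it is not ZAP's code and does not claim to show how ProxyDisclosureScanRule is implemented. It parses a constructed HTTP response, lists only the X-Forwarded-* headers that are actually present, and renders an alert whose Evidence and Other Info name those headers, with a distinct "nothing found" message instead of "Unknown". The sample URL, header values and function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from any real host): an origin that
# echoes forwarding headers back to the client, as described in the issue.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Forwarded-Proto: https\r\n"
    "X-Forwarded-Host: api.example.test\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "ok"
)

# Any header whose name starts with X-Forwarded- (case-insensitive).
FORWARDED_HEADER = re.compile(r"^x-forwarded-[a-z0-9-]+$", re.IGNORECASE)


def parse_response_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into its status line and (name, value) headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:  # tolerate a malformed line rather than aborting the scan
            continue
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def find_forwarding_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return only the X-Forwarded-* headers, preserving their order and values."""
    return [(name, value) for name, value in headers if FORWARDED_HEADER.match(name)]


def describe_finding(url: str, headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Build an alert whose Evidence and Other Info state what was actually observed.

    The key design point: when nothing is found, say so explicitly instead of
    emitting an 'identified: Unknown' message, and never mention probe methods
    (TRACE/OPTIONS/TRACK) that played no part in the finding.
    """
    found = find_forwarding_headers(headers)
    if not found:
        return {
            "alert": False,
            "evidence": "",
            "other_info": f"No X-Forwarded-* headers were observed in the response from {url}.",
        }
    evidence = "\n".join(f"{name}: {value}" for name, value in found)
    other_info = (
        f"The response from {url} carried {len(found)} X-Forwarded-* header(s): "
        + ", ".join(name for name, _ in found)
        + ". Such headers are normally added by a reverse proxy or load balancer, "
        "so their presence suggests that one sits in front of the origin server "
        "and that the origin reflects forwarding metadata to clients."
    )
    return {"alert": True, "evidence": evidence, "other_info": other_info}


def scan_sample() -> Dict[str, object]:
    """Run the check over the constructed sample response."""
    _status, headers = parse_response_headers(SAMPLE_RESPONSE)
    return describe_finding("https://api.example.test/say-what-you-want", headers)


if __name__ == "__main__":
    result = scan_sample()
    print("Evidence:\n" + str(result["evidence"]))
    print("Other Info: " + str(result["other_info"]))
```

The check reports the concrete header names and values as Evidence, so a reader of the report can see at a glance what triggered the alert, and the no-finding branch produces a sentence rather than an empty "Unknown" placeholder.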
@jsoref jsoref added the bug label Jul 15, 2024
@kingthorin kingthorin self-assigned this Sep 6, 2024
@kingthorin kingthorin added the backlog Issues that the Core Team think are higher priority and would like to work on given time label Nov 28, 2024