Description
Describe the bug
I have a server which will freely respond with x-forwarded
headers: https://api.test.glaypen.garnercorp.com/say-what-you-want
When the ProxyDisclosureScanRule rule runs, it will generate this report item:
1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine - A list of targets for an attack against the application. - Potential vulnerabilities on the proxy servers that service the application. - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.
URL: https://api.test.glaypen.garnercorp.com/say-what-you-want
Method: GET
Parameter: ``
Attack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.
Evidence: ``
Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
Unknown The following web/application server has been identified:
Unknown The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. `
URL: https://api.test-tco.chevron.garnercorp.com/graph-ql/query
Method: GET
Parameter: ``
Attack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.
Evidence: ``
Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
Unknown The following web/application server has been identified:
Unknown The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. `
There are a number of problems with this text...
> The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.
is grammatically broken and otherwise muddled.
Removing words might help a bit...
Removing one word probably yields the opposite of the intended meaning:
> The presence or absence of any proxy-based components might cause attacks against the application to be detected, prevented, or mitigated.

At this point, changing `detected`, `prevented`, and `mitigated` to other things could enable the sentence to make sense in context, maybe.
> Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server:
> Unknown The following web/application server has been identified:
> Unknown
So, nothing has actually been identified, which is very confusing/misleading/unhelpful. It took reading the code and hunting around to figure out what the component was actually thinking.
> Attack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.

This turned out to be an incredibly large red herring -- nothing about what was discovered had anything to do with `TRACE`, `OPTIONS`, `Max-Forwards` or `TRACK`.
Steps to reproduce the behavior
- Enable ProxyDisclosureScanRule
- Do some sort of browse to https://api.test.glaypen.garnercorp.com/say-what-you-want
- Trigger the ProxyDisclosureScanRule
- Generate a report
- Read the report for Proxy Disclosure
Expected behavior
As the logic has not identified anything relating to `TRACE`, `OPTIONS` or `TRACK`, and as the logic has not (successfully) relied on `Max-Forwards`, the message should clearly indicate what is actually bothering the rule (which is apparently the presence of one or more `X-Forwarded-` headers).
Software versions
macOS Sonoma 14.5
ZAP 2.15.0
I can't tell if ProxyDisclosureScanRule is a built-in -- the add-ons manager isn't showing it to me...
Screenshots
Errors from the zap.log file
The log has lots of errors (including hilarious errors from 2022), but nothing particularly relevant.
Additional context
Would you like to help fix this issue?
- Yes
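The expected behaviour described above, as an added example that is not ZAP's code: an alert builder that records the response headers that actually fired as the alert's evidence, and names the TRACE/Max-Forwards probe only when that probe found something. The header set (`X-Forwarded-*`, `Via`, `Forwarded`), the `Alert` shape and the sample response are assumptions made for this illustration.

```python
"""Hypothetical proxy-disclosure alert builder (not ZAP's own code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed set of response headers that reveal a forwarding proxy in the path.
PROXY_HEADER_RE = re.compile(r"^(x-forwarded-[a-z-]+|via|forwarded)$", re.I)


@dataclass
class Alert:
    attack: str
    evidence: str
    other_info: str
    headers: dict = field(default_factory=dict)


def parse_headers(raw: str) -> dict:
    """Parse a raw 'Name: value' header block into a dict (status line skipped)."""
    out = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.strip()] = value.strip()
    return out


def proxy_headers(headers: dict) -> dict:
    """Return only the headers that disclose an intermediate proxy."""
    return {k: v for k, v in headers.items() if PROXY_HEADER_RE.match(k)}


def build_alert(headers: dict, trace_hops: list) -> Optional[Alert]:
    """trace_hops: proxies found by TRACE/OPTIONS + Max-Forwards probing;
    empty when that probe identified nothing, as in the report above."""
    found = proxy_headers(headers)
    if not found and not trace_hops:
        return None  # nothing observed, so no alert at all
    if trace_hops:
        attack = "TRACE, OPTIONS methods with 'Max-Forwards' header."
        evidence = ", ".join(trace_hops)
        info = f"Proxies identified via Max-Forwards probing: {evidence}"
    else:
        # Say what was actually seen instead of naming a probe that found nothing.
        attack = "Passive inspection of response headers."
        evidence = "; ".join(f"{k}: {v}" for k, v in found.items())
        info = ("No proxy identified via TRACE/OPTIONS; the response carries "
                f"proxy-revealing header(s): {', '.join(found)}")
    return Alert(attack, evidence, info, found)


# Constructed sample response for the demonstration (not a real capture).
SAMPLE = ("HTTP/1.1 200 OK\nContent-Type: text/plain\n"
          "X-Forwarded-For: 203.0.113.7\nVia: 1.1 edge-cache")
```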