Comments (7)
Hi, @dennisarriola
The response is not conclusive yet. Further investigation on your web server has to be conducted.
CONTEXT:
The "Cloud Metadata Potentially Exposed" alert only means that your web server is not blocking the use of "169.254.169.254" in the "host" header of the HTTP request. As a best practice, requests like this have to be blocked. Your web server might have a proxy setting that uses the "host" header for routing messages, but your web server should never route to "169.254.169.254", as information (cloud instance/infrastructure information) from this IP address can compromise your whole cloud environment.
Some web servers use the "host" header from the HTTP request to route the message to the IP address or domain indicated. This happens when your web server acts as a proxy and has a configuration similar to the one below:
location / {
proxy_pass http://$host; # To repeat: don't do this!
}
This configuration is an NGINX example.
NEEDED ACTION:
If your web server is acting as a proxy, you must block requests with "host" value of "169.254.169.254". Normally, there's no reason for you to route requests to this IP address.
If your server is not a proxy, it is better to remove any similar configuration.
FURTHER INFO AND DISCUSSION:
https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/
Tell me if this explanation has been helpful.
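The Host header check bj-taduran describes above, as an added example that is not part of the original thread or of ZAP: a proxy refuses with a 4xx before opening any upstream connection when the Host header names the metadata address (generalised here to any link-local literal), and otherwise only forwards to an allow-list of hostnames, which also catches spellings of the address that a literal comparison would miss. The allow-list entries and sample Host values are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only hostnames this proxy is meant to forward for.
ALLOWED_HOSTS = {"app.example.com", "api.example.com"}
METADATA_V4 = ipaddress.ip_address("169.254.169.254")


def host_from_header(host_header):
    """Parse a Host header into (hostname, port).

    urlsplit handles "name:port" and "[v6]:port" for us when the value is
    given as a scheme-less authority; it lowercases the hostname and raises
    ValueError for a non-numeric port.
    """
    parts = urlsplit("//" + host_header.strip())
    return parts.hostname, parts.port


def targets_metadata(hostname):
    """True when the hostname is the metadata address or any link-local literal."""
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # a DNS name, not a literal IP address
    return addr == METADATA_V4 or addr.is_link_local


def proxy_decision(host_header):
    """Return the status a Host-routing proxy should answer before forwarding.

    200 means the request may be forwarded; 4xx means it is refused here,
    which is exactly the behaviour the ZAP rule expects on the re-scan.
    """
    try:
        hostname, _port = host_from_header(host_header)
    except ValueError:
        return 400  # malformed Host header
    if not hostname:
        return 400  # empty Host header
    if targets_metadata(hostname):
        return 403  # never route to the cloud metadata service
    if hostname not in ALLOWED_HOSTS:
        return 421  # Misdirected Request: not a host we forward for
    return 200


if __name__ == "__main__":
    for host in ["169.254.169.254", "169.254.169.254:80", "app.example.com",
                 "evil.example.net", "[fe80::1]", "2852039166", ""]:
        print(f"{host!r:>24} -> {proxy_decision(host)}")
```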
The ZAP User Group is a better place for this kind of question: https://groups.google.com/g/zaproxy-users
Hello @bj-taduran,
Thank you for your detailed explanation!
Definitely, your answer helps us a lot in understanding this "Cloud Metadata Potentially Exposed" vulnerability item.
I have additional questions though.
You've mentioned that "Further investigation on your web server has to be conducted" and suggested some NEEDED ACTION. Upon checking, our web server has a feature that can connect to a proxy server. In relation to your suggested NEEDED ACTION, if we block requests with "host" value of "169.254.169.254", will this fix this finding ("Cloud Metadata Potentially Exposed")? And will this not be included in the rescan?
Thank you very much, fellow countryman.
I'm Filipino too. :D
Agree, that is the appropriate solution since your server is acting as a proxy.
If you return 4XX or 5XX on similar requests with the "host" header pointing to the said 169.254.169.254, this alert should not show up on the re-scan.
Awesome. hehe
Where do you see it's acting as a proxy?
"our web server has a feature that can connect to a proxy server"
I might be mistaken.
@dennisarriola, can you clarify? If you meant that your web server has a "proxy server" feature configured, that means it is acting as a proxy. If not, then we are not interested in the results; you can declare it as a false positive, but do block the request given the conditions as a best practice.
Hello @thc202, @bj-taduran,
Thanks for clarifying.
Our web server can be configured to connect to a proxy server (a different PC) to allow connections from our web server to the internet, which is needed for our application to work. This case is only applicable if the network environment needs a proxy to connect outside of the company network.
Hope this will help.
Thank you again~