
Comments (7)

bj-taduran commented on June 11, 2024

Hi, @dennisarriola

The response is not conclusive yet. Further investigation on your web server has to be conducted.

CONTEXT:

The "Cloud Metadata Potentially Exposed" alert only means that your web server is not blocking the use of "169.254.169.254" in the "host" header of the http request. As a best practice, requests like this have to be blocked. Your web server might have a proxy setting that uses the "host" header for routing messages, but your web server should never route to "169.254.169.254", as information (cloud instance/infrastructure information) from this IP address can compromise your whole cloud environment.

Some web servers use the "host" header from the http request to route the message to the IP address or domain indicated. This happens when your web server acts as a proxy and has a configuration similar to the one below:

location / {
    proxy_pass http://$host; # To repeat: don't do this!
}

This configuration is an example from NGINX.

NEEDED ACTION:

If your web server is acting as a proxy, you must block requests with a "host" value of "169.254.169.254". Normally, there's no reason for you to route requests to this IP address.

If your server is not a proxy, it is better to remove any similar configuration.

FURTHER INFO AND DISCUSSION:
https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/

Tell me if this explanation has been helpful.

from zaproxy.
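The routing pattern quoted above beside a hardened form, as an added example that is not part of the original thread or of ZAP. It goes slightly beyond the thread's advice: instead of only denying the metadata IP, the hardened server routes only Host values it actually serves to a fixed upstream, and everything else (including 169.254.169.254) gets a 4xx. Hostnames and upstream addresses are assumptions.

```nginx
# Added example (not from the original thread). Hostnames and addresses
# below are assumptions; substitute your own.

# VULNERABLE: the upstream is taken verbatim from the client-controlled
# Host header, so "Host: 169.254.169.254" is proxied straight to the
# cloud metadata service. This is the pattern the alert is about.
server {
    listen 80;
    location / {
        proxy_pass http://$host;   # don't do this
    }
}

# HARDENED: fixed upstream, never derived from request headers.
upstream app_backend {
    server 10.0.0.10:8080;         # assumed internal application address
}

# Catch-all for any Host value that is not explicitly served below.
# A request with "Host: 169.254.169.254" (or "169.254.169.254:80",
# or no Host at all) lands here and is refused with a 4xx, which is
# what the re-scan checks for. Any 4xx/5xx would do; 421 is the
# status defined for a request sent to a server that is not meant
# to handle that authority.
server {
    listen 80 default_server;
    server_name _;
    return 421;
}

# Only the names this server really serves are routed, and only to
# the fixed upstream, so the Host header never chooses a destination.
server {
    listen 80;
    server_name app.example.com;   # assumed hostname
    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;   # forwarded for virtual hosting, not routing
    }
}
```

After reloading, a request to your own server that carries the header `Host: 169.254.169.254` should come back with the 421 from the catch-all server rather than with any metadata content.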

thc202 commented on June 11, 2024

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-ex-2

The ZAP User Group is a better place for this kind of question: https://groups.google.com/g/zaproxy-users


dennisarriola commented on June 11, 2024

Hello @bj-taduran,

Thank you for your detailed explanation!
Definitely, your answer helps us a lot in understanding this "Cloud Metadata Potentially Exposed" vulnerability item.

I have additional questions though.
You've mentioned that "Further investigation on your web server has to be conducted" and suggested some NEEDED ACTION. Upon checking, our web server has a feature that can connect to a proxy server. In relation to your suggested NEEDED ACTION, if we block requests with a "host" value of "169.254.169.254", will this fix this finding ("Cloud Metadata Potentially Exposed")? And this won't be included in the rescan?

Thank you very much, countryman.
I'm Filipino too. :D


bj-taduran commented on June 11, 2024

Agree, that is the appropriate solution, since your server is acting as a proxy.
If you return 4XX or 5XX on similar requests with the "host" header pointing to the said 169.254.169.254, this alert should not show up on the re-scan.

Awesome. hehe


thc202 commented on June 11, 2024

Where do you see it's acting as a proxy?


bj-taduran commented on June 11, 2024

"our web server has a feature that can connect to a proxy server"

I might be mistaken.

@dennisarriola, can you clarify? If you meant that your web server has a "proxy server" feature configured, that means it is acting as a proxy. If not, then we are not interested in the results; you can declare it as a false positive, but do block the request given the conditions as a best practice.


dennisarriola commented on June 11, 2024

Hello @thc202, @bj-taduran,

Thanks for clarifying.

Our web server can be configured to connect to a proxy server (a different PC) to allow connections from our web server to the internet, which are needed for our application to work. This case is only applicable if the network environment needs a proxy to connect outside of the company network.

Hope this will help.
Thank you again~

