I ran an OWASP ZAP scan on my website and it raised a proxy disclosure alert, amongst other things.
Proxy Disclosure alert https://www.zaproxy.org/docs/alerts/40025/
OWASP description: 1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine:
- A list of targets for an attack against the application.
- Potential vulnerabilities on the proxy servers that service the application.
- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.
Suggested Solution
Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server. Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing). Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages. Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.
Attempt I have made so far: I followed the advice from this website (http-request-methods.html) and added a condition to disable PATCH, TRACE and OPTIONS to nginx.conf. Not sure if that is working and if I did that correctly. Any advice on fixing 'Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers'? Thanks.

    server {
        if ($request_method ~ ^(PATCH|TRACE|OPTIONS)$) {
            return 405;
        }
    }
nginx.conf:

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
        worker_connections 768;
        # multi_accept on;
    }

    http {
        include /etc/nginx/proxy.conf;
        server_tokens off;   # strips the version from the Server header ("Server: nginx" is still sent)

        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        client_body_timeout 10;
        types_hash_max_size 2048;

        upstream portal {
            server 127.0.0.1:5002;
        }
        upstream api {
            server 127.0.0.1:5000;
        }

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##
        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;
        gzip_disable "msie6";
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml applicati>

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        # Catch-all server added for the method restriction. It has no listen or
        # server_name, so it only answers requests on port 80 that none of the
        # servers included above claims; the vhosts in sites-enabled that proxy
        # to "portal" and "api" are not covered by this block.
        server {
            if ($request_method ~ ^(PATCH|TRACE|OPTIONS)$) {
                return 405;
            }
        }
    }
Answer 1
I think you’re on the right track.
Any advice on fixing 'Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers'? Thanks.
    server_tokens off;
    proxy_hide_header X-Powered-By;
Then reload Nginx.
You may want to run another test to ensure you fixed the vulnerabilities.
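A complete server block that puts the method restriction from the question and the header hiding from the answer together, added here as an example (it is not the asker's config and not part of the answer). The `if` checks sit inside the locations that actually proxy to the `portal` and `api` upstreams, so they apply to the real vhost rather than to a catch-all server; backend headers are stripped with `proxy_hide_header`, and a custom error page replaces the product-specific one. The hostname `example.com`, the certificate paths, the `/api/` prefix and the `/var/www/errors` directory are assumptions.

```nginx
# Added example, not from the original question or answer.
# Assumed: example.com, certificate paths, /api/ prefix, /var/www/errors.
http {
    server_tokens off;                  # "Server: nginx" without the version

    upstream portal { server 127.0.0.1:5002; }
    upstream api    { server 127.0.0.1:5000; }

    # Methods to refuse. nginx already answers TRACE with 405 on its own;
    # the map makes the policy explicit and covers PATCH and OPTIONS too.
    # Keep OPTIONS only if CORS preflight requests need it.
    map $request_method $method_blocked {
        default 0;
        TRACE   1;
        TRACK   1;
        PATCH   1;
        OPTIONS 1;
    }

    server {
        listen 443 ssl;
        server_name example.com;                                  # assumed
        ssl_certificate     /etc/ssl/certs/example.com.pem;       # assumed path
        ssl_certificate_key /etc/ssl/private/example.com.key;     # assumed path
        ssl_protocols TLSv1.2 TLSv1.3;

        # One neutral page for errors, so a 404 or 405 does not leak a
        # product-specific error page from nginx or the backend.
        error_page 404 405 /error.html;
        location = /error.html {
            root /var/www/errors;                                 # assumed
            internal;
        }

        # Strip headers the backends add; inherited by the locations below.
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;

        location /api/ {
            if ($method_blocked) { return 405; }
            proxy_pass http://api;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            if ($method_blocked) { return 405; }
            proxy_pass http://portal;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Check the syntax with `nginx -t`, reload, then verify from outside: `curl -sI -X OPTIONS https://example.com/` should return `405`, and `curl -sI https://example.com/` should show `Server: nginx` with no version and no `X-Powered-By` line. Note that stock nginx cannot remove the `Server` header entirely; that requires the headers-more module (`more_clear_headers Server;`), so ZAP may still fingerprint nginx as a proxy even after these changes.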