Details

Alert ID: 10056
Alert Type: Passive
Status: release
Risk: Low
CWE: 200
WASC: 13
Technologies Targeted: All
Tags: CWE-200, OWASP_2017_A03, OWASP_2021_A01, WSTG-V42-ERRH-01
More Info: Scan Rule Help

Summary

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.

Solution

Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.).

Other Info

By requesting a URL of the form https://target_host/_profiler/token_value (e.g. https://example.com/_profiler/123ab4), you may gain access to the profiler and further leaked information.
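As an added example (not the ZAP rule's own code), the following Python check mirrors what this alert reports: it flags X-Debug-Token and X-Debug-Token-Link headers in a raw HTTP response, case-insensitively, and derives the profiler URL in the form given above. The sample responses and the base URL are constructed.

```python
# Added example, not ZAP's XDebugTokenScanRule: a passive check over raw HTTP
# responses. The responses and base URL below are constructed sample data.
import re
from typing import NamedTuple

DEBUG_HEADERS = ("x-debug-token", "x-debug-token-link")


class Finding(NamedTuple):
    header: str
    value: str
    profiler_url: str


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response; the body is ignored."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    pairs = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                  # ignore malformed lines
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_debug_token(raw_response: str, base_url: str) -> list[Finding]:
    """Flag X-Debug-Token / X-Debug-Token-Link (case-insensitive) and derive
    the profiler URL in the form https://target_host/_profiler/token_value."""
    findings = []
    for name, value in parse_headers(raw_response):
        lname = name.lower()
        if lname not in DEBUG_HEADERS:
            continue
        if lname == "x-debug-token-link":
            url = value                          # header already carries the link
        else:
            url = f"{base_url.rstrip('/')}/_profiler/{value}"
        findings.append(Finding(name, value, url))
    return findings


# Constructed sample responses: one with the profiler headers, one clean.
LEAKING = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "X-Debug-Token: 123ab4\r\n"
           "X-Debug-Token-Link: https://example.com/_profiler/123ab4\r\n"
           "\r\n<html></html>")
CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for f in check_debug_token(LEAKING, "https://example.com"):
        print(f"{f.header}: {f.value} -> {f.profiler_url}")
    print(check_debug_token(CLEAN, "https://example.com"))  # []
```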

References

Code

org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java