Details

Alert Id: 10056
Alert Type: Passive
Status: release
Risk: Low
CWE: 200
WASC: 13
Technologies Targeted: All
Tags: OWASP_2017_A03, OWASP_2021_A01, WSTG-V42-ERRH-01

Summary

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony's Profiler may be in use and exposing sensitive data.
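The check this rule performs, as an added Python illustration rather than the rule's own Java code: parse a raw HTTP response, match either header name case-insensitively (HTTP header names are case-insensitive), and report each matching header line as evidence. The sample responses are constructed for the example, not captured from a real host.

```python
"""Passive check for Symfony profiler debug headers (added illustration)."""
from dataclasses import dataclass

# Header names the rule looks for, compared case-insensitively.
DEBUG_HEADERS = ("x-debug-token", "x-debug-token-link")


@dataclass
class Finding:
    header: str            # header name exactly as it appeared in the response
    evidence: str          # full header line, reported as the alert evidence
    risk: str = "Low"      # matches the alert metadata above
    cwe: int = 200


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response into (name, value) pairs, ignoring the body."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def scan_response(raw_response: str) -> list[Finding]:
    """Return one Finding per X-Debug-Token / X-Debug-Token-Link header present."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name.lower() in DEBUG_HEADERS:
            findings.append(Finding(header=name, evidence=f"{name}: {value}"))
    return findings


# Constructed sample responses for the example.
SAMPLE_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Debug-Token: 9a1b2c\r\n"
    "X-Debug-Token-Link: http://app.example/_profiler/9a1b2c\r\n"
    "\r\n<html></html>"
)
SAMPLE_CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_LEAKY):
        print(f"[{finding.risk}] CWE-{finding.cwe} evidence: {finding.evidence}")
```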

Solution

Limit access to Symfony's Profiler, either by requiring authentication/authorization or by restricting the header to specific clients (by IP address, for example).

References

Code

org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java