Details
Alert Id 10056
Alert Type Passive Scan Rule
Status release
Risk
CWE
WASC

Summary

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony's Profiler may be in use and exposing sensitive data.
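As an added illustration of the condition this rule checks (not the ZAP rule's own code), the following Python parses raw HTTP/1.x responses and reports any X-Debug-Token or X-Debug-Token-Link header; the sample responses and token values are constructed.

```python
"""Passive check for Symfony profiler debug headers in HTTP responses.

Added example, not the ZAP rule's own code: it reproduces the alert's core
condition (an X-Debug-Token or X-Debug-Token-Link response header is present)
over constructed sample responses.
"""

# Header names are matched case-insensitively, as HTTP requires.
DEBUG_HEADERS = ("x-debug-token", "x-debug-token-link")


def parse_response_headers(raw: str) -> dict:
    """Return a lower-cased {name: value} dict from a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    headers = {}
    for line in head.split("\r\n")[1:]:         # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_debug_token_headers(raw: str) -> list:
    """Return (name, value) pairs for every Symfony debug header present.

    A non-empty result is what would raise this alert: the profiler is
    advertising a token (and often a direct link to the profiler page).
    """
    headers = parse_response_headers(raw)
    return [(n, headers[n]) for n in DEBUG_HEADERS if n in headers]


# Constructed sample responses; token and host values are made up.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Debug-Token: a1b2c3\r\n"
    "X-Debug-Token-Link: https://app.example/_profiler/a1b2c3\r\n"
    "\r\n<html>...</html>"
)
CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("clean", CLEAN)):
        hits = find_debug_token_headers(resp)
        print(label, "-> alert" if hits else "-> ok", hits)
```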

Solution

Limit access to Symfony's Profiler, either via authentication/authorization or by limiting inclusion of the header to specific clients (by IP, etc.).

References

Code

org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java